[squid-users] Squid Peek and splice

admin admin at tisiz72.ru
Tue May 17 10:51:41 UTC 2016


I have the same config, but in my logs domain names 

Reet Vyas wrote on 2016-05-17 15:48:

> Here is my txt file. As of now it's working, but I am getting "secure connection failed". I want to know if we can customize the error message, like "Access Denied".
> 
> In the logs I am not getting the full URL; PFA logs for the same. What do I have to change in the peek and splice SSL bump to get the full URL?
> 
> Logs: 
> 
> 3481340.025      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 [1] - HIER_NONE/- - 
> 1463481340.037      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 [1] - HIER_NONE/- - 
> 1463481352.675  98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 [2] - ORIGINAL_DST/74.125.68.100 [3] - 
> 1463481403.492 240049 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 216.58.199.133:443 [4] - ORIGINAL_DST/216.58.199.133 [5] - 
> 1463481403.519 240205 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 74.125.130.189:443 [6] - ORIGINAL_DST/74.125.130.189 [7] - 
> 1463481411.577 240235 192.168.0.66 TCP_TUNNEL/200 1832 CONNECT 74.125.68.239:443 [8] - ORIGINAL_DST/74.125.68.239 [9] - 
> 1463481411.688 240430 192.168.0.66 TCP_TUNNEL/200 766 CONNECT 74.125.68.100:443 [2] - ORIGINAL_DST/74.125.68.100 [3] - 
> 1463481411.940 240038 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.199.141:443 [10] - ORIGINAL_DST/216.58.199.141 [11] - 
> 1463481415.391 240029 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.220.5:443 [12] - ORIGINAL_DST/216.58.220.5 [13] - 
> 1463481418.469 240252 192.168.0.66 TCP_TUNNEL/200 518 CONNECT 74.125.68.132:443 [14] - ORIGINAL_DST/74.125.68.132 [15] - 
> 1463481419.003 240197 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 74.125.200.138:443 [16] - ORIGINAL_DST/74.125.200.138 [17] - 
> 1463481421.151 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT 216.58.199.131:443 [18] - ORIGINAL_DST/216.58.199.131 [19] - 
> 1463481421.196  59328 192.168.0.11 TCP_TUNNEL/200 786 CONNECT 216.58.199.142:443 [20] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463481421.758 240647 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.199.131:443 [18] - ORIGINAL_DST/216.58.199.131 [19] - 
> 1463481445.844 282774 192.168.0.188 TCP_TUNNEL/200 1423 CONNECT 74.125.130.189:443 [6] - ORIGINAL_DST/74.125.130.189 [7] - 
> 1463481446.091 282893 192.168.0.188 TCP_TUNNEL/200 2418 CONNECT 216.58.199.133:443 [4] - ORIGINAL_DST/216.58.199.133 [5] - 
> 1463481470.715  59069 192.168.0.11 TCP_TUNNEL/200 1395 CONNECT 216.58.199.206:443 [22] - ORIGINAL_DST/216.58.199.206 [23] - 
> 1463481470.729  58778 192.168.0.11 TCP_TUNNEL/200 7609 CONNECT 216.58.199.206:443 [22] - ORIGINAL_DST/216.58.199.206 [23] - 
> 1463481482.663  62472 192.168.0.11 TCP_TUNNEL/200 3000 CONNECT 216.58.199.165:443 [24] - ORIGINAL_DST/216.58.199.165 [25] - 
> 1463481505.775 334542 192.168.0.66 TCP_TUNNEL/200 59071 CONNECT 216.58.199.131:443 [18] - ORIGINAL_DST/216.58.199.131 [19] - 
> 1463481512.946 240206 192.168.0.66 TCP_TUNNEL/200 470 CONNECT 74.125.130.101:443 [26] - ORIGINAL_DST/74.125.130.101 [27] - 
> 1463481513.057 240084 192.168.0.66 TCP_TUNNEL/200 886 CONNECT 216.58.199.142:443 [20] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463481513.574 240132 192.168.0.66 TCP_TUNNEL/200 1116 CONNECT 216.58.199.142:443 [20] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463481514.156 240036 192.168.0.66 TCP_TUNNEL/200 454 CONNECT 216.58.199.129:443 [28] - ORIGINAL_DST/216.58.199.129 [29] - 
> 1463481542.096   5675 192.168.0.11 TCP_TUNNEL/200 686 CONNECT 162.213.33.48:443 [30] - ORIGINAL_DST/162.213.33.48 [31] - 
> 1463481546.586  59549 192.168.0.11 TCP_TUNNEL/200 493 CONNECT 216.58.199.131:443 [18] - ORIGINAL_DST/216.58.199.131 [19] - 
> 1463481569.729 398494 192.168.0.66 TCP_TUNNEL/200 2523 CONNECT 216.58.199.142:443 [20] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463481574.930 240032 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.220.3:443 [32] - ORIGINAL_DST/216.58.220.3 [33] - 
> 1463481578.959 240248 192.168.0.66 TCP_TUNNEL/200 1220 CONNECT 74.125.130.94:443 [34] - ORIGINAL_DST/74.125.130.94 [35] - 
> 1463481614.460 444470 192.168.0.66 TCP_TUNNEL/200 13976 CONNECT 216.58.199.133:443 [4] - ORIGINAL_DST/216.58.199.133 [5] - 
> 1463481631.174 460024 192.168.0.66 TCP_TUNNEL/200 5641 CONNECT 74.125.200.189:443 [36] - ORIGINAL_DST/74.125.200.189 [37] - 
> 1463481753.303 303648 192.168.0.11 TCP_TUNNEL/200 2801 CONNECT 216.58.199.142:443 [20] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463481759.694 240237 192.168.0.11 TCP_TUNNEL/200 829 CONNECT 216.58.199.206:443 [22] - ORIGINAL_DST/216.58.199.206 [23] - 
> 1463481761.126 261752 192.168.0.11 TCP_TUNNEL/200 205262 CONNECT 216.58.199.129:443 [28] - ORIGINAL_DST/216.58.199.129 [29] - 
> 1463481762.066 269470 192.168.0.11 TCP_TUNNEL/200 177618 CONNECT 216.58.199.129:443 [28] - ORIGINAL_DST/216.58.199.129 [29] - 
> 1463481762.241 276758 192.168.0.11 TCP_TUNNEL/200 1451680 CONNECT 216.58.199.165:443 [24] - ORIGINAL_DST/216.58.199.16 [38] 
> 
> On Tue, May 17, 2016 at 3:33 PM, Reet Vyas <reet.vyas28 at gmail.com> wrote:
> 
> Here is my txt file. As of now it's working, but I am getting "secure connection failed". I want to know if we can customize the error message, like "Access Denied".
> 
> In the logs I am not getting the full URL; PFA logs for the same. What do I have to change in the peek and splice SSL bump to get the full URL?
> 
> On Tue, May 17, 2016 at 3:21 PM, admin <admin at tisiz72.ru> wrote:
> 
> get your blocked_https.txt 
> 
> Reet Vyas wrote on 2016-05-17 14:47:
> 
> Hi 
> 
> Below is my squid configuration  
> 
> Squid : 3.5.13 
> OS ubuntu 14.04 
> 
> http_port 3128 
> http_port 3127 intercept 
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH 
> 
> always_direct allow all 
> sslproxy_cert_error allow all 
> sslproxy_flags DONT_VERIFY_PEER 
> acl blocked ssl::server_name  "/etc/squid/blocked_https.txt" 
> acl step1 at_step SslBump1 
> ssl_bump peek step1 
> ssl_bump terminate blocked 
> ssl_bump splice all 
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB 
> sslcrtd_children 16 startup=1 idle=1 
> sslproxy_capath /etc/ssl/certs 
> sslproxy_cert_error allow all 
> ssl_unclean_shutdown on 
> 
> I want to block facebook.com [39], so I have added the URL in the .txt file.
> 
> It's not blocking anything.
> 
> Please let me know what I have to change in this configuration 
> 
> I am getting the below logs in Squid:
> 
> 1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 [42] - HIER_NONE/- - 
> 1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 [43] - ORIGINAL_DST/106.10.137.175 [44] - 
> 
> 1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 [45] - 
> 1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 [46] - HIER_NONE/- - 
> 1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 [47] - ORIGINAL_DST/74.125.200.239 [48] - 
> 1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 [20] - HIER_NONE/- - 
> 1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 [49] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 [50] - HIER_NONE/- - 
> 1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 [51] - ORIGINAL_DST/31.13.79.246 [52] - 
> 1463478224.432     33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 [19] - 
> 1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 [40] - HIER_NONE/- - 
> 1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 [41] - HIER_NONE/- - 
> 1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 [36] - HIER_NONE/- - 
> 1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 [53] - ORIGINAL_DST/74.125.200.189 [37] - 
> 1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 [20] - HIER_NONE/- - 
> 1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 [54] - ORIGINAL_DST/216.58.199.142 [21] - 
> 1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 [55] - HIER_NONE/- - 
> 1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 [56] - ORIGINAL_DST/106.10.199.11 [57] - 
> 1463478327.555     41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 [33] text/html 
> 
> On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
>> Hi Amos/Yuri,
>> 
>> Currently my Squid is configured with SSL bump; now I want to use peek and
>> splice. I read in some forum that we don't need to install a certificate on
>> the client's machine.
>> 
> 
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
> 
>> As I have already asked before on the mailing list about installing an SSL
>> certificate on Android devices, which is not working.
>> 
>> So my question is: if I want to use peek and splice, for example I want https
>> filtering for
> 
> ... on how you define "filter".
> 
>> proxy websites
> 
> Not sure what you mean by that term.
> 
>> and I don't want SSL for bank websites and
>> Facebook, YouTube and Gmail, how will it work? Do I need to install an SSL
>> certificate on the client or not? I am a bit confused with the peek and splice thing.
> 
> When you intercept port 443, normally only the raw IP is available from
> TCP. Peek allows Squid to get the server name the client was trying to
> connect to out of the TLS. So that Squid can handle the intercepted
> connection as if it had received a CONNECT message (which usually have
> server/domain names).
> 
> Splicing can be thought of as handling an intercepted port 443 connection
> as if it were a CONNECT message, with no decryption. It is treated as a
> single "thing", with some limited control possibilities.
> 
> So...
> 
> In order to bump (decrypt) some traffic and splice (not decrypt) other
> traffic you need to have a way to decide which type is being dealt with.
> That is the peek or stare actions - to get data out of the TLS handshake
> for you to use in ACL decisions.
> 
> You might now want to re-read the SslPeekAndSplice documentation
> to see if you understand it better. I skipped a lot of important details
> to make the description clear.
> 
>> 
>> Please let me know if it is possible to configure Squid 3.5.19 in such a way
>> that it will bump only proxy websites, not FB, YouTube, etc.
>> 
> 
> Ah. So what are these "proxy websites" you speak of ?
> 
> One thing you need to be clear about is that once the TCP packets enter
> Squid they *have* to be "proxied". There is no way to undo TCP accept()
> and read() operations. But there are many ways of handling them that
> Squid can do.
> 
> PS. you could post your existing config so we can suggest alterations to
> it that will lead to it doing your new policy. That can be another way
> to learn how the relevant-to-you part of the features work without
> diving into the full complexity of what *might* be doable.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users 

Links:
------
[1] http://31.13.79.220:443
[2] http://74.125.68.100:443
[3] http://74.125.68.100
[4] http://216.58.199.133:443
[5] http://216.58.199.133
[6] http://74.125.130.189:443
[7] http://74.125.130.189
[8] http://74.125.68.239:443
[9] http://74.125.68.239
[10] http://216.58.199.141:443
[11] http://216.58.199.141
[12] http://216.58.220.5:443
[13] http://216.58.220.5
[14] http://74.125.68.132:443
[15] http://74.125.68.132
[16] http://74.125.200.138:443
[17] http://74.125.200.138
[18] http://216.58.199.131:443
[19] http://216.58.199.131
[20] http://216.58.199.142:443
[21] http://216.58.199.142
[22] http://216.58.199.206:443
[23] http://216.58.199.206
[24] http://216.58.199.165:443
[25] http://216.58.199.165
[26] http://74.125.130.101:443
[27] http://74.125.130.101
[28] http://216.58.199.129:443
[29] http://216.58.199.129
[30] http://162.213.33.48:443
[31] http://162.213.33.48
[32] http://216.58.220.3:443
[33] http://216.58.220.3
[34] http://74.125.130.94:443
[35] http://74.125.130.94
[36] http://74.125.200.189:443
[37] http://74.125.200.189
[38] http://216.58.199.16
[39] http://facebook.com
[40] http://107.170.47.181:443
[41] http://freevideodownloader.co:443
[42] http://106.10.137.175:443
[43] http://geo.query.yahoo.com:443
[44] http://106.10.137.175
[45] http://216.58.199.163
[46] http://74.125.200.239:443
[47] http://translate.googleapis.com:443
[48] http://74.125.200.239
[49] http://clients4.google.com:443
[50] http://31.13.79.246:443
[51] http://graph.facebook.com:443
[52] http://31.13.79.246
[53] http://0.client-channel.google.com:443
[54] http://clients5.google.com:443
[55] http://106.10.199.11:443
[56] http://geo.yahoo.com:443
[57] http://106.10.199.11
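The following Python is an added worked example; it is not code from this thread or from the Squid project. It models what Amos describes above (at step 1 of an intercepted port-443 connection only the original destination IP is known; peeking at the ClientHello yields the SNI; splice then tunnels without decryption) against the exact rule chain in the posted config (`peek step1`, `terminate blocked`, `splice all`), and it summarises CONNECT lines from an access.log to show which spliced tunnels were recorded with a real server name and which only with the origin IP. Two things are assumptions of mine rather than facts from the page: the `ssl::server_name` list is matched with Squid's dstdomain-style rules (a bare `facebook.com` matches only that exact host, a leading-dot `.facebook.com` matches the domain and all subdomains), and the regular expression only handles CONNECT lines in the default `squid` log format. The four sample log lines are copied from the thread with the mail archive's `[n]` link markers removed.

```python
"""Added example, not Squid code: simulate the posted ssl_bump chain on an
intercepted TLS connection and summarise CONNECT lines from access.log."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Rule order taken from the posted squid.conf:
#   ssl_bump peek step1
#   ssl_bump terminate blocked
#   ssl_bump splice all


def domain_match(name: str, pattern: str) -> bool:
    """Assumed ssl::server_name / dstdomain semantics: an exact host name
    matches only itself; '.example' matches example and every subdomain."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def is_blocked(server_name: str, blocklist: Iterable[str]) -> bool:
    """True if any line of blocked_https.txt matches the server name."""
    return any(domain_match(server_name, p) for p in blocklist)


def ssl_bump_decision(step: int, server_name: str, blocklist: Iterable[str]) -> str:
    """First matching ssl_bump rule wins; the chain is re-evaluated per step."""
    if step == 1:                              # ssl_bump peek step1
        return "peek"
    if is_blocked(server_name, blocklist):     # ssl_bump terminate blocked
        return "terminate"
    return "splice"                            # ssl_bump splice all


def simulate(dst_ip: str, sni: Optional[str], blocklist: Iterable[str]) -> Tuple[str, str]:
    """Run one intercepted connection through step 1 and step 2.

    Returns (server name seen at step 2, final action). With interception
    there is no CONNECT header, so at step 1 the only name is the raw
    destination IP; the SNI appears after the peek, and a client that sends
    no SNI leaves Squid with the IP as the only name (assumed behaviour).
    """
    blocklist = list(blocklist)
    if ssl_bump_decision(1, dst_ip, blocklist) != "peek":
        raise RuntimeError("step 1 must peek to learn the SNI")
    name_at_step2 = sni or dst_ip
    return name_at_step2, ssl_bump_decision(2, name_at_step2, blocklist)


# CONNECT lines of the default 'squid' access.log format (assumption: other
# request methods are simply skipped).
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+CONNECT\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+\S+\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)"
)


def parse_connects(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parsed fields of every CONNECT line; non-matching lines are dropped."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def tunnel_names(lines: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Map (client, origin IP) -> server name recorded on the spliced tunnel.

    Only TCP_TUNNEL/ORIGINAL_DST entries are used; the 'TAG_NONE/200 0
    CONNECT <ip>:443' lines are the step-1 entries and carry no name.
    """
    names: Dict[Tuple[str, str], str] = {}
    for r in parse_connects(lines):
        if r["code"] == "TCP_TUNNEL" and r["hier"] == "ORIGINAL_DST":
            names[(r["client"], r["peer"])] = r["dst"]
    return names


def tunnels_without_sni(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Tunnels whose recorded server name is just the origin IP."""
    return [k for k, name in tunnel_names(lines).items() if name == k[1]]


# Constructed sample: four lines copied from the thread's logs, with the
# archive's [n] link markers removed.
SAMPLE_LOG = """\
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463481340.025      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481352.675  98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
""".splitlines()

if __name__ == "__main__":
    for entries in (["facebook.com"], [".facebook.com"]):
        print(entries, simulate("31.13.79.246", "www.facebook.com", entries))
    print(tunnel_names(SAMPLE_LOG))
    print(tunnels_without_sni(SAMPLE_LOG))
```

Run as a script it prints the step-2 decision for `www.facebook.com` under both spellings of the list entry, then the tunnel summary. The point to check in a real deployment is the same one the simulation makes visible: the terminate rule can only ever fire at step 2, so it sees whatever name the peek produced, and a list entry that does not match that name (including an entry that names the bare domain while browsers connect to `www.` or `graph.` hosts) falls through to `splice all`. A terminate, when it does fire, closes the TCP connection rather than serving a Squid error page, which is consistent with the browser-side "secure connection failed" reported in the thread.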