[squid-users] Web Whatsapp, Dropbox... problem

Chico Venancio chicocvenancio at gmail.com
Mon Sep 12 16:38:59 UTC 2016


According to the logs bump was being performed before the change, so I
don't follow.

If the lack of an acl step1 SslBump1 was the problem, he would have no bumps
or bumps with incorrect host names in the certificates. Right now it seems
he is either bumping some CONNECT request WhatsApp doesn't want to be MITM,
or he is outright denying something, maybe something else entirely; without
logs we cannot be sure.
Chico Venancio

On 12/09/2016 12:46, "Yuri Voinov" <yvoinov at gmail.com> wrote:

> Both of you are caught up in the access control list and have completely
> lost sight of the fact that the OP basically wrote the wrong general rules
> for bump, skipping step1 - SslBump1.
>
> Which can be spliced by server name without performing a peek? Yes?
>
> That is why it did not work. All the rest is non-fundamental cosmetics and
> can be written and debugged later.
>
> 12.09.2016 21:40, Marcus Kool wrote:
> >
> >
> > On 09/12/2016 12:15 PM, Chico Venancio wrote:
> >> I'd think a regex consumes a lot more resources than server name, but don't know if it is significant.
> >> Anyway, without more details we can't be sure the server name not matching is the problem.
> >>
> >> We need access logs and client(browser) details.
> >>
> >> By the way, acl excludeSSL ssl::server_name web.whatsapp.com
> >> Would not work, whatsapp uses some subdomains that also should not be bumped.
> >
> > squid.conf.documented seems to imply that you can add a dot to match the subdomains also, just like with dstdomain:
> >    acl excludeSSL ssl::server_name .web.whatsapp.com
> >
> > Be careful with the regex, it matches also web.whatsapp.com-24.site: it needs a $
> >
> > Marcus
> >
> >> Chico Venancio
> >>
> >>
> >> On 12/09/2016 11:42, "Yuri Voinov" <yvoinov at gmail.com> wrote:
> >>
> >>
> > Because ssl::server_name_regex works reliably. As shown by my personal
> > practice. But in general it is by op's choice.
> >
> >
> > 12.09.2016 20:38, Marcus Kool wrote:
> >
> >
> > > On 09/12/2016 11:14 AM, Yuri Voinov wrote:
> >
> > >> Oooops,
> >
> > >> acl must be:
> >
> > >> acl excludeSSL ssl::server_name_regex web\.whatsapp\.com
> >
> > > why a regex?
> > > why not the following ?
> > >    acl excludeSSL ssl::server_name web.whatsapp.com
> >
> > > Marcus
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
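Added example (not part of the original messages and not Squid code): a small Python check of which SNI names each ACL form discussed in this thread would match, so a lookalike such as web.whatsapp.com-24.site is caught before it is exempted from bumping. The ACL names, the sample names and the `(^|\.)` prefix on the anchored regex are assumptions made here; ssl::server_name is assumed to follow dstdomain matching as Marcus reads squid.conf.documented, and Python's re stands in for Squid's regex engine.

```python
import re

# Constructed squid.conf fragment: the ACL forms discussed in the thread,
# plus an anchored regex (hypothetical ACL names, not from the original post).
CONF = r"""
acl exact     ssl::server_name web.whatsapp.com
acl dotted    ssl::server_name .web.whatsapp.com
acl loose_re  ssl::server_name_regex web\.whatsapp\.com
acl tight_re  ssl::server_name_regex (^|\.)web\.whatsapp\.com$
"""

# Constructed SNI values; the last one is the lookalike from the thread.
SNI = ["web.whatsapp.com", "w1.web.whatsapp.com", "web.whatsapp.com-24.site"]

def domain_match(pattern, host):
    """dstdomain-style match (assumed for ssl::server_name): a leading dot
    covers the domain itself and every subdomain; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_acls(conf):
    """Yield (name, type, values) for ssl::server_name* ACL lines."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2].startswith("ssl::server_name"):
            yield parts[1], parts[2], parts[3:]

def evaluate(conf, hosts):
    """Map each ACL name to the list of hosts it would match."""
    result = {}
    for name, kind, values in parse_acls(conf):
        if kind.endswith("_regex"):
            # Regex ACLs are substring searches unless anchored. Python's re
            # stands in for Squid's POSIX regex; equivalent for these patterns.
            hit = lambda h: any(re.search(v, h) for v in values)
        else:
            hit = lambda h: any(domain_match(v, h) for v in values)
        result[name] = [h for h in hosts if hit(h)]
    return result

if __name__ == "__main__":
    for acl, matched in evaluate(CONF, SNI).items():
        print(f"{acl:9} -> {matched}")
```

Only the unanchored regex matches the lookalike name; the exact server_name form misses the subdomain, which is the problem Chico pointed out.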

