[squid-users] Squid generated certificate for IP rather than domain when using ssl_bump

Shanmugam Sundaram shanmuga_karna at yahoo.com
Mon Apr 17 16:55:16 UTC 2017 

Hi Alex, 

Thank you. Yes, there are http_access rules

I have included the entire configuration file (Sorry, I'm new to Squid)The goal is to splice only whitelist (github.com) and terminate all other domains.

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem

visible_hostname squid.internal

acl localnet src 172.16.0.0/16
acl http_whitelist dstdomain .github.comacl whitelist ssl::server_name .github.com

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1025-65535  # unregistered ports
acl step1 at_step SslBump1
acl step2 at_step SslBump2

acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow http_whitelist localnethttp_access deny all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all
via offforwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
 -Shan 

    On Monday, April 17, 2017 10:10 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
 

 On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:

> I have a blanket block setup with Squid as Transparent proxy where
> access it allowed only to github.com. But, squid generates certificates
> for IP address instead of domain name and SSL validation fails.

> Squid version: |3.5.25-20170408-r14154|
> When I use curl
> |curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com|
> 
> How to configure properly to splice a whitelist and block all other
> domains. Below is my current configuration
> 
> http_port 3128
> http_port 3129 intercept
> https_port 3130intercept ssl-bump enerate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
> 
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
> 
> Please help me fixing the issue.

Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)?

What does access.log say?

Alex.



   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170417/a98451dc/attachment-0001.html>

More information about the squid-users mailing list