[squid-users] How squid sends sni to icap server?

lucas.alvaro at laposte.net lucas.alvaro at laposte.net
Sun Aug 6 20:11:13 UTC 2017 

>> Hi everyone, 
>> I have a transparent proxy squid 3.5.26 with C-ICAP and here are the 
>> important lines: 
>> " 
>> icap_enable on 
>> icap_send_client_ip on 
>> icap_send_client_username on 
>> icap_client_username_header X-Authenticated-User 
>> icap_preview_enable on 
>> icap_preview_size 1024 
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/echo 
>> bypass=off 
>> adaptation_access service_avi_req allow all 
>> icap_service service_avi_resp respmod_precache 
>> icap://localhost:1344/echo bypass=off 
>> adaptation_access service_avi_resp allow all 
>> 
>> #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf 
>> 
>> 
>> http_port 3128 
>> http_port 3129 intercept 
>> https_port 3130 intercept ssl-bump \ 
>> cert=/etc/squid/ssl_cert/myCA.pem \ 
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB 
>> 
>> #acl step1 at_step SslBump1 
>> #acl step2 at_step SslBump2 
>> #acl step3 at_step SslBump3 
>> 
>> ssl_bump peek all 
>> ssl_bump bump all 
> 
>NP: Peeking at step 2 precludes bumping. 
> 
>> logformat squid %ssl::>sni 
> 
>Please do not redefine the built-in format name "squid". Use a custom 
>name for custom formats. 
> 

Ok it will be done 

> 
>> adaptation_meta X-SNI "%ssl::>sni" all #or connect 
>> #request_header_add X-SNI "%ssl::>sni" all 
>> " 
>> 
>> 
>> So i want to create an icap service like squidclamav but it must check 
>> SNI not URLs. 
> 
>Any particular reason why? 
> SNI has almost nothing to do with the HTTP messages (plural). It is 
> simply the name of the next-hop server (or proxy) they should be 
> delivered to on their way around the web. 
> 
>I thought squidclamav was an antivirus, not a URL blocklist checker. 
> 
You're right: squidclamav is an antivirus but there are much more services, actually he can check url and match them to blacklist or whitelist. 
I don't want to decrypt https trafic but i want to know where the client is trying to connect. I thought SNI was the only way to know the server name and the domain without decrypting anything. 

Final goal is to blacklist for exemple google and when sni indicates www.google.com, c-icap denies the access. 

> 
>> I peek all the steps to get sni and in the squid access log, sni is 
>> printed . 
>> 
>> I read that adaptation_meta can send anything from squid to icap but 
>> clearly i use it incorretly: i can't see sni on icap access log or in 
>> icap headers. 
> 
> Your usage appears to be correct. I think there is no SNI being received 
> by Squid. 

That's problematic because in my squid access log there are "www.youtube.com" "www.google.com", that's exactly what i'm tryng to pass to c-icap. Seems like squid receives the sni. 

>> Does adaptation_meta create a icap headers ? 
> 
>It does. 
> 
>> Or should i use 
>> add_request_headers? 
> 
>No, that would add HTTP headers to the outgoing messages (to server or 
>to client). 
>> 
>> I know that squid can create a 2nd fake connect with sni but here again 
>> icap just print the same connect 2 times 
>> 
> 
>That is correct, however SNI is not always sent by clients. Squid can 
>only use what it is given. 
> 
>If there is an SNI in that particular clientHello you have hit a bug in 
>Squid. 
> 
>Amos 

Thanks Amos for the reply. 

>________ ______________________________________ 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170806/e1479fcd/attachment.html>

More information about the squid-users mailing list