[squid-users] Working peek/splice no longer functioning on some sites

James Lay jlay at slave-tothe-box.net
Fri Nov 24 19:30:41 UTC 2017


Topic says it...this setup has been working well for a long time, but
now there are some sites that are failing the TLS handshake.  Here's my
setup:

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all


ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex
"/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER 
#sslproxy_options ALL

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump
cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem
cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem
key=/opt/etc/squid/certs/sslsplit_ca_key.pem  generate-host-
certificates=on dynamic_cert_mem_cache_size=4MB
sslflags=NO_SESSION_REUSE


logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni
%ssl::>cert_subject %>Hs %<st %Ss:%Sh 

access_log syslog:daemon.info mine 

refresh_pattern -i (cgi-bin|\?)	0	0%	0
refresh_pattern .		0	20%	4320

coredump_dir /opt/var 

For example, the file http_url.txt contains:

account\.elderscrollsonline\.com
\.elderscrollsonline\.com
elderscrollsonline\.com


After doing some reading it looks like this is http2 traffic:  https://
wiki.squid-cache.org/Features/HTTP2.

Is there anything I can do to continue using squid with more and more
sites using http2?  Pcap enclosed..thank you.

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20171124/661bddfc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.pcap
Type: application/vnd.tcpdump.pcap
Size: 1095 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20171124/661bddfc/attachment.pcap>


More information about the squid-users mailing list