[squid-users] Have issue with "https_port ssl-bump intercept"
squid3 at treenet.co.nz
Thu Aug 16 11:17:24 UTC 2018
On 16/08/18 21:15, pius wrote:
> We are planning to control the traffic that goes out from the network. Few
> of them are HTTPS. we managed to whitelist HTTP traffic that going out the
> network. And we are really happy about it. Now only worry we got is the
> HTTPS traffic.
> I listen 2 port in squid. 3129(HTTP) and 3130 (HTTPS).
> When we communicate https traffic to the outside world, we prefer to use
> 3130 so that we will have an end to end encryption. But at the same time, I
> need to whitelist some domain name so that only those domain name can be
> communicated safely. Is this is possible in squid?
Yes, provided that:
1) only the domain name is wanted, and
2 a) the client sends TLS SNI, and
2 b) the server certificate confirms the TLS SNI
In that one case, you can use SSL-Bump peek and splice to retain the
# ACL on the TLS server name learned from the client SNI / server cert
acl whitelist ssl::server_name ...
acl step1 at_step SslBump1
acl step2 at_step SslBump2
# peek at ClientHello and server cert, splice only whitelisted names,
# terminate everything else without bumping
ssl_bump peek all
ssl_bump splice whitelist
ssl_bump terminate all
NP: you will still have to configure Squid with a self-signed CA cert
for the odd situations when Squid has to 'bump' to deliver errors to the
Care also has to be taken to "allow" the CONNECT messages SSL-Bump
processing uses. These may appear in http_access etc. with raw-IP:port
only OR with non-whitelisted domains from TLS SNI.
The above config will only whitelist after the server cert is known and
should terminate TLS without any HTTP(S) error page being delivered to
clients - but can only do so if http_access does _not_ cause a "deny"
part way through the handshake (eg from non-whitelisted SNI names).
BTW, please also be aware that TLS is *not* "end-to-end". It is only
point-to-point encryption. It is a mistake to think of it as fully
end-to-end. There are very likely multiple HTTP(S) network hops at both
client and server ends which are encrypted differently or unencrypted.
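Added example, not part of the thread above and not Squid's own code: a small Python model of the peek/splice decision the reply describes. Step 1 parses the TLS ClientHello and extracts the SNI host name; step 2 checks that the names the server certificate presents actually cover that SNI; only when both the whitelist match and the certificate confirmation hold is the connection "spliced", otherwise it is "terminated". The ClientHello bytes, the certificate names and the whitelist entries (WHITELIST, using a leading dot for "domain and all subdomains" in the style of dstdomain) are all constructed for the demonstration; the wildcard handling is a deliberate simplification of RFC 6125 matching.

```python
import struct
from typing import Iterable, Optional

# Hypothetical whitelist, modelled on `acl whitelist ssl::server_name ...`:
# a leading dot matches the domain itself and every subdomain.
WHITELIST = (".example.com", "static.example.net")


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying the given SNI
    (constructed test input, not a packet capture)."""
    body = b"\x03\x03" + bytes(32)                 # client_version + random
    body += b"\x00"                                 # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"                             # one compression method
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Step 1 (SslBump1): return the SNI host name from a ClientHello record,
    lower-cased, or None when absent or the record is malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                            # header, version, random
        pos += 1 + hs[pos]                          # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                          # compression methods
        if pos + 2 > len(hs):
            return None                             # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            # server_name extension: list length, name type 0, name length, name
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace").lower()
    except (IndexError, struct.error):
        return None
    return None


def in_whitelist(host: str, acl: Iterable[str] = WHITELIST) -> bool:
    """Match a host against the whitelist (dot-prefixed entries cover subdomains)."""
    for entry in acl:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def cert_confirms_sni(sni: str, cert_names: Iterable[str]) -> bool:
    """Step 2 (SslBump2): does a subjectAltName entry cover the SNI?
    Only a single leftmost-label wildcard is honoured (simplified RFC 6125)."""
    for name in cert_names:
        name = name.lower()
        if name == sni:
            return True
        if name.startswith("*.") and "." in sni and sni.split(".", 1)[1] == name[2:]:
            return True
    return False


def decide(client_hello: bytes, cert_names: Iterable[str]) -> str:
    """Return 'splice' only when the SNI is whitelisted AND the server
    certificate confirms it; every other case is 'terminate'."""
    sni = parse_sni(client_hello)
    if sni is None or not in_whitelist(sni):
        return "terminate"
    if not cert_confirms_sni(sni, cert_names):
        return "terminate"
    return "splice"


if __name__ == "__main__":
    print(decide(build_client_hello("www.example.com"), ["*.example.com"]))  # splice
    print(decide(build_client_hello("www.example.com"), ["other.invalid"]))  # terminate
```

The second condition is the one that is easy to forget: a client can put any name in SNI, so the whitelist alone is only as trustworthy as the server certificate that is later peeked at, which is why the reply ties the decision to "the server certificate confirms the TLS SNI".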