[squid-users] SslBump Peek and Splice using Squid-4.1-5 in Amazon1 Linux with Squid Helpers

Mike Quentel mike.quentel.rbc at gmail.com
Tue Dec 11 15:41:56 UTC 2018 

Hi, I have been unsuccessfully trying to get Squid-4.1-5 in AWS
(Amazon 1 Linux) to allow transparent proxy of certain domains, as
well as IPs associated with those domains, whilst rejecting everything
else.

I have been referencing documentation at
https://wiki.squid-cache.org/Features/SslPeekAndSplice

Version of Squid: 4.1-5 for Amazon 1 Linux available at
http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/ (many thanks to
@elico for these packages) specifically, the following:

1) http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-4.1-5.amzn1.x86_64.rpm
2) http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-helpers-4.1-5.amzn1.x86_64.rpm

Example of tests that I am running:

1) curl -kv https://service.us2.sumologic.com (EXPECTED: successfully
accessed; OBSERVED: successfully accessed)
2) curl -kv https://54.149.155.70 (EXPECTED: successfully accessed
because it resolves to service.us2.sumologic.com; OBSERVED:
"Certificate does not match domainname"  [No Error] (TLS code:
SQUID_X509_V_ERR_DOMAIN_MISMATCH))
3) curl -kv https://www.google.com (EXPECTED: failed to access;
OBSERVED: failed to access)
4) curl -kv https://172.217.13.164 (EXPECTED: failed to access;
OBSERVED: "Certificate does not match domainname"  [No Error] (TLS
code: SQUID_X509_V_ERR_DOMAIN_MISMATCH))

Below is the latest version of the squid.conf being used. Apologies
for any obvious errors--new to Squid here. I have been grappling with
this for weeks, with many iterations of squid.conf so any advice is
greatly appreciated; many thanks in advance.

---

visible_hostname squid

host_verify_strict off

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

sslcrtd_children 10

acl CONNECT method CONNECT

# AWS services domain
acl allowed_http_sites dstdomain .amazonaws.com
# docker hub registry
acl allowed_http_sites dstdomain .docker.io
acl allowed_http_sites dstdomain .docker.com
acl allowed_http_sites dstdomain www.congiu.net

# Handling HTTPS requests
# https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB
cert=/etc/squid/squid.pem
acl SSL_port port 443

# AWS services domain
acl allowed_https_sites ssl::server_name .amazonaws.com
# docker hub registry
acl allowed_https_sites ssl::server_name .docker.io
acl allowed_https_sites ssl::server_name .docker.com

# project specific
acl allowed_https_sites ssl::server_name www.congiu.net
acl allowed_https_sites ssl::server_name mirrors.fedoraproject.org
acl allowed_https_sites ssl::server_name mirror.csclub.uwaterloo.ca

# nslookup resolved IPs for collectors.sumologic.com
# workaround solution to support sumologic collector
acl allowed_https_sites ssl::server_name .sumologic.com
# THE FOLLOWING TWO LINES DO NOT SEEM TO WORK AS EXPECTED
# acl allowed_https_sites ssl::server_name --server-provided
service.sumologic.com sslflags=DONT_VERIFY_PEER
# acl allowed_https_sites ssl::server_name --server-provided
service.us2.sumologic.com sslflags=DONT_VERIFY_PEER

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
# http://lists.squid-cache.org/pipermail/squid-users/2018-September/019150.html
ssl_bump bump
ssl_bump splice step3 allowed_https_sites
ssl_bump bump
ssl_bump terminate step2 all

http_access allow CONNECT

# http_access allow SSL_port

http_access deny CONNECT !allowed_https_sites
http_access deny CONNECT !allowed_http_sites
http_access allow allowed_https_sites
http_access allow allowed_http_sites
http_access deny all

cache deny all

debug_options "ALL,9"

More information about the squid-users mailing list