[squid-users] SslBump Peek and Splice using Squid-4.1-5 in Amazon1 Linux with Squid Helpers

Enrico Heine flashdown at data-core.org
Tue Dec 11 17:53:23 UTC 2018


Dear Mike, 

Please checkout the following and let us know if you need further help. 

http://www.squid-cache.org/Doc/config/sslproxy_cert_error/

Best regards,

Flashdown

On 11 December 2018 16:41:56 CET, Mike Quentel <mike.quentel.rbc at gmail.com> wrote:
>Hi, I have been unsuccessfully trying to get Squid-4.1-5 in AWS
>(Amazon 1 Linux) to allow transparent proxy of certain domains, as
>well as IPs associated with those domains, whilst rejecting everything
>else.
>
>I have been referencing documentation at
>https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
>Version of Squid: 4.1-5 for Amazon 1 Linux available at
>http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/ (many thanks to
>@elico for these packages) specifically, the following:
>
>1)
>http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-4.1-5.amzn1.x86_64.rpm
>2)
>http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-helpers-4.1-5.amzn1.x86_64.rpm
>
>Example of tests that I am running:
>
>1) curl -kv https://service.us2.sumologic.com (EXPECTED: successfully
>accessed; OBSERVED: successfully accessed)
>2) curl -kv https://54.149.155.70 (EXPECTED: successfully accessed
>because it resolves to service.us2.sumologic.com; OBSERVED:
>"Certificate does not match domainname"  [No Error] (TLS code:
>SQUID_X509_V_ERR_DOMAIN_MISMATCH))
>3) curl -kv https://www.google.com (EXPECTED: failed to access;
>OBSERVED: failed to access)
>4) curl -kv https://172.217.13.164 (EXPECTED: failed to access;
>OBSERVED: "Certificate does not match domainname"  [No Error] (TLS
>code: SQUID_X509_V_ERR_DOMAIN_MISMATCH))
>
>Below is the latest version of the squid.conf being used. Apologies
>for any obvious errors--new to Squid here. I have been grappling with
>this for weeks, with many iterations of squid.conf so any advice is
>greatly appreciated; many thanks in advance.
>
>---
>
>visible_hostname squid
>
>host_verify_strict off
>
># Handling HTTP requests
>http_port 3128
>http_port 3129 intercept
>
>sslcrtd_children 10
>
>acl CONNECT method CONNECT
>
># AWS services domain
>acl allowed_http_sites dstdomain .amazonaws.com
># docker hub registry
>acl allowed_http_sites dstdomain .docker.io
>acl allowed_http_sites dstdomain .docker.com
>acl allowed_http_sites dstdomain www.congiu.net
>
># Handling HTTPS requests
># https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
>https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
>acl SSL_port port 443
>
># AWS services domain
>acl allowed_https_sites ssl::server_name .amazonaws.com
># docker hub registry
>acl allowed_https_sites ssl::server_name .docker.io
>acl allowed_https_sites ssl::server_name .docker.com
>
># project specific
>acl allowed_https_sites ssl::server_name www.congiu.net
>acl allowed_https_sites ssl::server_name mirrors.fedoraproject.org
>acl allowed_https_sites ssl::server_name mirror.csclub.uwaterloo.ca
>
># nslookup resolved IPs for collectors.sumologic.com
># workaround solution to support sumologic collector
>acl allowed_https_sites ssl::server_name .sumologic.com
># THE FOLLOWING TWO LINES DO NOT SEEM TO WORK AS EXPECTED
># acl allowed_https_sites ssl::server_name --server-provided service.sumologic.com sslflags=DONT_VERIFY_PEER
># acl allowed_https_sites ssl::server_name --server-provided service.us2.sumologic.com sslflags=DONT_VERIFY_PEER
>
>acl step1 at_step SslBump1
>acl step2 at_step SslBump2
>acl step3 at_step SslBump3
>
>ssl_bump peek step1 all
>ssl_bump peek step2 allowed_https_sites
># http://lists.squid-cache.org/pipermail/squid-users/2018-September/019150.html
>ssl_bump bump
>ssl_bump splice step3 allowed_https_sites
>ssl_bump bump
>ssl_bump terminate step2 all
>
>http_access allow CONNECT
>
># http_access allow SSL_port
>
>http_access deny CONNECT !allowed_https_sites
>http_access deny CONNECT !allowed_http_sites
>http_access allow allowed_https_sites
>http_access allow allowed_http_sites
>http_access deny all
>
>cache deny all
>
>debug_options "ALL,9"

-- 
This message was sent from my Android device with K-9 Mail.
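The following is an added example for this thread, not code from Squid, from Mike or from Enrico. It walks the quoted ssl_bump rule set through the three SslBump steps for each of the four curl tests, using a deliberately simplified model of the documented semantics (all assumptions, to be confirmed against cache.log on the real proxy): per step the rules are scanned top down and the first rule whose ACLs match wins, a rule written with no ACL matches unconditionally; ssl::server_name is the requested destination at step 1, the SNI (or the destination when the client sent none) at step 2, and the origin certificate subject at step 3; after a bump the origin certificate is checked against the name the client asked for, so a bare IP that is not in the certificate surfaces as SQUID_X509_V_ERR_DOMAIN_MISMATCH unless sslproxy_cert_error allows it. The certificate names are constructed sample values.

```python
"""Trace the quoted ssl_bump rules through the SslBump steps (added example).

Assumed, simplified Squid semantics are described in the lead-in above;
verify against your own Squid's cache.log before changing a live config.
"""
from dataclasses import dataclass
from typing import Optional

# ssl::server_name values copied from the quoted "acl allowed_https_sites" lines
ALLOWED_PATTERNS = [
    ".amazonaws.com", ".docker.io", ".docker.com", "www.congiu.net",
    "mirrors.fedoraproject.org", "mirror.csclub.uwaterloo.ca", ".sumologic.com",
]

# The quoted ssl_bump lines in their original order as (action, at_step, acl).
# (None, None) models a line written with no ACL at all.
RULES = [
    ("peek", 1, "all"),
    ("peek", 2, "allowed_https_sites"),
    ("bump", None, None),
    ("splice", 3, "allowed_https_sites"),
    ("bump", None, None),
    ("terminate", 2, "all"),
]


def domain_match(pattern: str, name: Optional[str]) -> bool:
    """Squid-style match: '.example.com' covers example.com and every subdomain."""
    if name is None:
        return False
    name = name.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def allowed_https_sites(name: Optional[str]) -> bool:
    return any(domain_match(p, name) for p in ALLOWED_PATTERNS)


def cert_covers(cert_names, host: str) -> bool:
    """Does a certificate with these subject names vouch for host? (exact or one-label wildcard)"""
    host = host.lower()
    for n in cert_names:
        n = n.lower()
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") >= 2 and host.split(".", 1)[1] == n[2:]:
            return True
    return False


@dataclass
class TlsConnection:
    requested: str        # hostname or bare IP the client dialled
    sni: Optional[str]    # ClientHello server_name; curl sends none for an IP
    cert_names: tuple     # subject CN/SAN on the origin certificate (constructed values)


def server_name_at(step: int, c: TlsConnection) -> Optional[str]:
    # assumption: which source ssl::server_name draws on at each step
    if step == 1:
        return c.requested
    if step == 2:
        return c.sni or c.requested
    return c.cert_names[0]


def first_match(step: int, name: Optional[str], rules=RULES) -> str:
    for action, at_step, acl in rules:
        if at_step is not None and at_step != step:
            continue
        if acl == "allowed_https_sites" and not allowed_https_sites(name):
            continue
        return action      # acl "all" or no ACL at all: matches unconditionally
    return "splice"        # assumption: fallback when no rule matched


def evaluate(c: TlsConnection, rules=RULES):
    """Return ([(step, action), ...], outcome) for one intercepted TLS connection."""
    trace = []
    for step in (1, 2, 3):
        action = first_match(step, server_name_at(step, c), rules)
        trace.append((step, action))
        if action != "peek":
            break
    outcome = trace[-1][1]
    if outcome == "bump" and not cert_covers(c.cert_names, c.requested):
        outcome = "bump: SQUID_X509_V_ERR_DOMAIN_MISMATCH"
    return trace, outcome


def unreachable_rules(rules=RULES):
    """Lint: every rule after the first unconditional one can never be selected."""
    for i, (_, at_step, acl) in enumerate(rules):
        if at_step is None and acl is None:
            return rules[i + 1:]
    return []


# Mike's four curl tests, paired with constructed certificate names
TESTS = {
    "curl https://service.us2.sumologic.com":
        TlsConnection("service.us2.sumologic.com", "service.us2.sumologic.com", ("*.us2.sumologic.com",)),
    "curl https://54.149.155.70":
        TlsConnection("54.149.155.70", None, ("*.us2.sumologic.com",)),
    "curl https://www.google.com":
        TlsConnection("www.google.com", "www.google.com", ("www.google.com",)),
    "curl https://172.217.13.164":
        TlsConnection("172.217.13.164", None, ("www.google.com",)),
}

if __name__ == "__main__":
    for label, conn in TESTS.items():
        print(f"{label}: {evaluate(conn)}")
    print("never reachable:", unreachable_rules())
```

Under these assumptions the two IP tests leave step 2 with a bump and then fail the certificate name check, which is exactly the mismatch error Mike reports and the reason the sslproxy_cert_error directive Enrico points to is the relevant knob for them. The lint also shows that the unconditional `ssl_bump bump` line sits above `ssl_bump splice step3 allowed_https_sites`, so in this model the splice rule is never reached for any site; that is a separate point from the IP mismatch and worth checking in cache.log before reordering anything on a production proxy.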