[squid-users] HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 25 15:10:30 UTC 2019


On 25/01/19 9:15 pm, Александр Александрович Березин wrote:
> Please HELP!
>  
> Hello dear members of the community
> excuse me for disturbing you, but I could not find an answer to the
> question, so I speak to you, sorry again
>  
> i have
>  
...
> 
> in /etc/squid.conf
> 
> .......
> 
> acl test dstdomain partner.steam-api.com
>  
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>  
> ssl_bump peek step1 all

NP: That 'all' has no purpose here.

> ssl_bump splice test

The ssl_bump rules when checked for intercepted traffic are run *before*
anything gets decrypted. Thus there is no HTTP(S) request to get a URL
from, so no URL domain (dstdomain).

Use ssl::server_name ACL type instead. It can match TLS SNI domain (if
any) retrieved by the step1 peek action.


> ssl_bump bump
>  
>  
> http_port 192.168.50.1:3128 intercept
> https_port 192.168.50.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl_cert/squidCA.pem
>  
>  
>  
> when I am trying to access the site from a browser from a local network
> partner.steam-api.com
>  
> access.log
>  
> [Fri Jan 25 06:50:10 2019].514      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -

Traffic arriving is immediately being denied access into the proxy. The
other log entries and errors are resulting from that fact.

>  
> but the address at the end, partner.steam-api.com, can be dynamic and
> constantly changing, so I need a connection by name.
> Tell me, what is my mistake?

Two mistakes. First is the dstdomain vs ssl::server_name ACL types
mentioned above.

Second mistake is http_access rules denying CONNECT messages generated
by Squid to represent the TCP SYN packet for SSL-Bump step1. At that
point all Squid has access to is the raw-IP:port details. SNI where the
server name is received requires the initial CONNECT to be allowed into
the proxy before the TLS inspection can begin.


Amos


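A corrected squid.conf fragment, added here as an illustration (it is not part of Amos's reply or the original post), that applies both points above: the domain match uses ssl::server_name, and the synthetic CONNECT for the intercepted connection is allowed through http_access before the ssl_bump rules run. The client range 192.168.50.0/24 is an assumption derived from the 192.168.50.1 listener; the original post does not show its http_access rules, so the ones here are the stock defaults plus that range.

```conf
# Clients on the intercepted LAN (assumed range, derived from the 192.168.50.1 listener)
acl localnet src 192.168.50.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# First fix: match the TLS SNI obtained by the step1 peek, not the URL domain.
# A dstdomain ACL cannot match here because nothing is decrypted yet.
acl test ssl::server_name partner.steam-api.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Second fix: the CONNECT that Squid generates for an intercepted TCP
# connection carries only raw IP:port (the "CONNECT 208.64.202.87:443" in
# the log). It must pass http_access, otherwise it is logged as TCP_DENIED
# and the SNI is never seen.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Peek at step1 to learn the SNI, splice (pass through encrypted, no
# inspection) when it matches, bump everything else. No 'all' needed on peek.
ssl_bump peek step1
ssl_bump splice test
ssl_bump bump all

http_port 192.168.50.1:3128 intercept
https_port 192.168.50.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl_cert/squidCA.pem
```

A spliced connection is forwarded without decryption, so nothing in it is filtered or logged beyond the SNI match, and that SNI is whatever the client presented at step1.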