[squid-users] Help with transparent whitelisting proxy on Squid 4.4
Jared Fox
jared.fox at practiv.com
Wed Jun 26 23:39:58 UTC 2019
Hi Amos,

So I have tried the following based on your suggestions, but it is still failing and has the errors below:
1. Switched to a wildcard whitelist instead of single domain
2. Updated the logformat to provide more information, see below:
3. Added `--client-requested`, but this made no difference:
3a. Added it to the single ACL: acl domainIsWhitelisted ssl::server_name --client-requested cloudtrace.googleapis.com
3b. Commented out the single record, switched to the wildcard
3c. Added it to the wildcard
Error messages and logs:

Access log:
26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106 NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL: cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 -

Cache log:
2019/06/26 23:18:38 kid1| ERROR: negotiating TLS on FD 11: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned (1/-1/0)
Can you please explain what you mean? What should this be changed to so that it does work?
> Please be aware that in your config the ssl::server_name ACL is *not* matching the SNI in your config.
> - Your ssl_bump rules say "peek all" - so peek happens on the two Hello
> messages. When the serverHello has been peek'd the real server name is
> available from the servers own certificate.
Updated squid.conf:

# ===========================
# Squid 4.7 Config - Work in Progress
# ===========================
acl localnet src 10.0.0.0/8 # Kubernetes VPC CIDR range
acl SSL_ports port 443 # HTTPS
acl Safe_ports port 80 # HTTP
acl Safe_ports port 443 # HTTPS
acl CONNECT method CONNECT # Traffic restriction
acl step1 at_step SslBump1 # Needed by ssl-bump
# -------------------------------
# Whitelist the following Domains
# -------------------------------
# FQDN - Try to use FQDN
acl domainIsWhitelisted ssl::server_name accounts.google.com
# ----------------------------------------------
# Wildcard
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.com
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.l.google.com
# -------------------------------
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Passively Intercepted HTTPS Traffic
https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept
ssl_bump peek all
ssl_bump splice domainIsWhitelisted
ssl_bump terminate all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Logging (logformat must be a single line)
logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv SSL: %ssl::>sni %ssl::bump_mode Client(Subject/Tx/Neg/Sup/Cip): %ssl::>cert_subject %ssl::>received_hello_version %ssl::>negotiated_version %ssl::>received_supported_version %ssl::>negotiated_cipher Server(Subject/Rx/Neg/Sup/Cip): %ssl::<cert_subject %ssl::<received_hello_version %ssl::<negotiated_version %ssl::<received_supported_version %ssl::<negotiated_cipher
access_log daemon:/var/log/squid/access_custom1.log custom1
# Listen on port 3128 for HTTP CONNECT method - unused and firewalled off.
http_port 3128
# End of File
Kind regards
Jared
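An added illustration of the point made in the quoted reply, not part of the original post and not Squid's shipped configuration: the ssl_bump section below follows the SNI-based splice pattern from Squid's SslPeekAndSplice documentation. Peeking is limited to the first step (the ClientHello), so the ssl::server_name whitelist is evaluated against the client's SNI at step 2 and Squid never has to parse the origin's ServerHello itself. The ACL names, ports and certificate paths are the ones from the post; the http_access rules and logging lines are assumed to stay as they are.

```conf
# Added example (not from the post): peek only at SslBump1, then decide.
acl step1 at_step SslBump1

# Whitelist, matched on the client-requested SNI from the ClientHello.
acl domainIsWhitelisted ssl::server_name --client-requested accounts.google.com
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.com
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.l.google.com

# Transparently intercepted HTTPS (same listener as in the post).
https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept

# Step 1: peek at the ClientHello to learn the SNI. With "peek all" the peek
# would also run at step 2 (the ServerHello), and from then on the name seen by
# ssl::server_name comes from the server's certificate, as the quoted reply says.
ssl_bump peek step1
# Step 2: whitelisted SNI -> pass the TLS stream through untouched.
ssl_bump splice domainIsWhitelisted
# Everything else is closed. Spliced and terminated sessions show up in the
# custom1 access log with bump_mode "splice" / "terminate" instead of "peek".
ssl_bump terminate all
```

Because the splice decision is taken at step 2, a whitelisted host is passed through before Squid's own TLS library ever inspects a ServerHello; a non-whitelisted host is terminated at the same point. Checking the bump_mode field in the custom1 log after a change is a quick way to confirm that whitelisted connections are actually being spliced rather than peeked.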