[squid-users] Sslbump Not working for transparent proxy
Amos Jeffries
squid3 at treenet.co.nz
Sat Mar 2 03:16:38 UTC 2019
On 2/03/19 8:54 am, Joseph Jones wrote:
> I've been trying to get SslBump work for whitelist purposes and so far
> have been failing.
>
> It's my understanding in order for SslBump to do whitelist it will
> need to do a splice at step2 or step3.
Not quite. For intercepted traffic you do need a peek at step1 to get
the TLS SNI details. Before that Squid only has raw-IP.
But your problem is earlier than even step1. Before bumping starts Squid
synthesizes a CONNECT message to check if the client is allowed to even
make requests of the proxy. This uses the TCP SYN packet src-IP as
message URI.
Your http_access permissions being *only* these:
http_access allow localnet http_whitelist
http_access deny all
... the raw-IP URI will not match true for the whitelist check. Leaving
the deny to reject the client.
Then we get to the SSL-Bump. Since the decision has already been made to
reject this client all Squid does is the peek and client-first bump
actions. These happen in order to deliver that denial page in a form
that Browsers will most likely display (no guarantee though).
What you need to avoid this too-early denial is allow CONNECT which
happen on the interception port. Add these lines above yoru deny all:
acl port3129 myportname 3129
http_access allow CONNECT port3129
PS. I also advise to leave the Safe_ports and SSL_Ports checks from the
default config as they were. They have no effect on any of the SSL-Bump
activity and protect your proxy against several types of DoS and other
nasty attacks.
Amos
More information about the squid-users
mailing list