[squid-users] no ssl intercept - question how it works
Amos Jeffries
squid3 at treenet.co.nz
Wed Aug 11 05:44:42 UTC 2021
On 11/08/21 4:56 am, robert k Wild wrote:
> hi all,
>
> before I continue, so sorry for the stupid question but I'm trying to learn
>
> basically here's my squid.conf
>
> #NO SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
Note:
You already have ssl_bump rules above which either splice or bump at
step 1. The following ssl_bump rules either never get reached, or are
already known to be impossible to perform if they do get reached.
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
>
> http_reply_access allow special_url
> http_reply_access deny mimetype
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
>
> #HTTP_HTTPS whitelist websites regex
> acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
>
> http_access allow activation whitelist
> http_access allow activation whitelistreg
> http_access deny all
>
> in my urlwhitelist is this
>
...
> in my nointerceptssl is this
>
...
>
> I got all the URLs etc. by looking at tail -f access.log and grepping the IP
> and tcp denied
>
> but when I try to load the Apple App Store the whitelist isn't enough, I
> need to add a couple of URLs to the nointerceptssl
>
> I got that list by doing the same method, i.e. looking at tail -f
> access.log and grepping the IP, but as I've already whitelisted the URLs
> they all came back as none or ok instead of saying tcp denied
>
> my question is why do I need to add some URLs to the nointerceptssl and
> why isn't it enough just to add them to the urlwhite list
>
Because you are using those ACLs exclusively for very different things.

- "whitelist" is used exclusively to check URI domains found in HTTP
messages (http_access). There, "server name" is the CONNECT tunnel
authority name, the IP's reverse-DNS name, or the decrypted https:// URL
domain. It has nothing to do with the TLS handshake activity.

- "NoSSLIntercept" is used exclusively for TLS handshake decisions
(ssl_bump). There, "server name" is the CONNECT tunnel authority name or
raw IP, the TLS SNI, or the server certificate's subjectAltName.

You could use the whitelist ACL in ssl_bump checks instead of
NoSSLIntercept. At which point the ACL is being used for both sets of
checks and decisions.
Amos
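An added example, not part of this thread and not Squid's own code: a small Python model of first-match evaluation of the quoted ssl_bump and http_access rules over SslBump steps 1 and 2. It shows the two points made above in running code: a host that appears only in urlwhite.txt is allowed by http_access yet still bumped by ssl_bump, and the second "peek step1 / bump all" pair can never fire because "bump all" above it matches everything. The list contents, host names, the dstdomain-style matching of ssl::server_name, and the treatment of the undefined "activation" ACL (assumed to match) are constructed assumptions for the example.

```python
"""Toy model of the ssl_bump / http_access evaluation from the thread.

Simplifications (assumptions, not Squid's implementation): first matching
rule wins, two SslBump steps, and ssl::server_name sees the CONNECT
authority at step 1 and the peeked SNI at step 2.
"""
import re

# Constructed stand-ins for the list files referenced in the thread.
NOINTERCEPTSSL = {"nointercept.example"}                # nointerceptssl.txt
URLWHITE = {"allowed.example", "nointercept.example"}   # urlwhite.txt
URLREGWHITE = [r"\.allowed-re\.example$"]               # urlregwhite.txt

# The ssl_bump rules in the order they appear in the quoted squid.conf.
SSL_BUMP_RULES = [
    ("splice", "NoSSLIntercept"),
    ("peek", "DiscoverSNIHost"),
    ("bump", "all"),
    ("peek", "step1"),      # second block from the quoted config
    ("bump", "all"),
]

FINAL_ACTIONS = {"splice", "bump", "terminate"}


def server_name_matches(name, entries):
    """dstdomain-style match: 'a.example' is exact, '.a.example' also
    matches sub-domains (assumed semantics for ssl::server_name)."""
    for entry in entries:
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def acl_matches(acl, step, server_name):
    """Evaluate one named ACL from the quoted config at a given SslBump step."""
    if acl == "all":
        return True
    if acl in ("DiscoverSNIHost", "step1"):   # both are 'at_step SslBump1'
        return step == 1
    if acl == "NoSSLIntercept":               # ssl::server_name nointerceptssl.txt
        return server_name_matches(server_name, NOINTERCEPTSSL)
    if acl == "whitelist":                    # ssl::server_name urlwhite.txt
        return server_name_matches(server_name, URLWHITE)
    raise KeyError(acl)


def ssl_bump_step(step, server_name, rules=SSL_BUMP_RULES):
    """First matching ssl_bump rule wins; returns (action, rule_index)."""
    for index, (action, acl) in enumerate(rules):
        if acl_matches(acl, step, server_name):
            return action, index
    return "splice", None   # nothing matched: tunnel without decrypting


def tls_decision(connect_host, sni, rules=SSL_BUMP_RULES):
    """Run steps 1 and 2. Step 1 only knows the CONNECT authority; step 2
    knows the SNI peeked from the ClientHello (falls back to the authority).
    Returns the final action and the indices of the rules that fired."""
    fired = []
    action, index = ssl_bump_step(1, connect_host, rules)
    fired.append(index)
    if action in FINAL_ACTIONS:
        return action, fired
    action, index = ssl_bump_step(2, sni or connect_host, rules)
    fired.append(index)
    return action, fired


def unreachable_rules(rules=SSL_BUMP_RULES):
    """Every rule after the first one guarded by 'all' can never be reached."""
    for index, (_action, acl) in enumerate(rules):
        if acl == "all":
            return list(range(index + 1, len(rules)))
    return []


def http_access_decision(host):
    """The quoted http_access lines: allow whitelist or whitelistreg, else
    deny all. The 'activation' ACL is not in the quoted config and is
    assumed to match."""
    if server_name_matches(host, URLWHITE):
        return "allow"
    if any(re.search(pattern, host) for pattern in URLREGWHITE):
        return "allow"
    return "deny"


if __name__ == "__main__":
    for host in ("allowed.example", "nointercept.example", "other.example"):
        print(host, "http_access:", http_access_decision(host),
              "ssl_bump:", tls_decision(host, host))
    print("unreachable ssl_bump rule indices:", unreachable_rules())
```

Running it shows "allowed.example" getting http_access allow and ssl_bump bump, while "nointercept.example" is spliced at step 1 before any HTTP-level whitelist is consulted; the only way to change the TLS outcome for a whitelist-only host is to reference that ACL from an ssl_bump line, as the reply suggests.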