[squid-users] no ssl intercept - question how it works

robert k Wild robertkwild at gmail.com
Wed Aug 11 16:06:00 UTC 2021


Great, thanks Amos as always.

So shall I leave these ssl_bump lines in

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

And delete these

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

As you're right, they're both the same, I didn't spot that.

My understanding is that with "no ssl intercept", squid doesn't even bother to
inspect the packets, i.e. man in the middle, and just literally passes it
straight to the client.

Is that right?

Thanks,
Rob


On Wed, 11 Aug 2021, 06:48 Amos Jeffries, <squid3 at treenet.co.nz> wrote:

> On 11/08/21 4:56 am, robert k Wild wrote:
> > hi all,
> >
> > Before I continue, so sorry for the stupid question, but I'm trying to learn.
> >
> > Basically here's my squid.conf
> >
> > #NO SSL Interception
> > acl DiscoverSNIHost at_step SslBump1
> > acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
> > ssl_bump splice NoSSLIntercept
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> > #SSL Bump
> > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>
> Note:
>
>   You already have ssl_bump rules above which either splice or bump at
> step 1. The following ssl_bump rules either never get reached, or are
> already known to be impossible to perform if they do get reached.
>
>
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > #
> > #allow special URL paths
> > acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> >
> > #deny MIME types
> > acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> >
> > http_reply_access allow special_url
> > http_reply_access deny mimetype
> > #
> > #HTTP_HTTPS whitelist websites
> > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> >
> > #HTTP_HTTPS whitelist websites regex
> > acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
> >
> > http_access allow activation whitelist
> > http_access allow activation whitelistreg
> > http_access deny all
> >
> > In my urlwhitelist is this
> >
> ...
> > In my nointerceptssl is this
> >
> ...
>
> >
> > I got all the URLs etc. by looking at tail -f access.log and grepping the IP
> > and TCP_DENIED.
> >
> > But when I try to load the Apple App Store the whitelist isn't enough, I
> > need to add a couple of URLs to the nointerceptssl.
> >
> > I got that list by doing the same method, i.e. looking at tail -f
> > access.log and grepping the IP, but as I've already whitelisted the URLs
> > they all came back as none or ok instead of saying TCP_DENIED.
> >
> > My question is why do I need to add some URLs to the nointerceptssl and
> > why isn't it enough just to add them to the urlwhite list?
> >
>
> Because you are using those ACLs exclusively for very different things.
>
>   - "whitelist" is being exclusively used to check URI domains found in
> HTTP messages (http_access). Where "server name" is the CONNECT tunnel
> authority name or the IP's reverse-DNS name, or the decrypted https:// URL
> domain. It has nothing to do with the TLS handshake activity.
>
>   - "NoSSLIntercept" is being exclusively used for TLS handshake
> decisions (ssl_bump). Where "server name" is the CONNECT tunnel
> authority name or raw-IP, TLS SNI, or server certificate altSubjectName.
>
>
> You could use whitelist ACL in ssl_bump checks instead of
> NoSSLIntercept. At which point the ACL is now being used for both sets
> of checks and decisions.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
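To see why Amos says the second "peek step1 / bump all" block is never reached, and why the whitelist and NoSSLIntercept ACLs do different jobs, here is an added Python model of Squid's ssl_bump walk written for this thread. It is not Squid's code: it simplifies ssl::server_name to the single best name known at each step (CONNECT authority at step 1, SNI from step 2, certificate name from step 3), treats a step with no matching rule as an error rather than applying Squid's default, and uses constructed host names and list contents (www.example.com, pinned.example.net, 203.0.113.10).

```python
"""Model of how Squid walks ssl_bump rules over the SslBump steps.

Added illustration for the squid-users thread; not Squid's own code.
Model assumptions: one best ssl::server_name per step, no default action,
constructed host names and ACL lists.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FINAL_ACTIONS = {"splice", "bump", "terminate"}


@dataclass
class Handshake:
    connect_host: str                 # CONNECT authority, or the intercepted IP
    sni: Optional[str] = None         # ClientHello SNI, known once step 1 peeked
    cert_names: List[str] = field(default_factory=list)  # server cert names (step 3)

    def server_name(self, step: int) -> str:
        """ssl::server_name as this model sees it at a given SslBump step."""
        if step >= 3 and self.cert_names:
            return self.cert_names[0]
        if step >= 2 and self.sni:
            return self.sni
        return self.connect_host


@dataclass
class Rule:
    action: str   # splice | peek | stare | bump | terminate
    acl: str      # ACL name; "all" matches everything


AclTable = Dict[str, Callable[[Handshake, int], bool]]


def make_acls(nointercept: set) -> AclTable:
    """The ACLs from the posted squid.conf as match functions of (handshake, step)."""
    return {
        "all": lambda hs, step: True,
        "DiscoverSNIHost": lambda hs, step: step == 1,   # acl ... at_step SslBump1
        "step1": lambda hs, step: step == 1,             # acl ... at_step SslBump1
        "NoSSLIntercept": lambda hs, step: hs.server_name(step) in nointercept,
    }


# ssl_bump lines in the order they appear in the posted config;
# indices 3 and 4 are the second "peek step1 / bump all" block.
POSTED_RULES = [
    Rule("splice", "NoSSLIntercept"),
    Rule("peek", "DiscoverSNIHost"),
    Rule("bump", "all"),
    Rule("peek", "step1"),
    Rule("bump", "all"),
]


def evaluate(rules: List[Rule], acls: AclTable, hs: Handshake) -> Tuple[str, List[Tuple[int, int, str]]]:
    """Walk steps 1..3; at each step the first matching rule wins.

    Returns (final_action, trace) with trace entries (step, rule_index, action).
    """
    trace = []
    peeked_server_hello = False
    for step in (1, 2, 3):
        for idx, rule in enumerate(rules):
            if acls[rule.acl](hs, step):
                trace.append((step, idx, rule.action))
                break
        else:
            raise ValueError(f"no ssl_bump rule matched at step {step}")
        action = trace[-1][2]
        if action in FINAL_ACTIONS:
            # Squid's ssl_bump docs: peeking at the server Hello (step 2)
            # usually precludes bumping afterwards, so flag that combination.
            if action == "bump" and peeked_server_hello:
                raise ValueError("bump at step 3 after a step-2 peek is not possible")
            return action, trace
        if action == "peek" and step == 2:
            peeked_server_hello = True
    raise ValueError("no final action after step 3")


def reachable_rules(rules: List[Rule], acls: AclTable, handshakes: List[Handshake]) -> set:
    """Indices of rules that are ever the first match for any handshake."""
    hit = set()
    for hs in handshakes:
        _, trace = evaluate(rules, acls, hs)
        hit.update(idx for _, idx, _ in trace)
    return hit


def decide(connect_host: str, sni: str, whitelist: set, nointercept: set) -> dict:
    """http_access on the CONNECT first (allow whitelist / deny all), then ssl_bump.

    The whitelist ACL only gates the tunnel; NoSSLIntercept only steers the handshake.
    """
    if connect_host not in whitelist:
        return {"connect": "TCP_DENIED", "tls": None}
    action, _ = evaluate(POSTED_RULES, make_acls(nointercept), Handshake(connect_host, sni))
    return {"connect": "allowed", "tls": action}


if __name__ == "__main__":
    whitelist = {"www.example.com", "pinned.example.net"}   # constructed urlwhite.txt
    nointercept = {"pinned.example.net"}                     # constructed nointerceptssl.txt
    acls = make_acls(nointercept)
    cases = [
        Handshake("www.example.com", sni="www.example.com"),        # whitelisted only: bumped
        Handshake("pinned.example.net", sni="pinned.example.net"),  # in both lists: spliced at step 1
        Handshake("203.0.113.10", sni="pinned.example.net"),        # intercepted: IP at step 1, SNI at step 2
    ]
    for hs in cases:
        print(hs.connect_host, evaluate(POSTED_RULES, acls, hs))
    print("rules ever reached:", sorted(reachable_rules(POSTED_RULES, acls, cases)))
    print(decide("www.example.com", "www.example.com", whitelist, nointercept))
```

Running it shows that every handshake ends at rule 0, 1 or 2: a name in the no-intercept list is spliced at step 1 (or at step 2 once the SNI is peeked, which is what the step-1 peek is for), anything else is peeked then bumped by "bump all", and rules 3 and 4 are never consulted. The `decide` output also shows a host that is only whitelisted getting its CONNECT allowed but its TLS bumped, which is why a site has to appear in the splice list, not just the http_access whitelist, to be left untouched.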