[squid-users] SSL-BUMP 5.0.4 not working as expected

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Sun Jan 3 10:49:51 UTC 2021 

Hey Amos,

I forgot about the "".
I am attaching /etc/squid/ and inside a txt log dump from cache.log of the minute which 2 or more transactions happening.

I think I'm doing something wrong in the config but not 100% sure.

Link to config and output:
https://1drv.ms/u/s!AoiLG1Jyh7JqqEmrmgzPM5dRFUvK?e=adVJOe

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Sunday, January 3, 2021 9:12 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

On 3/01/21 9:08 am, ngtech1ltd wrote:
> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.
> 
> I am unsure about the right way it should be done.
> 
> The basic constrains are POLICY vs a set of rules.
> 
>   * Should I bump all connections with exceptions?
>   * Should I bump non else then the exceptions?
>   * Based on server_name regex and/or server_name domains
>

In regards to policy:

Security best-practice is to reject as early as possible. So for 
transactions that early bump steps are indicating going to forbidden 
places should reject immediately on that detection.

For transactions which appear to be not-bad, there is no "best" way. 
That depends on your specific setup needs and the side-effects of making 
a wrong deision.

I prefer to advise bump'ing at step 3 where the most information is 
available for checks and correction of client claims.


...
> I have tried the next set of rules:
> 
> ## START
> 
> acl step1 at_step SslBump1
> 
> acl step2 at_step SslBump2
> 
> acl step3 at_step SslBump3
> 
> acl NoBump_server_regex ssl::server_name_regex -i 
> /etc/squid/server-regex.nobump
> 
> acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump
> 
> acl NoBump_ALL_regex ssl::server_name_regex -i 
> /etc/squid/all_server-regex.nobump
> 
> acl MustBump_server_regex ssl::server_name_regex -i 
> /etc/squid/must_server-regex.bump
> 
> acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump
> 
> ssl_bump peek step1
> 
> ssl_bump splice NoBump_server_regex
> 
> ssl_bump splice NoBump_server_name
> 
> ssl_bump bump MustBump_server_regex
> 
> ssl_bump bump MustBump_server_name
> 
> ssl_bump splice NoBump_ALL_regex
> 
> ssl_bump bump all
> 
> ##END
> 
> But the BoBump are not applied.
> 
> I tried to understand why squid is bumping despite the explicit splice 
> action.

Note that all these splice/bump rules are being applied at step2. There 
is no step3 taking place.


Does your actual config have the required "" marks around those filenames?

Without that all your ACLs will non-match (SNI vs name of the file) and 
the last "bump all" will be applied below.


Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list