[squid-users] disable https inspection for licensing some apps
Eliezer Croitoru
ngtech1ltd at gmail.com
Wed May 18 19:19:40 UTC 2022
Hey Alex,
I have started working on some external_acl helper that will probe the
server certificate like what ufdbguard does but will be written
probably in another language then C++ ... ie scripting or GoLang or Rust.
The idea is that there will be some cache or DB that will store information
about an IP+port paired with SNI.
A storage engine like a cache would help to "know" enough about the server
to ultimately decide if there is a risk in splicing this specific
connection.
It's also possible that the first time that the request will pass via thru
the proxy it will be bumped to probe the connection for more information
when possible.
In general for commercial products there is either a CDN service or a
dedicated service.
These usually are not the risk for the proxy users and can be spliced.
The main issue is if one service on a specific IP serves more then one
domain that contains different content.
The best example is google CDN network that might serve on the same IP and
certificate and SNI(because of HTTP/2.0) different domains.
Eliezer
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Alex Rousskov
Sent: Wednesday, May 18, 2022 21:39
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] disable https inspection for licensing some apps
On 5/18/22 12:28, robert k Wild wrote:
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
OK, the above configuration makes the splice/bump decision based on
plain text information provided by the TLS client.
> and in the nointercept.txt
> i have the url in there
ssl::server_name needs a host/domain name, not a regular URL. No URLs
are exchanged in plain text between TLS client and the origin server.
Please note that, even after adjusting nointercept.txt to contain domain
name(s), the above configuration may not always work in modern Squids:
It will work when the client sends a matching domain name
* in the CONNECT request headers (and sends no TLS SNI at all)
* in the CONNECT request headers and in TLS SNI
* in TLS SNI (the CONNECT request headers should not matter).
It will also work when a CONNECT request is using an IP address that
reverse-resolves to a matching domain name (which is not overwritten by
a mismatching SNI).
In all other cases, Squid will bump traffic even if it is ultimately
going to the server named in nointercept.txt.
There is no configuration that will address all possible cases in
general. TLS makes that impossible (at least not without probing TLS
origin servers which is something Squid does not do yet).
HTH,
Alex.
>, also i have it in the url white list so it can actually see the url
>
> is there something else i need to add for this to work
>
> or maybe some websites ie license website just dont like it going through
a proxy
>
>
> On Wed, 18 May 2022 at 16:57, robert k Wild <robertkwild at gmail.com
> <mailto:robertkwild at gmail.com>> wrote:
>
> hi all,
>
> i have squid proxy configured as ssl bump and i white list some
> websites only
>
> but for some websites i dont want to inspect https traffic as it
> breaks the cert when i want to license some apps via the url
> (whitelist url)
>
> how can i disable https inspection for some websites please
>
> many thanks,
> rob
>
> --
> Regards,
>
> Robert K Wild.
>
>
>
> --
> Regards,
>
> Robert K Wild.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list