[squid-users] disable https inspection for licensing some apps

robert k Wild robertkwild at gmail.com
Thu May 19 12:47:11 UTC 2022


I worked it out, my "no HTTPS interception" was working on websites if I
put the URL in that txt file

nointercept.txt

But I needed to make a proxy.ini file as well on the host in question, for
it to point to the proxy

Once it pointed to the proxy I could then monitor the traffic and see what
URL I needed to whitelist and to put in the no SSL interception

Once I did that all good

Thanks guys, much appreciated

On Wed, 18 May 2022, 20:21 Eliezer Croitoru, <ngtech1ltd at gmail.com> wrote:

>  Hey Alex,
>
> I have started working on some external_acl helper that will probe the
> server certificate like what ufdbguard does but will be written
> probably in another language than C++, i.e. scripting or GoLang or Rust.
> The idea is that there will be some cache or DB that will store information
> about an IP+port paired with SNI.
> A storage engine like a cache would help to "know" enough about the server
> to ultimately decide if there is a risk in splicing this specific
> connection.
> It's also possible that the first time that the request passes through
> the proxy it will be bumped to probe the connection for more information
> when possible.
>
> In general for commercial products there is either a CDN service or a
> dedicated service.
> These usually are not the risk for the proxy users and can be spliced.
> The main issue is if one service on a specific IP serves more than one
> domain that contains different content.
> The best example is the Google CDN network that might serve on the same IP and
> certificate and SNI (because of HTTP/2.0) different domains.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
> Alex Rousskov
> Sent: Wednesday, May 18, 2022 21:39
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] disable https inspection for licensing some apps
>
> On 5/18/22 12:28, robert k Wild wrote:
>
> > acl DiscoverSNIHost at_step SslBump1
> > acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump splice NoSSLIntercept
> > ssl_bump bump all
>
> OK, the above configuration makes the splice/bump decision based on
> plain text information provided by the TLS client.
>
>
> > and in the nointercept.txt
> > I have the URL in there
>
> ssl::server_name needs a host/domain name, not a regular URL. No URLs
> are exchanged in plain text between TLS client and the origin server.
>
> Please note that, even after adjusting nointercept.txt to contain domain
> name(s), the above configuration may not always work in modern Squids:
> It will work when the client sends a matching domain name
>
> * in the CONNECT request headers (and sends no TLS SNI at all)
> * in the CONNECT request headers and in TLS SNI
> * in TLS SNI (the CONNECT request headers should not matter).
>
> It will also work when a CONNECT request is using an IP address that
> reverse-resolves to a matching domain name (which is not overwritten by
> a mismatching SNI).
>
> In all other cases, Squid will bump traffic even if it is ultimately
> going to the server named in nointercept.txt.
>
> There is no configuration that will address all possible cases in
> general. TLS makes that impossible (at least not without probing TLS
> origin servers which is something Squid does not do yet).
>
>
> HTH,
>
> Alex.
>
>
> > Also, I have it in the URL whitelist so it can actually see the URL.
> >
> > Is there something else I need to add for this to work?
> >
> > Or maybe some websites, i.e. the license website, just don't like it going
> > through a proxy.
> >
> >
> > On Wed, 18 May 2022 at 16:57, robert k Wild <robertkwild at gmail.com> wrote:
> >
> >     Hi all,
> >
> >     I have Squid proxy configured as SSL bump and I whitelist some
> >     websites only.
> >
> >     But for some websites I don't want to inspect HTTPS traffic as it
> >     breaks the cert when I want to license some apps via the URL
> >     (whitelisted URL).
> >
> >     How can I disable HTTPS inspection for some websites please?
> >
> >     Many thanks,
> >     rob
> >
> >     --
> >     Regards,
> >
> >     Robert K Wild.
> >
> >
> >
> > --
> > Regards,
> >
> > Robert K Wild.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
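To make Alex's point concrete, here is an added example (written for this page, not Squid's own code and not anything posted in the thread). It models what the quoted peek/splice/bump config can see at SslBump step 1: the only plaintext name is the TLS SNI from the ClientHello, or the CONNECT host when the client sends no SNI. A URL placed in nointercept.txt therefore never matches, while a host name does. The ClientHello builder and parser are minimal (TLS 1.2 layout, only the server_name extension is inspected), the dstdomain-style matching rule (".example.com" covers the domain and its subdomains, a bare name matches exactly) is this example's assumption about ssl::server_name, and the host names and file contents are constructed for the demonstration.

```python
"""Toy model of the splice/bump decision made by the quoted ssl_bump config.

Added example, not Squid source. It parses the SNI out of a ClientHello (the
plaintext name Squid peeks at in step 1) and matches it against the entries
of a nointercept.txt-style file.
"""
import struct
from typing import List, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record, optionally with an SNI
    extension. Constructed for this example, not a captured handshake."""
    body = b"\x03\x03" + bytes(32)                         # version + zero random
    body += b"\x00"                                        # empty session id
    body += struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"     # two cipher suites
    body += b"\x01\x00"                                    # compression: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no SNI (the case of Alex's first bullet)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version + random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos >= len(body):
        return None                                        # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if name_type == 0:
                return name.decode("ascii").lower()
    return None


def load_nointercept(text: str) -> List[str]:
    """Parse a nointercept.txt-style file: one entry per line, '#' comments ignored."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def domain_matches(entry: str, host: str) -> bool:
    """Assumed dstdomain-style rule: '.example.com' matches the domain and
    all subdomains; a bare 'example.com' matches only that exact host."""
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def ssl_bump_decision(connect_host: str, client_hello: bytes, entries: List[str]) -> str:
    """Return 'splice' or 'bump' for one peeked connection. Simplified model
    of the quoted config: the tested name is the SNI when present, otherwise
    the CONNECT host. No URL is ever available here."""
    sni = extract_sni(client_hello)
    name = (sni or connect_host).lower()
    return "splice" if any(domain_matches(e, name) for e in entries) else "bump"


# Constructed sample files: the URL form from the thread, and a host-name form.
NOINTERCEPT_WRONG = "https://licensing.example.com/activate\n"
NOINTERCEPT_FIXED = "# host names only, no URLs\n.licensing.example.com\n"

if __name__ == "__main__":
    hello = build_client_hello("licensing.example.com")
    for label, text in (("URL entry", NOINTERCEPT_WRONG), ("domain entry", NOINTERCEPT_FIXED)):
        print(label, "->", ssl_bump_decision("licensing.example.com", hello, load_nointercept(text)))
```

Running it shows the URL entry yields "bump" and the domain entry yields "splice" for the same connection; the licensing client then sees the origin's real certificate rather than one signed by the proxy CA, which is what broke the activation. The model deliberately ignores the reverse-DNS case Alex mentions for IP-based CONNECT requests.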

