<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
Already found this lonely right post ;) I have Google-Fu too :) And
it's longer than yours :)<br>
<br>
Anyway,<br>
<br>
All of these issues are solved.<br>
<br>
I have snoop (not Windoze Wireshark - all great things are made in the
console, ya!) and took a look at a single client's traffic during
bumping.<br>
<br>
As I don't have iptables (no penguins, please!), but I do have a Cisco 2911,
I pass some Windows Update, Symantec Update (which does not work either)
bypassing Squid.<br>
<br>
Cisco is greatest. All others are probably suxx :)<br>
<br>
The complete solution looks like:<br>
<br>
access-list 121 remark ACL for HTTPS WCCP<br>
access-list 121 remark Squid proxies bypass<br>
access-list 121 deny ip host 192.168.200.3 any<br>
access-list 121 remark WU bypass<br>
access-list 121 deny tcp any 191.232.0.0 0.7.255.255<br>
access-list 121 deny tcp any 65.52.0.0 0.3.255.255<br>
access-list 121 remark Symantec bypass<br>
access-list 121 deny tcp any host 195.215.221.99<br>
access-list 121 deny tcp any host 195.215.221.104<br>
access-list 121 deny tcp any host 213.248.114.172<br>
access-list 121 deny tcp any host 213.248.114.173<br>
access-list 121 deny tcp any host 213.248.114.174<br>
access-list 121 deny tcp any host 213.248.114.175<br>
access-list 121 deny tcp any host 77.67.22.168<br>
access-list 121 deny tcp any host 77.67.22.171<br>
access-list 121 deny tcp any host 77.67.22.173<br>
access-list 121 deny tcp any host 213.248.114.171<br>
access-list 121 remark LAN clients proxy port 443<br>
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443<br>
access-list 121 remark all others bypass WCCP<br>
access-list 121 deny ip any any<br>
<br>
So, all other issues are solved similarly.<br>
<br>
Want to do something good - do it yourself!<br>
<br>
That's the way. :)<br>
<br>
30.12.2014 23:39, Rafael Akchurin wrote:<br>
<span style="white-space: pre;">><br>
> Hello Yuri,<br>
><br>
> <br>
><br>
> Luckily the same topic was just discussed on our forum –
please see if this can help
<a class="moz-txt-link-freetext" href="https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ">https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ</a><br>
><br>
> <br>
><br>
> It describes the iptables settings for successful SSL bump
exclusions for Dropbox clients / Google Drive / iTunes (bypassing
SSL Bump because of SSL Pinning).<br>
><br>
> <br>
><br>
> Best regards,<br>
><br>
> Raf<br>
><br>
> <br>
><br>
> *From:*squid-users
[<a class="moz-txt-link-freetext" href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>] *On Behalf Of
*Rafael Akchurin<br>
> *Sent:* Tuesday, December 30, 2014 4:23 PM<br>
> *To:* Yuri Voinov; <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect<br>
><br>
> <br>
><br>
> Only exclusion from SSL Bump as far as I know.<br>
><br>
> <br>
><br>
> raf<br>
><br>
> -------------------------<br>
><br>
> *From:*Yuri Voinov <<a class="moz-txt-link-abbreviated" href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>><br>
> *Sent:* Tuesday, December 30, 2014 3:19 PM<br>
> *To:* Rafael Akchurin; <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect<br>
><br>
> <br>
><br>
><br>
> Maybe.<br>
><br>
> Does a workaround exist?<br>
><br>
> 30.12.2014 20:09, Rafael Akchurin wrote:<br>
> > SSL Pinning? (I know Dropbox does this)<br>
><br>
><br>
><br>
> > my two cents only :)<br>
><br>
><br>
><br>
> > Raf<br>
><br>
><br>
><br>
> > ________________________________________<br>
><br>
> > From: squid-users
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>on behalf
of Yuri Voinov <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a><br>
><br>
> > Sent: Tuesday, December 30, 2014 2:12 PM<br>
><br>
> > To: <a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> > Subject: [squid-users] Squid 3 SSL bump: Google drive
application could not connect<br>
><br>
><br>
><br>
> > Hi gents,<br>
><br>
><br>
><br>
> > I found a strange issue.<br>
><br>
><br>
><br>
> > Squid 3.4.10. Intercept. HTTPS bumping. All works fine.
All configs correct.<br>
><br>
><br>
><br>
> > Whenever all web https sites work perfectly -
especially in Chrome,<br>
><br>
> > most cloud clients work like a charm (SpiderOak is!),
Google Drive client<br>
><br>
> > application (PC) could not work.<br>
><br>
> > Note: Web Google Docs works. Web Google drive works.<br>
><br>
><br>
><br>
> > Note: Google support info - even if I pass a dozen Google
URLs without<br>
><br>
> > bump - cannot help. It doesn't work when server-first
bumping is on and<br>
><br>
> > works otherwise.<br>
><br>
><br>
><br>
> > So, the Serious Question is: Why? :)<br>
><br>
><br>
><br>
> > Any idea?<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > _______________________________________________<br>
><br>
> > squid-users mailing list<br>
><br>
> > <a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> >
<a class="moz-txt-link-rfc2396E" href="http://lists.squid-cache.org/listinfo/squid-users"><http://lists.squid-cache.org/listinfo/squid-users></a><br>
><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
></span><br>
<br>
<br>
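Added example (not part of the original message or of the poster's configuration): a first-match evaluator for the ACL 121 entries quoted above, for checking which flows the redirect list sends to Squid and which bypass it. The function names are hypothetical, only two of the Symantec host entries are kept for brevity, and only the syntax forms used in the post (any, host, address plus wildcard, eq) are parsed.<br>

```python
import ipaddress

# ACL 121 entries copied from the post above (remarks dropped, order kept,
# Symantec host list shortened to two entries).
ACL_121 = """\
deny ip host 192.168.200.3 any
deny tcp any 191.232.0.0 0.7.255.255
deny tcp any 65.52.0.0 0.3.255.255
deny tcp any host 195.215.221.99
deny tcp any host 213.248.114.172
permit tcp 192.168.0.0 0.0.255.255 any eq 443
deny ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (to_int(tok[1]), 0), tok[2:]
    return (to_int(tok[0]), to_int(tok[1])), tok[2:]

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        src, rest = parse_addr(tok[2:])
        dst, rest = parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((tok[0], tok[1], src, dst, port))
    return rules

def matches(spec, addr):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (to_int(addr) | spec[1]) == (spec[0] | spec[1])

def wccp_decision(rules, proto, src, dst, dport):
    """First matching entry wins; permit = redirect to Squid, deny = bypass."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and r_port in (None, dport)
                and matches(r_src, src) and matches(r_dst, dst)):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of every IOS ACL

RULES = parse_acl(ACL_121)
```

Calling wccp_decision(RULES, "tcp", client, server, 443) with an address just inside and just outside each wildcard range shows where the bypass ends: 0.7.255.255 covers 191.232.0.0 through 191.239.255.255, and 0.3.255.255 covers 65.52.0.0 through 65.55.255.255.<br>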
</body>
</html>