<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
No problem. ;)<br>
<br>
31.12.2014 2:30, Rafael Akchurin пишет:<br>
<span style="white-space: pre;">><br>
> Perfect thanks a lot!!!<br>
><br>
> Raf :)<br>
><br>
> <br>
><br>
> *From:*Yuri Voinov [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]<br>
> *Sent:* Tuesday, December 30, 2014 9:23 PM<br>
> *To:* Rafael Akchurin; <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect<br>
><br>
> <br>
><br>
><br>
> WCCP only, of course. To reduce Cisco CPU usage.<br>
><br>
> Also, iOS version 15.4 with SECURITYK9 techno pack activated.<br>
><br>
> 31.12.2014 2:21, Rafael Akchurin пишет:<br>
><br>
><br>
> > Just for me to completely clarify:<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > - how exactly your Squid gets the traffic from
your clients?<br>
><br>
> (explicit proxy or cisco WCCP?)<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > raf<br>
><br>
><br>
><br>
> > *From:*Yuri Voinov [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]<br>
><br>
> > *Sent:* Tuesday, December 30, 2014 9:16 PM<br>
><br>
> > *To:* Rafael Akchurin;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> > *Subject:* Re: [squid-users] Squid 3 SSL bump:
Google drive<br>
><br>
> application could not connect<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > To finalize a solution,<br>
><br>
><br>
><br>
> > see the our favorite:<br>
><br>
><br>
><br>
><br>
><br>
>
<a class="moz-txt-link-freetext" href="http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html">http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html</a><br>
><br>
><br>
><br>
> > Why use iptables, ipfilter,Cisco, etc?!<br>
><br>
><br>
><br>
> > Only Squid, only hardcore!<br>
><br>
><br>
><br>
> > Revert cisco config back:<br>
><br>
><br>
><br>
> > R2911(config)#no access-list 121<br>
><br>
> > R2911(config)#access-list 121 remark ACL for HTTPS
WCCP<br>
><br>
> > R2911(config)#access-list 121 remark Squid proxies
bypass<br>
><br>
> > R2911(config)#access-list 121 deny ip host
192.168.200.3<br>
><br>
> any<br>
><br>
> > R2911(config)#access-list 121 deny ip host
192.168.100.251<br>
><br>
> any<br>
><br>
> > R2911(config)#access-list 121 remark Videoserver<br>
><br>
> > R2911(config)#access-list 121 deny ip host
192.168.200.5<br>
><br>
> any<br>
><br>
> > R2911(config)#access-list 121 remark LAN clients
proxy port<br>
><br>
> 443<br>
><br>
> > R2911(config)#access-list 121 permit tcp
192.168.0.0<br>
><br>
> 0.0.255.255 any eq 443<br>
><br>
> > R2911(config)#access-list 121 remark all others
bypass WCCP<br>
><br>
> > R2911(config)#access-list 121 deny ip any any<br>
><br>
> > R2911(config)#^Z<br>
><br>
> > R2911#wr<br>
><br>
> > Building configuration...<br>
><br>
> > [OK]<br>
><br>
><br>
><br>
> > Write acl file with IP/net with SSL Pinning:<br>
><br>
><br>
><br>
> > root @ ktulhu /usr/local/squid/etc # cat
dst.nobump<br>
><br>
> > # BCC bypass<br>
><br>
> > 91.198.63.0/24<br>
><br>
> > # Salyk bypass<br>
><br>
> > 212.154.165.148/32<br>
><br>
> > # WU bypass<br>
><br>
> > 191.232.0.0/13<br>
><br>
> > 65.52.0.0/14<br>
><br>
> > # Symantec bypass<br>
><br>
> > 195.215.221.99/32<br>
><br>
> > 195.215.221.104/32<br>
><br>
> > 213.248.114.172/32<br>
><br>
> > 213.248.114.173/32<br>
><br>
> > 213.248.114.174/32<br>
><br>
> > 213.248.114.175/32<br>
><br>
> > 77.67.22.168/32<br>
><br>
> > 77.67.22.171/32<br>
><br>
> > 77.67.22.173/32<br>
><br>
> > 213.248.114.171/32<br>
><br>
><br>
><br>
> > Add needful nets/apps to acl by your taste.<br>
><br>
><br>
><br>
> > Add to squid config:<br>
><br>
><br>
><br>
> > # SSL bump acl<br>
><br>
> > acl net_bump src "/usr/local/squid/etc/net.bump"<br>
><br>
> > # HTTP-use 443 port apps<br>
><br>
> > acl url_nobump dstdom_regex \.icq\.*<br>
><br>
> > # SSL Pinning servers. Only ip-based dst acl!<br>
><br>
> > acl dst_nobump dst
"/usr/local/squid/etc/dst.nobump"<br>
><br>
><br>
><br>
> > # SSL bump rules<br>
><br>
> > sslproxy_cert_error allow all<br>
><br>
> > ssl_bump none localhost<br>
><br>
> > ssl_bump none url_nobump<br>
><br>
> > ssl_bump none dst_nobump<br>
><br>
> > ssl_bump server-first net_bump<br>
><br>
><br>
><br>
> > Yahooo! The same result with Squid only!<br>
><br>
><br>
><br>
> > 30.12.2014 23:39, Rafael Akchurin пишет:<br>
><br>
> > > SSL Pinning<br>
><br>
><br>
><br>
><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBAgAGBQJUowvHAAoJENNXIZxhPexGdMwH/28FtXnzlefKyuPNgvvLBJ2B
<br>
dd/slXF1TbXhBi60S6jfXe/Vlbd9iAeTc4zP6WaR7XJEty3jXDCKQ/TISNDhXyRg
<br>
3tB/Ycg1ondWuAqPZsLTlrmttGDSkOgPOamL+kkGbbfyim6xdv/y9ZcH1QEz2Ibr
<br>
ToRRXENsbuFWgpZchrNtDrDtOpAUwBkNKLyOkdE1t1dX4g9BKq0PLq054oqx/vmG
<br>
G4ErEoUSqKWgWG2aOCk3l6GIJQwbcj13qLDKcKFRQEyCYRZ07sf5PcSk1A2J1jTt
<br>
vJzTMse05mOt/fZdhp0Sf+w5rw8kg0oMv7szyVZjXqnuiwKgOYabjwFje42NkOQ=
<br>
=TYok
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>