<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
On Thu, 2015-10-01 at 13:26 +0200, Job wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Hello,
by reading the Squid 3.5 "Peek and Splice" feature page:
<A HREF="http://wiki.squid-cache.org/Features/SslPeekAndSplice">http://wiki.squid-cache.org/Features/SslPeekAndSplice</A>
I would like to ask you two questions, please:
1. In this implementation, do I have to install the self-made Certification Authority as for SSL Bump?
2. How can I block a domain (dstdomain with Squid) with Peek and Splice? It seems not to be possible from reading the document.
Thank you for your patience and many thanks!
Francesco
_______________________________________________
squid-users mailing list
<A HREF="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A>
<A HREF="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</A>
</PRE>
</BLOCKQUOTE>
<BR>
I've found that with peek/splice, instead of stare/bump, I did not need to install the certificate on the end device (daughter got a new phone and I forgot to install it...still worked anyway...cool).<BR>
<BR>
Config below for exactly what you're wanting...change netblocks to what you're using and change cert locations and whatnot. Before just doing a copy/paste and go, I would recommend reading the docs to get a better understanding of what the below directives mean. The file http_url.txt is regex, so it will have entries like \.apple\.com.<BR>
<BR>
<TT>acl localnet src 192.168.1.0/24</TT><BR>
<TT>acl SSL_ports port 443</TT><BR>
<TT>acl Safe_ports port 80</TT><BR>
<TT>acl Safe_ports port 443</TT><BR>
<TT>acl CONNECT method CONNECT</TT><BR>
<TT>acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"</TT><BR>
<BR>
<TT>http_access deny !Safe_ports</TT><BR>
<TT>http_access deny CONNECT !SSL_Ports</TT><BR>
<TT>http_access allow SSL_ports</TT><BR>
<TT>http_access allow allowed_http_sites</TT><BR>
<TT>http_access deny all</TT><BR>
<BR>
<TT>acl step1 at_step SslBump1</TT><BR>
<TT>acl step2 at_step SslBump2</TT><BR>
<TT>acl step3 at_step SslBump3</TT><BR>
<BR>
<TT>ssl_bump peek all</TT><BR>
<TT>acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"</TT><BR>
<TT>ssl_bump splice allowed_https_sites</TT><BR>
<TT>ssl_bump terminate all</TT><BR>
<BR>
<TT>sslproxy_capath /etc/ssl/certs</TT><BR>
<BR>
<TT>sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB</TT><BR>
<TT>sslcrtd_children 5</TT><BR>
<BR>
<TT>http_port 3128 intercept</TT><BR>
<TT>https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE</TT><BR>
<BR>
<TT>logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh</TT><BR>
<BR>
<TT>access_log syslog:daemon.info mine</TT><BR>
<BR>
<TT>refresh_pattern -i (cgi-bin|\?) 0 0% 0</TT><BR>
<TT>refresh_pattern . 0 20% 4320</TT><BR>
<BR>
<TT>coredump_dir /opt/var</TT><BR>
<BR>
James
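<BR>
<BR>
The following is an added example, not part of James's reply and not Squid code: a small Python model of how the two regex ACLs in the config above are applied, so the effect of an http_url.txt entry such as \.apple\.com can be checked offline. It assumes Squid's documented regex ACL semantics (url_regex is searched against the full request URL, ssl::server_name_regex against the peeked SNI, both unanchored and case-sensitive without -i); the sample file contents, the host names, and the second "anchored" SNI list are constructed for illustration, and the anchored list is a suggestion of this note, not something from the posted config.<BR>

```python
import re

# Constructed stand-in for the poster's /opt/etc/squid/http_url.txt: one regular
# expression per line, in the style the reply describes (\.apple\.com).
HTTP_URL_TXT = r"""
# allowed sites
\.apple\.com
\.example\.org
"""

# Hypothetical stricter list for the SNI-side ACL only (not from the posted
# config): anchored to the end of the name so that "apple.com.somewhere.else"
# no longer matches. It cannot be reused for url_regex as-is, because a URL
# continues after the host name ("/path").
SNI_ANCHORED_TXT = r"""
(^|\.)apple\.com$
(^|\.)example\.org$
"""


def load_patterns(text):
    """Compile the non-empty, non-comment lines of a quoted ACL file.

    Squid's url_regex and ssl::server_name_regex ACLs are unanchored searches
    (a pattern may match anywhere in the subject) and are case-sensitive unless
    the ACL line carries the -i option, which the posted config does not use.
    """
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def matches_any(patterns, subject):
    return any(p.search(subject) for p in patterns)


def http_decision(patterns, url):
    """Port 3128 path: `http_access allow allowed_http_sites` then `deny all`.
    url_regex is matched against the full request URL."""
    return "allow" if matches_any(patterns, url) else "deny"


def https_decision(patterns, sni):
    """Port 3129 path: `ssl_bump peek all` reads the ClientHello, then
    `ssl_bump splice allowed_https_sites` matches ssl::server_name_regex against
    the SNI, and `ssl_bump terminate all` closes everything else. A ClientHello
    without SNI gives the ACL nothing to match, so it is terminated too."""
    if sni is None or not matches_any(patterns, sni):
        return "terminate"
    return "splice"


PATTERNS = load_patterns(HTTP_URL_TXT)
ANCHORED_SNI_PATTERNS = load_patterns(SNI_ANCHORED_TXT)


if __name__ == "__main__":
    for url in ("http://www.apple.com/itunes/", "http://www.google.com/"):
        print(f"HTTP  {url:40} -> {http_decision(PATTERNS, url)}")
    for sni in ("www.apple.com", "apple.com", "www.Apple.com",
                "www.apple.com.example.net", None):
        print(f"HTTPS {str(sni):40} -> {https_decision(PATTERNS, sni):9} "
              f"(anchored: {https_decision(ANCHORED_SNI_PATTERNS, sni)})")
```

Running it shows the three things worth knowing about that file before relying on it as an allowlist: the leading \. means bare apple.com is not matched, matching is case-sensitive unless -i is added to the acl line, and because the search is unanchored \.apple\.com also matches a name such as www.apple.com.example.net, which an anchored SNI-only pattern avoids. Everything not matched is denied on port 3128 and terminated on port 3129, which is how this config blocks domains without dstdomain.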
</BODY>
</HTML>