<div dir="ltr">Thanks again Yuri.<div><br></div><div>I have tried blocking udp protocol on port 80 and 443 but without luck.</div><div><br></div><div>Is it possible to make google sites work in transparent mode without bumping ? only splicing ?</div><div><br></div><div>Thanks</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-03 10:11 GMT-03:00 Alejandro Martinez <span dir="ltr"><<a href="mailto:ajm.martinez@gmail.com" target="_blank">ajm.martinez@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Sorry my corrector. <br>
I want to say that i am going to check blocking quic proto. </p>
<p dir="ltr">Sorry <br>
</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">El 03/01/2016 10:10, "Alejandro Martinez" <<a href="mailto:ajm.martinez@gmail.com" target="_blank">ajm.martinez@gmail.com</a>> escribió:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Yuri</p>
<p dir="ltr">Thanks.</p>
<p dir="ltr">I amor.gringaus to checkpoint blocking quic. </p>
<p dir="ltr">I cant put ca cert into clients besarse I dont have access but I do not want to bump, Just allow almost everything and deny only a few sites. </p>
<p dir="ltr">I Will tell you my result. <br>
</p>
<div class="gmail_quote">El 03/01/2016 06:22, "Yuri Voinov" <<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>> escribió:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Sure,<br>
<br>
my config is quite different.<br>
<br>
Also - did you put cache CA cert into clients? And - did you block
QUIC in your infrastructure? As described here:<br>
<br>
<a href="http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol" target="_blank">http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol</a><br>
?<br>
<br>
<div>03.01.16 8:28, Alejandro Martinez
пишет:<br>
</div>
<blockquote type="cite">
<p dir="ltr">Yuri </p>
<p dir="ltr">Do you haber something diferent in your config? </p>
<p dir="ltr">Thanks <br>
</p>
<div class="gmail_quote">El 02/01/2016 17:18, "Yuri Voinov" <<a href="mailto:yvoinov@gmail.com" target="_blank"></a><a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>>
escribió:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
Don't think so.<br>
<br>
Google's HTTPS's works for me without any alerts in Chrome
:) With bump! ;)<br>
<br>
03.01.16 2:12, Nir Krakowski пишет:<br>
<span style="white-space:pre-wrap">> Its called certificate pinning:
> <a href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning" target="_blank">https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning</a>
>
> Nir.
>
> On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
<a href="mailto:ajm.martinez@gmail.com" target="_blank"><ajm.martinez@gmail.com></a>
> wrote:
>
>> Hi all,
>>
>> I'm using squid 3.5.12.
>>
>> This is my relevant config:
>>
>> *http_port 881*
>> *http_port 880 intercept*
>> *https_port 843 intercept ssl-bump
generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
cert=/usr/local/squid/etc/cert.pem key=*
>> */usr/local/squid/etc**/cert.pem
options=NO_SSLv3:NO_SSLv2
>>
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH*
>> *sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s *
>> */usr/local/squid/etc/**ssl/certs -M 4MB sslcrtd_children
8 startup=1
>> idle=1*
>>
>> *#### Denied Users*
>> *acl equipos_denegados src
"**/usr/local/squid/etc**/equipos_denegados"*
>> *http_access deny equipos_denegados*
>> *deny_info DENY equipos_denegados*
>>
>> *#### Allowed users*
>> *acl equipos_permitidos src
"/**usr/local/squid/etc**/equipos_permitidos"*
>> *http_access allow equipos_permitidos*
>> *####*
>>
>> *#### Denied Sites*
>> *acl sitios_denegados dstdomain "**/usr/local/squid/etc*
>> */sitiosdenegados"*
>> *http_access deny sitios_denegados*
>> *####*
>>
>> *#### Block HTTPS*
>> *acl blockhttps ssl::server_name
"/**usr/local/squid/etc*
>> */sitiosdenegados"*
>> *ssl_bump terminate blockhttps*
>> *ssl_bump splice equipos_permitidos*
>> *ssl_bump peek all*
>> *ssl_bump splice all*
>> *####*
>>
>> *sslproxy_cert_error allow all*
>> *sslproxy_flags DONT_VERIFY_PEER*
>> *sslproxy_options NO_SSLv3:NO_SSLv2*
>>
>>
>> Basically I'm using squid to allow everything and deniy
some users (hosts)
>> and some sites (http and https).
>>
>> If I use IE or Firefox (Win/Lin), everything works great,
if I access a
>> site via HTTP the user see a message and if he access via
HTTPS the
>> conecction is terminated and there is an error on the
browser.
>>
>> But, If I access any google site using chrome (windows /
linux) the sites
>> are getting bumped (<a href="http://google.com" target="_blank">google.com</a>, google.com.X <a href="http://youtube.com" target="_blank">youtube.com</a>,
etc)
>>
>> The browser complains with a "Your conecction is not
private" and the
>> certificate is my own certificate.
>>
>> I'm missing something ?
>>
>> I only what to splice everythng.
>>
>> Thanks
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>
>> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>
>>
>>
>
>
>
> _______________________________________________
> squid-users mailing list
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJWiDCiAAoJENNXIZxhPexGoQgH/3tVYeLA0ymswptTFgXCafjD
<br>
4dVdYyeqUklxAD1Z9kdTAwebKr8gCum+pSJJti474hjNpgQQlHsTc/syxMxMJGsF
<br>
Z2V0e1GCFjhDf+PBoBRIO0tJw5fhSR7RUhWT5HeZ5OuP412XtjyLH1eRJqKShh+x
<br>
VBL+7btpC5CwhDyHtM35UXCwM43tkuXo3uF8FibZn3AgxKM7EZJ0NndwK5od0kW1
<br>
PaTmUqeODXJZdXjceVF4dYeTt6GfSvzfrtXiPMIogk0w0Z2bJi5Sj/w7tr1x7VPH
<br>
ls8kccXKVCKp0kigoEMLD86DzznKd1c4r+rZguEGycQQfN8MIpzc8wQZEm61nx0=
<br>
=aiMO
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</div>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
</blockquote></div>
</div></div></blockquote></div><br></div>