<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
Not sure. I'm only bumping Google for caching static content (and some
dynamic). In my setup I have a lot of Google-related traffic.<br>
<br>
04.01.16 6:16, Alejandro Martinez wrote:<br>
<span style="white-space: pre;">> Thanks again Yuri.<br>
><br>
> I have tried blocking udp protocol on port 80 and 443 but
without luck.<br>
><br>
> Is it possible to make google sites work in transparent mode
without<br>
> bumping ? only splicing ?<br>
><br>
> Thanks<br>
><br>
><br>
> 2016-01-03 10:11 GMT-03:00 Alejandro Martinez
<a class="moz-txt-link-rfc2396E" href="mailto:ajm.martinez@gmail.com"><ajm.martinez@gmail.com></a>:<br>
><br>
>> Sorry my corrector.<br>
>> I want to say that I am going to check blocking quic
proto.<br>
>><br>
>> Sorry<br>
>> On 03/01/2016 10:10, "Alejandro Martinez"
<a class="moz-txt-link-rfc2396E" href="mailto:ajm.martinez@gmail.com"><ajm.martinez@gmail.com></a><br>
>> wrote:<br>
>><br>
>>> Yuri<br>
>>><br>
>>> Thanks.<br>
>>><br>
>>> I amor.gringaus to checkpoint blocking quic.<br>
>>><br>
>>> I can't put CA cert into clients because I don't have
access but I do not<br>
>>> want to bump, just allow almost everything and deny
only a few sites.<br>
>>><br>
>>> I will tell you my result.<br>
>>> On 03/01/2016 06:22, "Yuri Voinov"
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a> wrote:<br>
>>><br>
>>>> Sure,<br>
>>>><br>
>>>> my config is quite different.<br>
>>>><br>
>>>> Also - did you put cache CA cert into clients?
And - did you block QUIC<br>
>>>> in your infrastructure? As described here:<br>
>>>><br>
>>>>
<a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol">http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol</a><br>
>>>> ?<br>
>>>><br>
>>>> 03.01.16 8:28, Alejandro Martinez wrote:<br>
>>>><br>
>>>> Yuri<br>
>>>><br>
>>>> Do you have something different in your config?<br>
>>>><br>
>>>> Thanks<br>
>>>> On 02/01/2016 17:18, "Yuri Voinov"
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a> wrote:<br>
>>>><br>
>>>>><br>
> Don't think so.<br>
><br>
> Google's HTTPS works for me without any alerts in Chrome :)
With<br>
> bump! ;)<br>
><br>
> 03.01.16 2:12, Nir Krakowski wrote:<br>
> > It's called certificate pinning:<br>
> > <a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning">https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning</a><br>
> ><br>
> > Nir.<br>
> ><br>
> > On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
<a class="moz-txt-link-rfc2396E" href="mailto:ajm.martinez@gmail.com"><ajm.martinez@gmail.com></a> wrote:<br>
> ><br>
> >> Hi all,<br>
> >><br>
> >> I'm using squid 3.5.12.<br>
> >><br>
> >> This is my relevant config:<br>
> >><br>
> >> http_port 881<br>
> >> http_port 880 intercept<br>
> >> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH<br>
> >> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB<br>
> >> sslcrtd_children 8 startup=1 idle=1<br>
> >><br>
> >> #### Denied Users<br>
> >> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"<br>
> >> http_access deny equipos_denegados<br>
> >> deny_info DENY equipos_denegados<br>
> >><br>
> >> #### Allowed users<br>
> >> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"<br>
> >> http_access allow equipos_permitidos<br>
> >> ####<br>
> >><br>
> >> #### Denied Sites<br>
> >> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"<br>
> >> http_access deny sitios_denegados<br>
> >> ####<br>
> >><br>
> >> #### Block HTTPS<br>
> >> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"<br>
> >> ssl_bump terminate blockhttps<br>
> >> ssl_bump splice equipos_permitidos<br>
> >> ssl_bump peek all<br>
> >> ssl_bump splice all<br>
> >> ####<br>
> >><br>
> >> sslproxy_cert_error allow all<br>
> >> sslproxy_flags DONT_VERIFY_PEER<br>
> >> sslproxy_options NO_SSLv3:NO_SSLv2<br>
> >><br>
> >><br>
> >> Basically I'm using squid to allow everything and deny some users (hosts)<br>
> >> and some sites (http and https).<br>
> >><br>
> >> If I use IE or Firefox (Win/Lin), everything works great, if I access a<br>
> >> site via HTTP the user sees a message and if he accesses via HTTPS the<br>
> >> connection is terminated and there is an error on the browser.<br>
> >><br>
> >> But, if I access any google site using chrome (windows / linux) the sites<br>
> >> are getting bumped (google.com, google.com.X youtube.com, etc)<br>
> >><br>
> >> The browser complains with a "Your connection is not private" and the<br>
> >> certificate is my own certificate.<br>
> >><br>
> >> I'm missing something ?<br>
> >><br>
> >> I only want to splice everything.<br>
> >><br>
> >> Thanks<br>
> >><br>
> >> _______________________________________________<br>
> >> squid-users mailing list<br>
> >> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> >> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>><br>
></span><br>
<br>
<br>
</body>
</html>