<div dir="ltr">Many thanks, ASAP i will try.<br><div><br></div><div>V</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-03-21 20:01 GMT+01:00 Jason Haar <span dir="ltr"><<a href="mailto:jason_haar@trimble.com" target="_blank">jason_haar@trimble.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It's really not much more than what I first posted (I can't send my config - it's pretty specific to our site - you'll have to figure out the standard stuff yourself)<div><br></div><div>So this will make a squid-3.5 server capable of doing "transparent HTTPS" without any fiddling with the transactions. Of course it assumes you already know how to redirect port 443 traffic onto your proxy, and know how to reconfigure the OS to support that too (ie same as transparent HTTP on port 80)<br><div><br></div><div><span class=""><div>acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"</div><div>http_access deny BlacklistedHTTPSsites</div></span><div>https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL</div><span class=""><div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB</div><div>sslcrtd_children 32 startup=15 idle=5</div><div>acl SSL_https port 443</div><div>ssl_bump splice SSL_https</div></span></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <span dir="ltr"><<a href="mailto:vitoantonio.smaldino@istruzione.it" target="_blank">vitoantonio.smaldino@istruzione.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi all,<div>great, i'm just searching for this. Jason can you kindly post the whole squid.conf?</div><div>Thanks</div><div>V</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>2016-03-20 22:29 GMT+01:00 Jason Haar <span dir="ltr"><<a href="mailto:jason_haar@trimble.com" target="_blank">jason_haar@trimble.com</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hi there<div><br></div><div>I'm wanting to use tls intercept to just log (well OK, and potentially block) HTTPS sites based on hostnames (from SNI), but have had problems even in peek-and-splice mode. So I'm willing to compromise and instead just intercept that traffic, log it, block on IP addresses if need be, and don't use ssl-bump beyond that.</div><div><br></div><div>So far the following seems to work perfectly, can someone confirm this is "supported" - ie that I'm not relying on some bug that might get fixed later? ;-)</div><div><br></div><div><div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB</div><div>sslcrtd_children 32 startup=15 idle=5</div><div>acl SSL_https port 443</div><div>ssl_bump splice SSL_https</div><div>acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"</div><div>http_access deny BlacklistedHTTPSsites</div><div><br></div><div>The "bug" comment comes down to how acl seems to work. I half-expected the above not to work - but it does. It would appear squid will treat an intercept's dst IP as the "dns name" as that's all it's got - so "dstdomain" works fine for both CONNECT and intercept IFF the acl contains IP addresses</div><div><br></div><div>I was hoping I wouldn't need ssl-bump at all, but you need squid to be running a https_port, and for it to support "intercept", and to do that squid insists on "ssl-bump" too - although that seems likely was a programmer assumption that didn't include people like me doing mad things like this? :-). I'd also guess I don't need 32 children/etc - 1 would suffice as it's never used?</div><div><br></div><div>So the end result is that all CONNECT and/or intercept SSL/TLS traffic is supported via the proxy, with all TLS security decisions residing on the client. I get my logs, and if I want to block some known bad IP address, I can: CONNECT causes a 403 HTTP error page and intercept basically ditches the tcp/443 connection - which is as good as it gets without getting into the wonderful world of real "bump"</div><span><font color="#888888"><div><br></div>-- <br><div><div dir="ltr"><div>Cheers</div><div><br></div><div>Jason Haar</div><div>Information Security Manager, Trimble Navigation Ltd.</div><div>Phone: <a href="tel:%2B1%20408%20481%208171" value="+14084818171" target="_blank">+1 408 481 8171</a></div><div>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1</div></div></div>
</font></span></div></div>
<br></div></div><span>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
</span><a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users<span><font color="#888888"><br clear="all"><div><br></div>-- <br><div>Vito A. Smaldino<br></div>
<br></font></span></a></blockquote></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div>Cheers</div><div><br></div><div>Jason Haar</div><div>Information Security Manager, Trimble Navigation Ltd.</div><div>Phone: <a href="tel:%2B1%20408%20481%208171" value="+14084818171" target="_blank">+1 408 481 8171</a></div><div>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1</div></div></div>
</div>
</div></div><br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users<br clear="all"><div><br></div>-- <br><div class="gmail_signature">Vito A. Smaldino<br></div>
<br></a></blockquote></div>
</div>