<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 3, 2016 at 9:59 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On 4/04/2016 4:18 p.m., Jok Thuau wrote:<br>
> I'm attempting to build a transparent proxy (policy based routing on<br>
> firewall to squid proxy) with the following behavior:<br>
><br>
> 1) proxies http traffic for a given set of domains, provide an message<br>
> otherwise such "domain not allowed" or similar<br>
> 2) proxies https traffic for a given set of domains (ideally, splicing<br>
> those, so as not to break HSTS, if enabled), otherwise provide an error<br>
> message (bumping and providing "domain not allowed")<br>
><br>
> I'm attempting this with a 3.5.15 compiled with icap (not yet used) and<br>
> ssl-bumping.<br>
><br>
> Part 1 seems easy enough (and is well documented)...<br>
><br>
> acl whitelist dstdomain .domain1.tld<br>
> acl whitelist dstdomain .domain2.tld<br>
><br>
> acl http_ok all-of whitelist !SSL_ports<br>
><br>
> http_access allow http_ok<br>
> http_access deny all<br>
<br>
</span>This is denying the HTTPS traffic CONNECT requests (synthesized by<br>
Squid), since they only have IP address no domain name.<br></blockquote><div><br></div><div>yes, this is where I started with just http. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span><br>
<br>
><br>
> Moving onto Part 2 (the peek and splice setup) appears to be the topic of a<br>
> few discussions out there...<br>
><br>
> acl sni_whitelist ssl::server_name .domain1.tld<br>
> acl sni_whitelist ssl::server_name .domain2.tld<br>
><br>
> ssl_bump peek step1<br>
<br>
</span>You have omitted the definition of step1 ACL.<br>
<span><br></span></blockquote><div><br></div><div>the definition of "step1" is the same as the one on the wiki (See full config below)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
> ssl_bump splice sni_whitelist<br>
> ssl_bump bump all<br>
><br>
> It appears however that when combining the two, the generated<br>
> certificate(s), instead of mimic'ing the original server's certificate<br>
> comes out with the CN=<IP> where <IP> is the ip used by the "connect" part<br>
> of the connection. In addition, it appears that only the first entry ever<br>
> matches (at this point, i've tried so many combinations, i'm no longer<br>
> certain of anything).<br>
<br>
</span>You have omitted the http(s)_port configuration details, and the step1<br>
ACL. So its not possible to say if you have the cert generation settings<br>
wrong, or if the peeking step is matching wrong, or something else.<br>
<span><br></span></blockquote><div><br></div><div>That's included in the config below.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
><br>
> If i remove *all* the http_access lines, then the behavior appears correct<br>
> (from a "splicing/bumping" standpoint).<br>
><br>
<br>
</span>Strange. Squid without any http_access lines should be denying traffic 100%.<br>
<span><br></span></blockquote><div><br></div><div>I do not see this behavior. Traffic appears to be allowed, and bumped (though with the wrong certificate, depending on the config, as explained before). </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
> Can anyone confirm that this is indeed possible to achieve?<br>
><br>
> I believe, based on experimentation that any http_access i have, because of<br>
> the "deny all" cause the bumping to "short circuit" and effectively send an<br>
> early "access denied" based on the only information it has (the ip address<br>
> from the "connect", rather than the SNI that would come later).<br>
><br>
> Would a setup where "deny http+!whitelist" so have the allow be the default<br>
> allow for the bumping to work and get to step2 and match the sni* acls<br>
> somehow? (with a "deny step2 !sni_whitelist").<br>
><br>
> Is 3.5.15 capable of doing this? If this requires some feature/effort, what<br>
> would be the procedure to sponsor that work?<br>
<br>
</span>It is not possible to answer any of those questsions properly without<br>
full config details. You have omitted a lot.<br></blockquote><div><br></div><div>my apologies for trying to show only the relevant parts. Find below the current config. </div><div>It appears to be bumping everything rather than splicing any of the config (which may be due to the limitations documented on the wiki)</div><div><br></div>acl Safe_ports port 80 # http<br>acl Safe_ports port 443 # https<br>acl SSL_ports port 443<br>acl CONNECT method CONNECT<br>http_port 3129 intercept<br>https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB \<br> cert=/etc/squid/ssl/proxy.pem \<br> key=/etc/squid/ssl/proxy.key \<br> cafile=/etc/squid/ssl/proxy.pem<br>always_direct allow all<br><div>acl step1 at_step SslBump1<br>acl step2 at_step SslBump2<br>acl step3 at_step SslBump3<br>acl SniBypass ssl::server_name_regex \.slashdot\.org <br>acl SniBypass ssl::server_name_regex \.fsdn\.com<br>acl http_bypass dstdomain .<a href="http://slashdot.org" target="_blank">slashdot.org</a><br>acl http_bypass dstdomain .<a href="http://fsdn.com" target="_blank">fsdn.com</a><br>acl https_bypass all-of CONNECT SniBypass<br>acl http_ok all-of http_bypass Safe_ports<br>ssl_bump peek step1<br>ssl_bump splice SniBypass step2<br>ssl_bump bump all<br>sslproxy_cert_sign_hash sha256<br>sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE<br>always_direct allow all<br>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>sslcrtd_children 8 startup=1 idle=1<br>http_access allow http_ok<br>http_access allow CONNECT<br>no_cache allow all<br>cache deny all<br></div><div>shutdown_lifetime 3 seconds </div></div></div></div>