<div dir="ltr">Hi<div><br></div><div>Below is my squid configuration </div><div><div><br class="">Squid : 3.5.13</div><div>OS ubuntu 14.04</div></div><div><br></div><div><br></div><div><div>http_port 3128</div><div>http_port 3127 intercept</div><div>https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH</div><div><br></div><div>always_direct allow all</div><div>sslproxy_cert_error allow all</div><div>sslproxy_flags DONT_VERIFY_PEER</div><div>acl blocked ssl::server_name "/etc/squid/blocked_https.txt"</div><div>acl step1 at_step SslBump1</div><div>ssl_bump peek step1</div><div>ssl_bump terminate blocked</div><div>ssl_bump splice all</div><div>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB</div><div>sslcrtd_children 16 startup=1 idle=1</div><div>sslproxy_capath /etc/ssl/certs</div><div>sslproxy_cert_error allow all</div><div>ssl_unclean_shutdown on</div></div><div><br></div><div>I want to block <a href="http://facebook.com">facebook.com</a> so I have added url in .txt file.</div><div><br></div><div>Its not blocking anything.</div><div><br></div><div>Please let me know what I have to change in this configuration</div><div><br></div><div>I getting below logs in squid</div><div><br></div><div><br></div><div><div>1463478160.585 551 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478160.585 550 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478161.147 562 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478161.147 561 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478163.982 553 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478163.982 552 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478163.994 565 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478163.994 564 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://106.10.137.175:443">106.10.137.175:443</a> - HIER_NONE/- -</div><div>1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT <a href="http://geo.query.yahoo.com:443">geo.query.yahoo.com:443</a> - ORIGINAL_DST/<a href="http://106.10.137.175">106.10.137.175</a> -</div><div><br></div><div><br></div><div>1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET <a href="http://www.gstatic.com/generate_204">http://www.gstatic.com/generate_204</a> - ORIGINAL_DST/<a href="http://216.58.199.163">216.58.199.163</a> -</div><div>1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://74.125.200.239:443">74.125.200.239:443</a> - HIER_NONE/- -</div><div>1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT <a href="http://translate.googleapis.com:443">translate.googleapis.com:443</a> - ORIGINAL_DST/<a href="http://74.125.200.239">74.125.200.239</a> -</div><div>1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://216.58.199.142:443">216.58.199.142:443</a> - HIER_NONE/- -</div><div>1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT <a href="http://clients4.google.com:443">clients4.google.com:443</a> - ORIGINAL_DST/<a href="http://216.58.199.142">216.58.199.142</a> -</div><div>1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://31.13.79.246:443">31.13.79.246:443</a> - HIER_NONE/- -</div><div>1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT <a href="http://graph.facebook.com:443">graph.facebook.com:443</a> - ORIGINAL_DST/<a href="http://31.13.79.246">31.13.79.246</a> -</div><div>1463478224.432 33 192.168.0.66 TCP_MISS/204 233 GET <a href="http://www.gstatic.com/generate_204">http://www.gstatic.com/generate_204</a> - ORIGINAL_DST/<a href="http://216.58.199.131">216.58.199.131</a> -</div><div>1463478231.727 555 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478231.727 555 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478232.311 572 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://107.170.47.181:443">107.170.47.181:443</a> - HIER_NONE/- -</div><div>1463478232.311 571 192.168.0.66 TAG_NONE/503 0 CONNECT <a href="http://freevideodownloader.co:443">freevideodownloader.co:443</a> - HIER_NONE/- -</div><div>1463478246.369 13073 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://74.125.200.189:443">74.125.200.189:443</a> - HIER_NONE/- -</div><div>1463478246.369 13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT <a href="http://0.client-channel.google.com:443">0.client-channel.google.com:443</a> - ORIGINAL_DST/<a href="http://74.125.200.189">74.125.200.189</a> -</div><div>1463478246.369 13806 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://216.58.199.142:443">216.58.199.142:443</a> - HIER_NONE/- -</div><div>1463478246.369 13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT <a href="http://clients5.google.com:443">clients5.google.com:443</a> - ORIGINAL_DST/<a href="http://216.58.199.142">216.58.199.142</a> -</div><div>1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT <a href="http://106.10.199.11:443">106.10.199.11:443</a> - HIER_NONE/- -</div><div>1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT <a href="http://geo.yahoo.com:443">geo.yahoo.com:443</a> - ORIGINAL_DST/<a href="http://106.10.199.11">106.10.199.11</a> -</div><div>1463478327.555 41 192.168.0.66 TCP_MISS/200 2323 GET <a href="http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data">http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data</a> - ORIGINAL_DST/<a href="http://216.58.220.3">216.58.220.3</a> text/html</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 13/05/2016 5:58 p.m., Reet Vyas wrote:<br>
> Hi Amos/Yuri,<br>
><br>
> Currently my squid is configured with ssl bump, now I want to use peek and<br>
> splice. I read in some forum that we don't need to install certificate on<br>
> client's machine.<br>
><br>
<br>
</span>Splice does not require it. But what you want to do with Squid may<br>
prevent splice being used. So "it depends" ...<br>
<span class=""><br>
<br>
> As I have already asked before in mailing list to install SSL certificate<br>
> on Android devices, which is not working.<br>
><br>
> So my question is If I want to use peek and splice for example I want https<br>
> filtering for<br>
<br>
</span> ... on how you define "filter".<br>
<br>
> proxy websites<br>
<br>
Not sure what you mean by that term.<br>
<span class=""><br>
> and I dont want ssl for bank websites and<br>
> facebook youtube and gmail. how will it work? Do i need to install SSL<br>
> certifcate on client or not, I am bit confused with peek and splice thing.<br>
<br>
</span>When you intercept port 443 normally only the raw-IP is available from<br>
TCP. Peek allows Squid to get the server name the client was trying to<br>
connect to out of the TLS. So that Squid can handle the intercepted<br>
connection as if it had received a CONNECT message (which usually have<br>
server/domain names).<br>
<br>
Splicing can be thought of as handling a intercepted port 443 connection<br>
as if it were a CONNECT message, with no decryption. It is treated as a<br>
single "thing", with some limited control possibilities.<br>
<br>
<br>
So...<br>
<br>
In order to bump (decrypt) some traffic and splice (not decrypt) other<br>
traffic you need to have a way to decide which type is being dealt with.<br>
That is the peek or stare actions - to get data out of the TLS handshake<br>
for you to use in ACL decisions.<br>
<br>
You might now want to re-read the SslPeekAndSplice documentation again<br>
to see if you understand it better. I skipped a lot of important details<br>
to make the description clear.<br>
<span class=""><br>
<br>
><br>
> Please let me know is that possible to configure squid 3.5.19 in such a way<br>
> so that it will bump only proxy websites not FB youtube etc.<br>
><br>
<br>
</span>Ah. So what are these "proxy websites" you speak of ?<br>
<br>
One thing you need to be clear about is that once the TCP packets enter<br>
Squid they *have* to be "proxied". There is no way to undo TCP accept()<br>
and read() operations. But there are many ways of handling them that<br>
Squid can do.<br>
<br>
PS. you could post your existing config so we can suggest alterations to<br>
it that will lead to it doing your new policy. That can be another way<br>
to learn how the relevant-to-you part of the features work without<br>
diving into the full complexity of what *might* be doable.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>