<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Rounded MT Bold";
panose-1:2 15 7 4 3 5 4 3 2 4;}
@font-face
{font-family:Times;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>Hey Ahmad,</p>
<p class=MsoNormal> </p>
<p class=MsoNormal>Since these apps are having issues, it means that either squid or they are broken, or … both.</p>
<p class=MsoNormal>The basic issue is that on one side you want to intercept, while you don't want to break the passing traffic.</p>
<p class=MsoNormal>Squid's task is to work with every piece of the OS and the traffic, including parsing and "understanding" the passing traffic.</p>
<p class=MsoNormal>The issue is that currently (3.5) squid doesn't have any way not to break HTTPS once it has been intercepted and unwrapped.</p>
<p class=MsoNormal>The deeper issue is that many applications use HTTP+HTTPS in a way that needs a couple of twists and causes security complications.</p>
<p class=MsoNormal>It would be kind of "simple" to resolve the issue by bypassing squid's SSL unwrapping.</p>
<p class=MsoNormal>If you don't care about security and you care more about caching what is possible and not caching "everything", this is the right solution.</p>
<p class=MsoNormal>It is possible to use a technique which will collect information about whether the destination HOST is a valid HTTPS service before splicing, but...</p>
<p class=MsoNormal>It has its own overheads, but if you care less about caching and more about the service then it's the right solution.</p>
<p class=MsoNormal>Just to illustrate, an ACL and filtering proxy will be pretty "simple" compared to one with caching overheads, since all the resources would be dedicated to the actual decision part of the service rather than the disk IO and cached-object DB lookups.</p>
<p class=MsoNormal> </p>
<p class=MsoNormal>From what I remember, squid 4 is supposed to have a basic option that will differentiate between STANDARD https and other protocols.</p>
<p class=MsoNormal>I have not tested it yet, but I am still processing 4 ideas in general.</p>
<p class=MsoNormal> </p>
<p class=MsoNormal>Eliezer</p>
<p class=MsoNormal> </p>
<div>
<p class=MsoNormal>----</p>
<p class=MsoNormal><a href="http://ngtech.co.il/lmgtfy/">Eliezer Croitoru</a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il</p>
</div>
<p class=MsoNormal> </p>
<div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b>From:</b> squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <b>On Behalf Of </b>--Ahmad--<br><b>Sent:</b> Tuesday, June 21, 2016 12:43 AM<br><b>To:</b> Squid Users<br><b>Subject:</b> [squid-users] Squid Peek/Splice some issues</p>
</div></div>
<p class=MsoNormal> </p>
<p class=MsoNormal>Hi,</p>
<p class=MsoNormal>I have squid that is working on 3.5.</p>
<p class=MsoNormal>Port 80 and 443 traffic goes to Squid via IPTables.</p>
<p class=MsoNormal>Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic, and PKI has been set up and distributed to all clients.</p>
<p class=MsoNormal>We have a problem with Skype for Business (Office 365) and Slack (chat app); they seem to be broken by squid intercept.</p>
<p class=MsoNormal>Current versions we have:</p>
<ul>
<li>Squid 3.5.19</li>
<li>C-ICAP 0.4.2</li>
<li>SquidclamAV 6.15</li>
<li>ClamAV 0.99.2</li>
</ul>
<p class=MsoNormal>=====================</p>
<p class=MsoNormal>Here is squid.conf:</p>
<pre>
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager

# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept

coredump_dir /var/cache/squid

visible_hostname test1

cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log

cache_effective_user squid
cache_effective_group squid

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

acl test-header dstdomain	test.com
request_header_add X-TEST-GUID TEST test-header

#Custom Error Pages
error_directory /opt/www/squid

# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1
</pre>
<p class=MsoNormal>=======================================================</p>
<p class=MsoNormal> </p>
<p class=MsoNormal><b>I think the best is to set up ACLs to bypass the interception for these applications like Skype for Business (Office 365) and Slack (chat app).</b></p>
<p class=MsoNormal> </p>
<p class=MsoNormal><b>Thank you.</b></p>
</div></body></html>
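Added example (not from either message in this thread): the `ssl_bump` section of the quoted squid.conf rewritten as a Squid 3.5 peek-and-splice ruleset, which is the ACL-based bypass Ahmad asks for. It keeps the poster's `https_port 3129` and `sslcrtd_*` lines unchanged and replaces `ssl_bump server-first all` with staged rules: peek at the client's TLS ClientHello to learn the SNI, splice (tunnel without decryption) the exempt destinations, and stare/bump everything else so the remaining traffic is still decrypted, scanned and re-signed as before. The `nobump` domain list is an assumed placeholder; the two entries are illustrative only and must be replaced with the vendors' published endpoint domains.

```squid
# Added example for Squid 3.5: peek-and-splice instead of "ssl_bump server-first all".
# Listening port and certificate helper taken unchanged from the quoted squid.conf.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

# SslBump steps: SslBump1 = TCP connection accepted, ClientHello not yet read;
# SslBump2 = ClientHello read (SNI known), server not yet contacted;
# SslBump3 = server handshake done (server certificate known).
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Destinations whose TLS must pass through untouched.
# ssl::server_name matches the SNI taken from the ClientHello at step 2.
# PLACEHOLDER LIST (assumption): fill in from the vendors' documented endpoint domains.
acl nobump ssl::server_name .slack.com
acl nobump ssl::server_name .lync.com

# Step 1: read the ClientHello. Peeking keeps both splicing and bumping possible.
ssl_bump peek step1

# Step 2: exempt SNI -> splice. Squid becomes a plain TCP tunnel: the client
# validates the real server certificate itself, and the ICAP/ClamAV scan
# configured above does not see these flows.
ssl_bump splice nobump step2

# Step 2, everything else: stare at the server certificate so Squid can still
# mimic it, then bump at step 3. This is the same end result "server-first" gave.
ssl_bump stare step2
ssl_bump bump all
```

Check the file with `squid -k parse` before `squid -k reconfigure`. Two points a practitioner should keep in mind: the exemption keys on the client-supplied SNI, and Squid 3.5 has no built-in way to confirm before splicing that the name really belongs to a standard HTTPS server, which is the limitation Eliezer describes; and every spliced flow is invisible to the C-ICAP/ClamAV scan, so the list should stay as short as the applications require and be logged (`access_log` records spliced tunnels as CONNECT entries) so the bypass remains auditable.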