<div dir="ltr">I forgot to mention, I am using squid 3.5.19</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <span dir="ltr"><<a href="mailto:stan.prescott@gmail.com" target="_blank">stan.prescott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">When I enter .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a> in<div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><i>acl tls_s1_connect at_step SslBump1</i></div><div><i>acl tls_s2_client_hello at_step SslBump2</i></div><div><i>acl tls_s3_server_hello at_step SslBump3</i></div><div><i><br></i></div><div><i>acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n</i></div><div><i>acl tls_allowed_hsts ssl::server_name .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></i></div><div><i>acl tls_server_is_bank ssl::server_name .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></i></div><div><i>acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank</i></div><div><i><br></i></div><div><i>ssl_bump peek tls_s1_connect all</i></div><div><i>ssl_bump splice tls_s2_client_hello tls_to_splice</i></div><div><i>ssl_bump stare tls_s2_client_hello all</i></div><div><i>ssl_bump bump tls_s3_server_hello all</i></div></div></blockquote><br></div><div>it appears that the banking site is still getting bumped i.e.like in this access.log snippet</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><div><i>1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://54.149.224.177:443" target="_blank">54.149.224.177:443</a> - ORIGINAL_DST/<a href="http://54.149.224.177" target="_blank">54.149.224.177</a> -</i></div><div><i>1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST <a 
href="https://tiles.services.mozilla.com/v2/links/view" target="_blank">https://tiles.services.mozilla.com/v2/links/view</a> - ORIGINAL_DST/<a href="http://54.149.224.177" target="_blank">54.149.224.177</a> application/json</i></div><div><i>1467156893.774 75 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156893.847 117 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156893.875 120 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443" target="_blank">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75" target="_blank">172.230.221.75</a> -</i></div><div><i>1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443" target="_blank">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75" target="_blank">172.230.221.75</a> -</i></div><div><i>1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443" target="_blank">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75" target="_blank">172.230.221.75</a> -</i></div><div><i>1467156893.875 112 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" 
target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156894.109 306 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156894.109 308 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443" target="_blank">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185" target="_blank">172.230.102.185</a> -</i></div><div><i>1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://216.58.194.98:443" target="_blank">216.58.194.98:443</a> - ORIGINAL_DST/<a href="http://216.58.194.98" target="_blank">216.58.194.98</a> -</i></div><div><i>1467156895.513 98 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://216.58.194.70:443" target="_blank">216.58.194.70:443</a> - ORIGINAL_DST/<a href="http://216.58.194.70" target="_blank">216.58.194.70</a> -</i></div><div><i>1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET <a href="https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=" target="_blank">https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=</a> - ORIGINAL_DST/<a href="http://216.58.194.98" target="_blank">216.58.194.98</a> 
image/gif</i></div><div><i>1467156895.664 82 10.40.40.100 TCP_MISS/200 649 GET <a href="https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808" target="_blank">https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808</a>? - ORIGINAL_DST/<a href="http://216.58.194.70" target="_blank">216.58.194.70</a> image/gif</i></div><div><i>1467156895.920 250 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://24.155.92.60:443" target="_blank">24.155.92.60:443</a> - ORIGINAL_DST/<a href="http://24.155.92.60" target="_blank">24.155.92.60</a> -</i></div><div><i>1467156896.061 79 10.40.40.100 TCP_MISS/200 503 GET <a href="https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630" target="_blank">https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630</a> - ORIGINAL_DST/<a href="http://24.155.92.60" target="_blank">24.155.92.60</a> image/gif</i></div><div><i>1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443" target="_blank">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443" target="_blank">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156" target="_blank">159.45.66.156</a> -</i></div><div><i>1467156899.837 5679 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443" target="_blank">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443" target="_blank">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156" target="_blank">159.45.66.156</a> -</i></div><div><i>1467156899.838 5680 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443" 
target="_blank">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.838 5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443" target="_blank">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156" target="_blank">159.45.66.156</a> -</i></div><div><i>1467156900.836 5421 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.170.145:443" target="_blank">159.45.170.145:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT <a href="http://www.wellsfargo.com:443" target="_blank">www.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.170.145" target="_blank">159.45.170.145</a> -</i></div><div><i>1467156900.837 5423 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.2.142:443" target="_blank">159.45.2.142:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.837 5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT <a href="http://static.wellsfargo.com:443" target="_blank">static.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.2.142" target="_blank">159.45.2.142</a> -</i></div><div><i>1467156900.838 5423 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.170.145:443" target="_blank">159.45.170.145:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.838 5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT <a href="http://www.wellsfargo.com:443" target="_blank">www.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.170.145" target="_blank">159.45.170.145</a> -</i></div></div></div><div><br></div></blockquote></div><div>If I disable sslbumping then the bank site does not get bumped, of course.</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET <a href="http://wellsfargo.com/" target="_blank">http://wellsfargo.com/</a> - ORIGINAL_DST/<a href="http://159.45.66.143" target="_blank">159.45.66.143</a> 
-</div></div><div><br></div></blockquote>Here is my squid.conf with bumping enabled.</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>visible_hostname smoothwall</div><div><br></div><div># Uncomment the following to send debug info to /var/log/squid/cache.log</div><div>#debug_options ALL,1 33,2 28,9</div><div><br></div><div># ACCESS CONTROLS</div><div># ----------------------------------------------------------------</div><div>acl localhostgreen src 10.40.40.1</div><div>acl localnetgreen src <a href="http://10.40.40.0/24" target="_blank">10.40.40.0/24</a></div><div>acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"</div><div><br></div><div>acl SSL_ports port 445 443 441 563</div><div>acl Safe_ports port 80 <span style="white-space:pre-wrap"> </span> <span style="white-space:pre-wrap"> </span># http</div><div>acl Safe_ports port 81 <span style="white-space:pre-wrap"> </span> <span style="white-space:pre-wrap"> </span># smoothwall http</div><div>acl Safe_ports port 21 <span style="white-space:pre-wrap"> </span> <span style="white-space:pre-wrap"> </span># ftp </div><div>acl Safe_ports port 445 443 441 563<span style="white-space:pre-wrap"> </span># https, snews</div><div>acl Safe_ports port 70 <span style="white-space:pre-wrap"> </span># gopher</div><div>acl Safe_ports port 210 <span style="white-space:pre-wrap"> </span> <span style="white-space:pre-wrap"> </span># wais </div><div>acl Safe_ports port 1025-65535<span style="white-space:pre-wrap"> </span># unregistered ports</div><div>acl Safe_ports port 280 <span style="white-space:pre-wrap"> </span># http-mgmt</div><div>acl Safe_ports port 488 <span style="white-space:pre-wrap"> </span># gss-http </div><div>acl Safe_ports port 591 <span style="white-space:pre-wrap"> </span># filemaker</div><div>acl Safe_ports port 777 <span style="white-space:pre-wrap"> </span># multiling http</div><div><br></div><div>acl CONNECT method 
CONNECT</div><div><br></div><div># TAG: http_access</div><div># ----------------------------------------------------------------</div><div><br></div><div>http_access allow SWE_subnets</div><div><br></div><div><br></div><div>http_access allow localhost</div><div>http_access deny !Safe_ports</div><div>http_access deny CONNECT !SSL_ports</div><div><br></div><div>http_access allow localnetgreen</div><div>http_access allow CONNECT localnetgreen</div><div><br></div><div>http_access allow localhostgreen</div><div>http_access allow CONNECT localhostgreen</div><div><br></div><div># http_port and https_port</div><div>#----------------------------------------------------------------------------</div><div><br></div><div># For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.</div><div>#----------------------------------------------------------------------------</div><div>http_port 3127</div><div><br></div><div>http_port <a href="http://10.40.40.1:800" target="_blank">10.40.40.1:800</a> intercept</div><div>https_port <a href="http://10.40.40.1:808" target="_blank">10.40.40.1:808</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem</div><div><br></div><div><br></div><div>http_port <a href="http://127.0.0.1:800" target="_blank">127.0.0.1:800</a> intercept</div><div><br></div><div>sslproxy_session_cache_size 4 MB</div><div><br></div><div>ssl_bump none localhostgreen</div><div><br></div><div>sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression</div><div>sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL</div><div><br></div><div>acl tls_s1_connect at_step SslBump1</div><div>acl tls_s2_client_hello at_step SslBump2</div><div>acl tls_s3_server_hello at_step 
SslBump3</div><div><br></div><div>acl tls_allowed_hsts ssl::server_name .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a></div><div>acl tls_server_is_bank ssl::server_name .<a href="http://wellsfargo.com" target="_blank">wellsfargo.com</a></div><div>acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank</div><div><br></div><div>ssl_bump peek tls_s1_connect all</div><div>ssl_bump splice tls_s2_client_hello tls_to_splice</div><div>ssl_bump stare tls_s2_client_hello all</div><div>ssl_bump bump tls_s3_server_hello all</div><div><br></div><div>sslproxy_cert_error deny all</div><div>sslproxy_flags DONT_VERIFY_PEER</div><div>sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB</div><div>sslcrtd_children 5</div><div><br></div><div>http_access deny all</div><div><br></div><div>cache_replacement_policy heap GDSF</div><div>memory_replacement_policy heap GDSF</div><div><br></div><div># CACHE OPTIONS</div><div># ----------------------------------------------------------------------------</div><div>cache_effective_user squid</div><div>cache_effective_group squid</div><div><br></div><div>cache_swap_high 100</div><div>cache_swap_low 80</div><div><br></div><div>cache_access_log stdio:/var/log/squid/access.log</div><div>cache_log /var/log/squid/cache.log</div><div>cache_mem 64 MB</div><div><br></div><div>cache_dir aufs /var/spool/squid/cache 1024 16 256</div><div><br></div><div>maximum_object_size 33 MB</div><div><br></div><div>minimum_object_size 0 KB</div><div><br></div><div><br></div><div>request_body_max_size 0 KB</div><div><br></div><div># OTHER OPTIONS</div><div># ----------------------------------------------------------------------------</div><div>#via off</div><div>forwarded_for off</div><div><br></div><div>pid_filename /var/run/squid.pid</div><div><br></div><div>shutdown_lifetime 10 seconds</div><div>#icp_port 3130</div><div><br></div><div>half_closed_clients off</div><div><br></div><div>umask 
022</div><div><br></div><div>logfile_rotate 0</div><div><br></div><div>strip_query_terms off</div><div><br></div></div></blockquote></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>On 29/06/2016 2:02 a.m., Stanford Prescott wrote:<br>
> I have the proper peek and splice and bump configuration of acls setup in<br>
> my squid.conf file for no-bump of some web sites. I need help how to enter<br>
> the banking hosts and or server names in a way that the peek and splice<br>
> configuration will determine it is a banking site that I don't want bumped.<br>
><br>
> For example, if a user enters <a href="http://www.wellsfargo.com" rel="noreferrer" target="_blank">www.wellsfargo.com</a> for online banking my<br>
> current config still bumps <a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a>. What would I need to enter for<br>
> <a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a> so that banking server will not be bumped?<br>
><br>
<br>
</div></div>Depends on what you mean by "enter".<br>
<br>
Are you asking for the ACL value?<br>
.<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
<br>
Are you asking for the ACL definition?<br>
acl banks ssl::server_name .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
<br>
Or are you asking for a whole SSL-Bump configuration example?<br>
<<a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a>> has a few.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
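The thread reads splice-versus-bump outcomes out of access.log by eye; the following is an added example (not code from the thread or from Squid) that parses Squid's native log format and reports, per server IP and per ssl::server_name pattern, whether sessions were spliced (a TCP_TUNNEL CONNECT to the SNI host) or bumped (decrypted https:// requests logged behind the TAG_NONE CONNECT). The sample lines are constructed from entries quoted above, and the ACL helper assumes dstdomain-style suffix matching for a leading dot.

```python
import re
from collections import defaultdict

# Squid native access.log: timestamp elapsed client tag/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample modelled on entries quoted in the thread (not the full log).
SAMPLE_LOG = """\
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
"""

def classify(log_text):
    """Map server IP -> {'spliced': {SNI hosts}, 'bumped': {request hosts}}.
    A spliced session leaves only a TCP_TUNNEL CONNECT to the SNI host; a bumped one
    is decrypted, so its https:// requests appear behind the TAG_NONE CONNECT."""
    out = defaultdict(lambda: {"spliced": set(), "bumped": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or differently formatted line: skip it
        e = m.groupdict()
        if e["method"] == "CONNECT" and e["tag"] == "TCP_TUNNEL":
            out[e["peer"]]["spliced"].add(e["url"].rsplit(":", 1)[0])  # strip :443
        elif e["url"].startswith("https://"):
            out[e["peer"]]["bumped"].add(e["url"].split("/", 3)[2])  # host part
    return dict(out)

def ssl_server_name_match(pattern, host):
    """dstdomain-style matching as used by ssl::server_name: a leading dot covers
    the domain itself and every subdomain; otherwise the name must match exactly."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def verdict(pattern, summary):
    """'spliced', 'bumped', 'mixed' or 'not seen' for hosts matching an ACL pattern."""
    kinds = {k for info in summary.values() for k in ("spliced", "bumped")
             if any(ssl_server_name_match(pattern, h) for h in info[k])}
    if not kinds:
        return "not seen"
    return "mixed" if len(kinds) == 2 else kinds.pop()

if __name__ == "__main__":
    s = classify(SAMPLE_LOG)
    print(s, "->", verdict(".wellsfargo.com", s))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a "mixed" verdict for a pattern means some sessions to that domain were spliced and others decrypted, which is the first thing to check when an ssl_bump rule does not behave as intended.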