<div dir="ltr">When I enter .<a href="http://wellsfargo.com">wellsfargo.com</a> in<div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><i>acl tls_s1_connect at_step SslBump1</i></div><div><i>acl tls_s2_client_hello at_step SslBump2</i></div><div><i>acl tls_s3_server_hello at_step SslBump3</i></div><div><i><br></i></div><div><i>acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n</i></div><div><i>acl tls_allowed_hsts ssl::server_name .<a href="http://akamaihd.net">akamaihd.net</a></i></div><div><i>acl tls_server_is_bank ssl::server_name .<a href="http://wellsfargo.com">wellsfargo.com</a></i></div><div><i>acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank</i></div><div><i><br></i></div><div><i>ssl_bump peek tls_s1_connect all</i></div><div><i>ssl_bump splice tls_s2_client_hello tls_to_splice</i></div><div><i>ssl_bump stare tls_s2_client_hello all</i></div><div><i>ssl_bump bump tls_s3_server_hello all</i></div></div></blockquote><br></div><div>it appears that the banking site is still getting bumped, i.e. like in this access.log snippet</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><div><i>1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://54.149.224.177:443">54.149.224.177:443</a> - ORIGINAL_DST/<a href="http://54.149.224.177">54.149.224.177</a> -</i></div><div><i>1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST <a href="https://tiles.services.mozilla.com/v2/links/view">https://tiles.services.mozilla.com/v2/links/view</a> - ORIGINAL_DST/<a href="http://54.149.224.177">54.149.224.177</a> application/json</i></div><div><i>1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT <a 
href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75">172.230.221.75</a> -</i></div><div><i>1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75">172.230.221.75</a> -</i></div><div><i>1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.221.75:443">172.230.221.75:443</a> - ORIGINAL_DST/<a href="http://172.230.221.75">172.230.221.75</a> -</i></div><div><i>1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> 
-</i></div><div><i>1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://172.230.102.185:443">172.230.102.185:443</a> - ORIGINAL_DST/<a href="http://172.230.102.185">172.230.102.185</a> -</i></div><div><i>1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://216.58.194.98:443">216.58.194.98:443</a> - ORIGINAL_DST/<a href="http://216.58.194.98">216.58.194.98</a> -</i></div><div><i>1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://216.58.194.70:443">216.58.194.70:443</a> - ORIGINAL_DST/<a href="http://216.58.194.70">216.58.194.70</a> -</i></div><div><i>1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET <a href="https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=">https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=</a> - ORIGINAL_DST/<a href="http://216.58.194.98">216.58.194.98</a> image/gif</i></div><div><i>1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET <a href="https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808">https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808</a>? 
- ORIGINAL_DST/<a href="http://216.58.194.70">216.58.194.70</a> image/gif</i></div><div><i>1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://24.155.92.60:443">24.155.92.60:443</a> - ORIGINAL_DST/<a href="http://24.155.92.60">24.155.92.60</a> -</i></div><div><i>1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET <a href="https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630">https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630</a> - ORIGINAL_DST/<a href="http://24.155.92.60">24.155.92.60</a> image/gif</i></div><div><i>1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156">159.45.66.156</a> -</i></div><div><i>1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156">159.45.66.156</a> -</i></div><div><i>1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.66.156:443">159.45.66.156:443</a> - HIER_NONE/- -</i></div><div><i>1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT <a href="http://connect.secure.wellsfargo.com:443">connect.secure.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.66.156">159.45.66.156</a> -</i></div><div><i>1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.170.145:443">159.45.170.145:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT <a 
href="http://www.wellsfargo.com:443">www.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.170.145">159.45.170.145</a> -</i></div><div><i>1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.2.142:443">159.45.2.142:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT <a href="http://static.wellsfargo.com:443">static.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.2.142">159.45.2.142</a> -</i></div><div><i>1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT <a href="http://159.45.170.145:443">159.45.170.145:443</a> - HIER_NONE/- -</i></div><div><i>1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT <a href="http://www.wellsfargo.com:443">www.wellsfargo.com:443</a> - ORIGINAL_DST/<a href="http://159.45.170.145">159.45.170.145</a> -</i></div></div></div><div><br></div></blockquote></div><div>If I disable sslbumping then the bank site does not get bumped, of course.</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET <a href="http://wellsfargo.com/">http://wellsfargo.com/</a> - ORIGINAL_DST/<a href="http://159.45.66.143">159.45.66.143</a> -</div></div><div><br></div></blockquote>Here is my squid.conf with bumping enabled.</div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>visible_hostname smoothwall</div><div><br></div><div># Uncomment the following to send debug info to /var/log/squid/cache.log</div><div>#debug_options ALL,1 33,2 28,9</div><div><br></div><div># ACCESS CONTROLS</div><div># ----------------------------------------------------------------</div><div>acl localhostgreen src 10.40.40.1</div><div>acl localnetgreen src <a href="http://10.40.40.0/24">10.40.40.0/24</a></div><div>acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"</div><div><br></div><div>acl 
SSL_ports port 445 443 441 563</div><div>acl Safe_ports port 80  <span class="" style="white-space:pre">     </span>  <span class="" style="white-space:pre">       </span># http</div><div>acl Safe_ports port 81  <span class="" style="white-space:pre">    </span>  <span class="" style="white-space:pre">       </span># smoothwall http</div><div>acl Safe_ports port 21  <span class="" style="white-space:pre"> </span>  <span class="" style="white-space:pre">       </span># ftp </div><div>acl Safe_ports port 445 443 441 563<span class="" style="white-space:pre"> </span># https, snews</div><div>acl Safe_ports port 70     <span class="" style="white-space:pre">                </span># gopher</div><div>acl Safe_ports port 210    <span class="" style="white-space:pre">      </span>   <span class="" style="white-space:pre">      </span># wais  </div><div>acl Safe_ports port 1025-65535<span class="" style="white-space:pre">            </span># unregistered ports</div><div>acl Safe_ports port 280       <span class="" style="white-space:pre">              </span># http-mgmt</div><div>acl Safe_ports port 488       <span class="" style="white-space:pre">               </span># gss-http </div><div>acl Safe_ports port 591       <span class="" style="white-space:pre">              </span># filemaker</div><div>acl Safe_ports port 777       <span class="" style="white-space:pre">               </span># multiling http</div><div><br></div><div>acl CONNECT method CONNECT</div><div><br></div><div># TAG: http_access</div><div># ----------------------------------------------------------------</div><div><br></div><div>http_access allow SWE_subnets</div><div><br></div><div><br></div><div>http_access allow localhost</div><div>http_access deny !Safe_ports</div><div>http_access deny CONNECT !SSL_ports</div><div><br></div><div>http_access allow localnetgreen</div><div>http_access allow CONNECT localnetgreen</div><div><br></div><div>http_access allow localhostgreen</div><div>http_access allow 
CONNECT localhostgreen</div><div><br></div><div># http_port and https_port</div><div>#----------------------------------------------------------------------------</div><div><br></div><div># For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.</div><div>#----------------------------------------------------------------------------</div><div>http_port 3127</div><div><br></div><div>http_port <a href="http://10.40.40.1:800">10.40.40.1:800</a> intercept</div><div>https_port <a href="http://10.40.40.1:808">10.40.40.1:808</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem</div><div><br></div><div><br></div><div>http_port <a href="http://127.0.0.1:800">127.0.0.1:800</a> intercept</div><div><br></div><div>sslproxy_session_cache_size 4 MB</div><div><br></div><div>ssl_bump none localhostgreen</div><div><br></div><div>sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression</div><div>sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL</div><div><br></div><div>acl tls_s1_connect at_step SslBump1</div><div>acl tls_s2_client_hello at_step SslBump2</div><div>acl tls_s3_server_hello at_step SslBump3</div><div><br></div><div>acl tls_allowed_hsts ssl::server_name .<a href="http://akamaihd.net">akamaihd.net</a></div><div>acl tls_server_is_bank ssl::server_name .<a href="http://wellsfargo.com">wellsfargo.com</a></div><div>acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank</div><div><br></div><div>ssl_bump peek tls_s1_connect all</div><div>ssl_bump splice tls_s2_client_hello tls_to_splice</div><div>ssl_bump stare tls_s2_client_hello all</div><div>ssl_bump bump tls_s3_server_hello all</div><div><br></div><div>sslproxy_cert_error deny all</div><div>sslproxy_flags 
DONT_VERIFY_PEER</div><div>sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB</div><div>sslcrtd_children 5</div><div><br></div><div>http_access deny all</div><div><br></div><div>cache_replacement_policy heap GDSF</div><div>memory_replacement_policy heap GDSF</div><div><br></div><div># CACHE OPTIONS</div><div># ----------------------------------------------------------------------------</div><div>cache_effective_user squid</div><div>cache_effective_group squid</div><div><br></div><div>cache_swap_high 100</div><div>cache_swap_low 80</div><div><br></div><div>cache_access_log stdio:/var/log/squid/access.log</div><div>cache_log /var/log/squid/cache.log</div><div>cache_mem 64 MB</div><div><br></div><div>cache_dir aufs /var/spool/squid/cache 1024 16 256</div><div><br></div><div>maximum_object_size 33 MB</div><div><br></div><div>minimum_object_size 0 KB</div><div><br></div><div><br></div><div>request_body_max_size 0 KB</div><div><br></div><div># OTHER OPTIONS</div><div># ----------------------------------------------------------------------------</div><div>#via off</div><div>forwarded_for off</div><div><br></div><div>pid_filename /var/run/squid.pid</div><div><br></div><div>shutdown_lifetime 10 seconds</div><div>#icp_port 3130</div><div><br></div><div>half_closed_clients off</div><div><br></div><div>umask 022</div><div><br></div><div>logfile_rotate 0</div><div><br></div><div>strip_query_terms off</div><div><br></div></div></blockquote></div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><br></div></blockquote></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><br></div></blockquote></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" 
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 29/06/2016 2:02 a.m., Stanford Prescott wrote:<br>
> I have the proper peek and splice and bump configuration of acls setup in<br>
> my squid.conf file for no-bump of some web sites. I need help how to enter<br>
> the banking hosts and or server names in a way that the peek and splice<br>
> configuration will determine it is a banking site that I don't want bumped.<br>
><br>
> For example, if a user enters <a href="http://www.wellsfargo.com" rel="noreferrer" target="_blank">www.wellsfargo.com</a> for online banking my<br>
> current config still bumps <a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a>. What would I need to enter for<br>
> <a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a> so that banking server will not be bumped?<br>
><br>
<br>
</div></div>Depends on what you mean by "enter".<br>
<br>
Are you asking for the ACL value?<br>
  .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
<br>
Are you asking for the ACL definition?<br>
 acl banks ssl::server_name .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
<br>
Or are you asking for a whole SSL-Bump configuration example?<br>
 <<a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a>> has a few.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
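The access.log excerpt in the message can be checked mechanically rather than by eye. The Python script below is an added example, not code from the thread or from Squid: it parses native-format access.log lines, records for each TLS server whether Squid spliced it (a TCP_TUNNEL CONNECT), only peeked at it (the TAG_NONE fake CONNECT logged for an intercepted connection), or bumped it (a decrypted https:// request appears in the log), and flags any host matching the two ssl::server_name values from the squid.conf above that nevertheless shows up as bumped. The sample lines are copied from the excerpt; on them it reports the wellsfargo.com hosts as spliced and tiles.services.mozilla.com as bumped.

```python
"""Audit a Squid access.log excerpt against an SSL-Bump splice allowlist."""
from urllib.parse import urlsplit

# ssl::server_name values from the squid.conf in the thread: a leading dot
# matches the domain itself and every subdomain.
SPLICE_DOMAINS = (".wellsfargo.com", ".akamaihd.net")

# Sample lines copied from the access.log excerpt in the message.
SAMPLE_LOG = """\
1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
"""

def domain_matches(host, pattern):
    """ssl::server_name semantics: '.example.com' matches example.com and any
    subdomain; a pattern without a leading dot matches exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def classify(line):
    """Return (server_host, state) for one native-format log line, or None.
    'spliced': TCP_TUNNEL CONNECT, passed through undecrypted. 'peeked': the
    TAG_NONE fake CONNECT of an intercepted connection. 'bumped': decrypted."""
    fields = line.split()
    if len(fields) < 9:
        return None
    result_code, method, url = fields[3].split("/", 1)[0], fields[5], fields[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
        return host, "spliced" if result_code == "TCP_TUNNEL" else "peeked"
    if url.startswith("https://"):
        return urlsplit(url).hostname, "bumped"
    return None  # plain http request: outside the TLS policy

def audit(log_text, splice_domains=SPLICE_DOMAINS):
    """Map each host to the states seen; list allowlisted hosts that got bumped."""
    states = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            states.setdefault(hit[0], set()).add(hit[1])
    violations = sorted(h for h, s in states.items() if "bumped" in s
                        and any(domain_matches(h, p) for p in splice_domains))
    return states, violations
```

Run `audit(open("/var/log/squid/access.log").read())` against a live log to see which allowlisted hosts, if any, are still being decrypted.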