[squid-dev] Moving from Bump-Server-First to Bump/Peek/Splice
Steve Hill
steve at opendium.com
Fri Sep 11 17:38:01 UTC 2015
I'm currently using Bump-Server-First, but I'm fiddling with
Bump/Peek/Splice and have uncovered some compatibility problems with the
way I'm currently doing things, so I'm hoping for some advice:
To enforce Google's Safe Search, Google recommends setting up a CNAME in
the local DNS server to redirect requests for www.google.com to
forcesafesearch.google.com. A DNS change like that would apply to the
whole network and I want to only apply it to certain users, so I'm doing
this a slightly different way: The "CONNECT www.google.com" request gets
sent to an ICAP REQMOD method, which rewrites it to "CONNECT
forcesafesearch.google.com", causing Squid to connect to the appropriate
IP address. The rest of the request behaves as though the connection
was to www.google.com - i.e. the HTTP requests within the bumped
connection appear as https://www.google.com/... etc.
With Bump-Server-First, this works ok - the CN and SANs are copied from
Google's original certificate into the forged cert, so as far as the
browser is concerned the certificate is valid for www.google.com.
However, with the new Bump functionality, the CN of the forged
certificate appears to come from the (rewritten) CONNECT request, so the
browser sees a CN of forcesafesearch.google.com.
Is there a better way of doing what I'm doing?
What is the reasoning behind the change to using the name from the
CONNECT string, rather than copying it from the server's certificate, or
have I misconfigured something? Notably, some applications CONNECT to
the IP address rather than the server's host name, but would still
expect the certificate's CN to be the server's hostname.
A related second question is that obviously when transparently proxying
traffic, the host name isn't available in the CONNECT request, so the
above rewrite method doesn't work anyway. I'm using an external ACL at
Bump Step 2 to look at the SNI that's obtained from the client handshake
and decide whether to bump - is there any way for the external ACL to
change the IP address that Squid will connect to, to replicate the
rewrite above?
Also, I've noticed that the "%un" external ACL format code is never
being filled with the user name when calling an external ACL during bump
step 2, even though the request has been authenticated.
Any advice gratefully received, looks like I'm spending next week
working through these issues. :)
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
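The "external ACL at Bump Step 2 that looks at the peeked SNI" described in the post, written out as an added example. This is not Steve's helper and not Squid code; it is a stand-alone helper that speaks Squid's external_acl_type line protocol. The squid.conf wiring in the docstring, the host list, the user list and the --concurrent flag are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for ssl_bump step 2: decide from the peeked SNI
and the authenticated user whether the TLS connection should be bumped.

Added example (not from the original post or from Squid).  Assumed wiring:

  external_acl_type bump_check ttl=0 negative_ttl=0 %ssl::>sni %un \
      /usr/local/bin/bump_check.py
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl do_bump external bump_check
  ssl_bump peek step1
  ssl_bump bump step2 do_bump
  ssl_bump splice all

Helper protocol (external_acl_type): one request per line with the FORMAT
fields separated by spaces; an empty field arrives as "-"; with quote=url
(the default) values are URL-encoded.  The reply is "OK" or "ERR".  With the
concurrency=N option each line is prefixed by a channel id that the reply
must echo back.
"""
import sys
from urllib.parse import unquote

# SNI names to bump for the enforced users (assumed list for the example).
BUMP_HOSTS = {"www.google.com", "google.com"}
# Users who get Safe Search enforced (assumed; a real helper would look the
# user up in a directory or group file).
ENFORCED_USERS = {"pupil1", "pupil2"}


def parse_fields(line):
    """Split one helper request line into decoded fields ("-" -> None)."""
    out = []
    for raw in line.strip().split():
        out.append(None if raw == "-" else unquote(raw))
    return out


def normalise_host(name):
    """Lower-case and drop a trailing dot so 'WWW.Google.COM.' matches."""
    return name.lower().rstrip(".")


def decide(sni, user):
    """Return 'OK' (bump) or 'ERR' (do not bump) for one lookup.

    Anything missing is answered with ERR, so a connection with no SNI or no
    known user is spliced rather than bumped by accident."""
    if sni is None or user is None:
        return "ERR"
    if normalise_host(sni) not in BUMP_HOSTS:
        return "ERR"
    return "OK" if user in ENFORCED_USERS else "ERR"


def reply_for(line, concurrency=False):
    """Build the full reply line for one request line."""
    fields = parse_fields(line)
    channel = None
    if concurrency:
        if not fields:
            return "ERR"
        channel = fields.pop(0)  # channel id must be echoed in the reply
    if len(fields) < 2:
        verdict = "ERR"
    else:
        verdict = decide(fields[0], fields[1])
    return verdict if channel is None else f"{channel} {verdict}"


def main(argv):
    concurrency = "--concurrent" in argv  # assumed flag matching concurrency=N
    for line in sys.stdin:
        sys.stdout.write(reply_for(line, concurrency) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it under Squid with the external_acl_type line above, or pipe request lines such as `www.google.com pupil1` into it on stdin to see the verdicts. Note that, as the post observes, a `%un` that Squid has not filled in arrives as `-`, which this helper treats as "do not bump".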