[squid-users] Squid 3 SSL bump: Google drive application could not connect
Yuri Voinov
yvoinov at gmail.com
Tue Dec 30 20:21:59 UTC 2014
Sure.
Squid 3 WCCP key config part:
# WCCPv2 parameters
wccp2_router 192.168.200.2
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_rebuild_wait off
# service 0 = standard web-cache (port 80); service 70 = dynamic HTTPS (port 443)
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443
Cisco config key parts:
!
ip wccp web-cache redirect-list 120
ip wccp 70 redirect-list 121
!
!
! This interface looks toward the Squid proxy (internal networks are on another interface)
interface GigabitEthernet0/1
ip address 192.168.200.2 255.255.255.0
ip wccp web-cache redirect out
ip wccp 70 redirect out
ip nbar protocol-discovery
ip virtual-reassembly in
duplex auto
speed auto
!
access-list 120 remark ACL for HTTP WCCP
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.200.3 any
access-list 120 remark LAN clients proxy port 80
access-list 120 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
!
access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny ip host 192.168.200.3 any
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny ip any any
!
That's all. :)
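As an added example (not code from the original thread or from the Squid or Cisco projects), here is a small Python evaluator for the subset of IOS extended access-list syntax used in the redirect-lists above and in the "complete solution" ACL quoted further down. It lets you check offline, before touching the router, which flows a redirect-list like access-list 121 will hand to Squid (permit) and which it will let bypass (deny): the Squid host itself, the pinned-certificate destinations, non-443 traffic, and non-LAN sources. The function names, the trimmed copy of ACL 121 and the sample flows (documentation-range addresses) are all mine, constructed for the demonstration.

```python
"""Evaluate a Cisco-style extended access list against sample flows.

Added example, not part of the original mailing-list post. It implements only
the subset of IOS ACL syntax that appears in the thread:
    permit|deny ip|tcp <src> <dst> [eq <port>]
with address forms "any", "host A.B.C.D" and "A.B.C.D WILDCARD".
"""
import ipaddress

# Trimmed copy of the thread's access-list 121 (remarks and some hosts dropped).
# Constructed for this example; edit to match your own redirect-list.
ACL_121 = """
deny ip host 192.168.200.3 any
deny tcp any 191.232.0.0 0.7.255.255
deny tcp any 65.52.0.0 0.3.255.255
deny tcp any host 195.215.221.99
deny tcp any host 213.248.114.172
permit tcp 192.168.0.0 0.0.255.255 any eq 443
deny ip any any
"""


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (matcher, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: ip == t), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # IOS wildcard masks are inverted netmasks: a 1 bit means "don't care",
    # so only the 0 bits of the wildcard take part in the comparison.
    care = 0xFFFFFFFF ^ wildcard
    return (lambda ip, b=base, c=care: (ip & c) == (b & c)), i + 2


def parse_acl(text):
    """Parse ACL lines into (action, proto, src_matcher, dst_matcher, port) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port = int(tokens[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries


def acl_action(entries, src_ip, dst_ip, proto="tcp", dst_port=443):
    """First-match evaluation, with the implicit deny every IOS ACL ends with."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, aproto, src, dst, port in entries:
        if aproto != "ip" and aproto != proto:   # "ip" entries match any protocol
            continue
        if not (src(s) and dst(d)):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


def redirected_to_squid(entries, src_ip, dst_ip, proto="tcp", dst_port=443):
    """For a WCCP redirect-list, 'permit' means the router redirects the flow to Squid."""
    return acl_action(entries, src_ip, dst_ip, proto, dst_port) == "permit"


if __name__ == "__main__":
    acl = parse_acl(ACL_121)
    # Constructed sample flows: (source, destination, port)
    flows = [
        ("192.168.10.5", "203.0.113.10", 443),    # LAN client, ordinary HTTPS -> bumped
        ("192.168.10.5", "203.0.113.10", 80),     # port 80 is not in ACL 121 -> bypass
        ("192.168.200.3", "203.0.113.10", 443),   # Squid's own traffic -> never redirected
        ("192.168.10.5", "191.235.1.1", 443),     # inside 191.232.0.0/13 (WU bypass)
        ("192.168.10.5", "191.240.1.1", 443),     # just outside that wildcard range
        ("192.168.10.5", "195.215.221.99", 443),  # Symantec host bypass
        ("10.0.0.1", "203.0.113.10", 443),        # not a LAN source -> bypass
    ]
    for src, dst, port in flows:
        verdict = "REDIRECT" if redirected_to_squid(acl, src, dst, dst_port=port) else "bypass"
        print(f"{src:>15} -> {dst:>15}:{port:<4} {verdict}")
```

Run it as-is to see the verdict table; the useful habit is to add one flow per exclusion you put in the list (and one just outside each wildcard range, as with 191.240.1.1) so a typo in a wildcard mask shows up here instead of as a broken client.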
31.12.2014 2:10, Rafael Akchurin wrote:
>
> Glad that it worked.
>
> May be useful to dump here your squid.conf to better understand how to
> configure squid to transparently work with wccp traffic coming from your
> Cisco router?
>
> Raf
>
> *From:* Yuri Voinov [mailto:yvoinov at gmail.com]
> *Sent:* Tuesday, December 30, 2014 8:48 PM
> *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> Already found this lonely right post ;) I have Google-Fu too :) And it's
> longer than yours :)
>
> Anyway,
>
> all of these issues are solved.
>
> I have snoop (not Windoze wireshark - all great things are made in the
> console, ya!) and took a look at a single client's traffic during bumping.
>
> As I don't have iptables (no penguins, please!), but I do have a Cisco 2911,
> I pass some Windows Update and Symantec Update (which does not work either)
> bypassing Squid.
>
> Cisco is greatest. All others probably suxx :)
>
> The complete solution looks like:
>
> access-list 121 remark ACL for HTTPS WCCP
> access-list 121 remark Squid proxies bypass
> access-list 121 deny ip host 192.168.200.3 any
> access-list 121 remark WU bypass
> access-list 121 deny tcp any 191.232.0.0 0.7.255.255
> access-list 121 deny tcp any 65.52.0.0 0.3.255.255
> access-list 121 remark Symantec bypass
> access-list 121 deny tcp any host 195.215.221.99
> access-list 121 deny tcp any host 195.215.221.104
> access-list 121 deny tcp any host 213.248.114.172
> access-list 121 deny tcp any host 213.248.114.173
> access-list 121 deny tcp any host 213.248.114.174
> access-list 121 deny tcp any host 213.248.114.175
> access-list 121 deny tcp any host 77.67.22.168
> access-list 121 deny tcp any host 77.67.22.171
> access-list 121 deny tcp any host 77.67.22.173
> access-list 121 deny tcp any host 213.248.114.171
> access-list 121 remark LAN clients proxy port 443
> access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> access-list 121 remark all others bypass WCCP
> access-list 121 deny ip any any
>
> So, all other issues are solved similarly.
>
> Want to do something good - do it yourself!
>
> That's the way. :)
>
> 30.12.2014 23:39, Rafael Akchurin wrote:
>
> > Hello Yuri,
> >
> > Luckily the same topic was just discussed on our forum – please see if
> > this can help
> > https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ
> >
> > It describes the iptables settings for successful SSL bump exclusions
> > for Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because
> > of SSL Pinning).
> >
> > Best regards,
> >
> > Raf
> >
> > *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On Behalf Of* Rafael Akchurin
> > *Sent:* Tuesday, December 30, 2014 4:23 PM
> > *To:* Yuri Voinov; squid-users at lists.squid-cache.org
> > *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> >
> > Only exclusion from SSL Bump as far as I know.
> >
> > raf
> >
> > -------------------------
> > *From:* Yuri Voinov <yvoinov at gmail.com>
> > *Sent:* Tuesday, December 30, 2014 3:19 PM
> > *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> > *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> >
> > May be.
> >
> > Does a workaround exist?
> >
> > 30.12.2014 20:09, Rafael Akchurin wrote:
> > > SSL Pinning? (I know Dropbox does this)
> > >
> > > my two cents only :)
> > >
> > > Raf
> > >
> > > ________________________________________
> > > From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Yuri Voinov <yvoinov at gmail.com>
> > > Sent: Tuesday, December 30, 2014 2:12 PM
> > > To: squid-users at lists.squid-cache.org
> > > Subject: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> > >
> > > Hi gents,
> > >
> > > I found a strange issue.
> > >
> > > Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
> > >
> > > While all web https sites work perfectly - especially in Chrome - and
> > > most cloud clients work like a charm (SpiderOak does!), the Google Drive
> > > client application (PC) could not work.
> > >
> > > Note: Web Google Docs works. Web Google drive works.
> > >
> > > Note: Google support info - even if I pass a dozen Google URLs without
> > > bump - cannot help. It doesn't work when server-first bumping is on and
> > > works otherwise.
> > >
> > > So, the Serious Question is: Why? :)
> > >
> > > Any idea?
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users