[squid-users] Squid 3 SSL bump: Google drive application could not connect

Rafael Akchurin rafael.akchurin at diladele.com
Tue Dec 30 20:30:50 UTC 2014


Perfect, thanks a lot!!!
Raf :)

From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Tuesday, December 30, 2014 9:23 PM
To: Rafael Akchurin; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect



WCCP only, of course. To reduce Cisco CPU usage.

Also, IOS version 15.4 with SECURITYK9 techno pack activated.

31.12.2014 2:21, Rafael Akchurin wrote:
> Just for me to completely clarify:
>
> - how exactly your Squid gets the traffic from your clients? (explicit proxy or cisco WCCP?)
>
> raf
>
> *From:* Yuri Voinov [mailto:yvoinov at gmail.com]
> *Sent:* Tuesday, December 30, 2014 9:16 PM
> *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> To finalize a solution,
>
> see our favorite:
>
> http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
>
> Why use iptables, ipfilter, Cisco, etc?!
>
> Only Squid, only hardcore!
>
> Revert cisco config back:
>
> R2911(config)#no access-list 121
> R2911(config)#access-list 121 remark ACL for HTTPS WCCP
> R2911(config)#access-list 121 remark Squid proxies bypass
> R2911(config)#access-list 121 deny   ip host 192.168.200.3 any
> R2911(config)#access-list 121 deny   ip host 192.168.100.251 any
> R2911(config)#access-list 121 remark Videoserver
> R2911(config)#access-list 121 deny   ip host 192.168.200.5 any
> R2911(config)#access-list 121 remark LAN clients proxy port 443
> R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> R2911(config)#access-list 121 remark all others bypass WCCP
> R2911(config)#access-list 121 deny   ip any any
> R2911(config)#^Z
> R2911#wr
> Building configuration...
> [OK]
>
> Write acl file with IP/net with SSL Pinning:
>
> root @ ktulhu /usr/local/squid/etc # cat dst.nobump
> # BCC bypass
> 91.198.63.0/24
> # Salyk bypass
> 212.154.165.148/32
> # WU bypass
> 191.232.0.0/13
> 65.52.0.0/14
> # Symantec bypass
> 195.215.221.99/32
> 195.215.221.104/32
> 213.248.114.172/32
> 213.248.114.173/32
> 213.248.114.174/32
> 213.248.114.175/32
> 77.67.22.168/32
> 77.67.22.171/32
> 77.67.22.173/32
> 213.248.114.171/32
>
> Add needful nets/apps to acl by your taste.
>
> Add to squid config:
>
> # SSL bump acl
> acl net_bump src "/usr/local/squid/etc/net.bump"
> # HTTP-use 443 port apps
> acl url_nobump dstdom_regex \.icq\.*
> # SSL Pinning servers. Only ip-based dst acl!
> acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
>
> Yahooo! The same result with Squid only!
>
> 30.12.2014 23:39, Rafael Akchurin wrote:
> > SSL Pinning


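The dst.nobump file quoted in the message exempts whole destination ranges from bumping, so its entries are worth auditing before Squid loads them. The following is an added example, not part of the original message or of Squid: a Python check (function names and the 65536-address threshold are assumptions) that parses an excerpt of that file, reports malformed or very broad entries, and shows which entry, if any, would exempt a given destination IP.

```python
import ipaddress

# Excerpt of the dst.nobump file quoted in the message (one Symantec entry kept).
DST_NOBUMP = """\
# BCC bypass
91.198.63.0/24
# Salyk bypass
212.154.165.148/32
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
"""

def parse_nobump(text):
    """Return (entries, errors); entries are (label, network) pairs."""
    entries, errors, label = [], [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            label = line.lstrip("# ")   # comment names the entries below it
        elif line:
            try:
                # strict=True rejects host bits set, e.g. 10.1.2.3/8
                entries.append((label, ipaddress.ip_network(line, strict=True)))
            except ValueError as exc:
                errors.append((lineno, line, str(exc)))
    return entries, errors

def broad_entries(entries, max_addresses=65536):
    """Entries exempting more than max_addresses (assumed threshold) from bumping."""
    return [(lbl, net) for lbl, net in entries if net.num_addresses > max_addresses]

def bypass_label(dst_ip, entries):
    """Label of the first entry covering dst_ip, or None (traffic would be bumped)."""
    addr = ipaddress.ip_address(dst_ip)
    return next((lbl for lbl, net in entries if addr in net), None)

def exempt_total(entries):
    """Distinct IPv4 addresses exempted, after merging overlapping entries."""
    v4 = [net for _, net in entries if net.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

if __name__ == "__main__":
    entries, errors = parse_nobump(DST_NOBUMP)
    print("errors:", errors)
    print("broad:", broad_entries(entries))
    print("exempt addresses:", exempt_total(entries))
    print("65.55.1.1 ->", bypass_label("65.55.1.1", entries))
```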
