[squid-users] Squid 3 SSL bump: Google drive application could not connect

Yuri Voinov yvoinov at gmail.com
Tue Dec 30 20:32:07 UTC 2014


No problem. ;)

31.12.2014 2:30, Rafael Akchurin wrote:
>
> Perfect thanks a lot!!!
>
> Raf :)
>
> *From:* Yuri Voinov [mailto:yvoinov at gmail.com]
> *Sent:* Tuesday, December 30, 2014 9:23 PM
> *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> WCCP only, of course. To reduce Cisco CPU usage.
>
> Also, iOS version 15.4 with SECURITYK9 techno pack activated.
>
> 31.12.2014 2:21, Rafael Akchurin wrote:
>
> > Just for me to completely clarify:
> >
> > - how exactly your Squid gets the traffic from your clients? (explicit proxy or cisco WCCP?)
> >
> > raf
> >
> > *From:* Yuri Voinov [mailto:yvoinov at gmail.com]
> > *Sent:* Tuesday, December 30, 2014 9:16 PM
> > *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> > *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> >
> > To finalize a solution,
> >
> > see our favorite:
> >
> > http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
> >
> > Why use iptables, ipfilter, Cisco, etc?!
> >
> > Only Squid, only hardcore!
> >
> > Revert cisco config back:
> >
> > R2911(config)#no access-list 121
> > R2911(config)#access-list 121 remark ACL for HTTPS WCCP
> > R2911(config)#access-list 121 remark Squid proxies bypass
> > R2911(config)#access-list 121 deny   ip host 192.168.200.3 any
> > R2911(config)#access-list 121 deny   ip host 192.168.100.251 any
> > R2911(config)#access-list 121 remark Videoserver
> > R2911(config)#access-list 121 deny   ip host 192.168.200.5 any
> > R2911(config)#access-list 121 remark LAN clients proxy port 443
> > R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> > R2911(config)#access-list 121 remark all others bypass WCCP
> > R2911(config)#access-list 121 deny   ip any any
> > R2911(config)#^Z
> > R2911#wr
> > Building configuration...
> > [OK]
> >
> > Write acl file with IP/net with SSL Pinning:
> >
> > root @ ktulhu /usr/local/squid/etc # cat dst.nobump
> > # BCC bypass
> > 91.198.63.0/24
> > # Salyk bypass
> > 212.154.165.148/32
> > # WU bypass
> > 191.232.0.0/13
> > 65.52.0.0/14
> > # Symantec bypass
> > 195.215.221.99/32
> > 195.215.221.104/32
> > 213.248.114.172/32
> > 213.248.114.173/32
> > 213.248.114.174/32
> > 213.248.114.175/32
> > 77.67.22.168/32
> > 77.67.22.171/32
> > 77.67.22.173/32
> > 213.248.114.171/32
> >
> > Add needful nets/apps to acl by your taste.
> >
> > Add to squid config:
> >
> > # SSL bump acl
> > acl net_bump src "/usr/local/squid/etc/net.bump"
> > # HTTP-use 443 port apps
> > acl url_nobump dstdom_regex \.icq\.*
> > # SSL Pinning servers. Only ip-based dst acl!
> > acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"
> >
> > # SSL bump rules
> > sslproxy_cert_error allow all
> > ssl_bump none localhost
> > ssl_bump none url_nobump
> > ssl_bump none dst_nobump
> > ssl_bump server-first net_bump
> >
> > Yahooo! The same result with Squid only!
> >
> > 30.12.2014 23:39, Rafael Akchurin wrote:
> > > SSL Pinning

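Added example, not part of the original thread or of Squid: a small audit of the quoted dst.nobump list that counts how many addresses each labelled group exempts from inspection and replays the first-match ssl_bump order for a client/server pair. The net.bump contents are an assumption (the thread does not show that file), and the url_nobump regex rule is not modelled, only the IP-based rules.

```python
import ipaddress

# dst.nobump entries copied from the message above (Symantec group omitted).
DST_NOBUMP = """\
# BCC bypass
91.198.63.0/24
# Salyk bypass
212.154.165.148/32
# WU bypass
191.232.0.0/13
65.52.0.0/14
"""
# Assumption: net.bump is not shown in the thread; this value is constructed.
NET_BUMP = "192.168.0.0/16\n"

def load_acl(text):
    """Parse an ACL file: one IP/net per line, '#' starts a comment line.
    Returns [(network, label)], label being the last comment line seen."""
    entries, label = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            label = line.lstrip("# ").strip()
        elif line:
            # strict=True raises on entries with host bits set (typo guard)
            entries.append((ipaddress.ip_network(line, strict=True), label))
    return entries

def exempt_addresses(entries):
    """Addresses excluded from inspection, summed per comment label."""
    totals = {}
    for net, label in entries:
        totals[label] = totals.get(label, 0) + net.num_addresses
    return totals

def decide(client, server, dst_nobump, net_bump):
    """First matching ssl_bump rule wins; no match means the connection is not bumped."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    rules = [
        ("none", lambda: c.is_loopback),  # approximates the built-in localhost ACL
        ("none", lambda: any(s in n for n, _ in dst_nobump)),  # dst_nobump
        ("server-first", lambda: any(c in n for n, _ in net_bump)),  # net_bump
    ]
    for action, matches in rules:
        if matches():
            return action
    return "none"
```

The per-label totals make the width of each bypass visible: the two WU ranges alone exempt 786432 addresses from interception.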
