[squid-users] Correctly implementing peak-splice
James Lay
jlay at slave-tothe-box.net
Wed Nov 5 12:40:21 UTC 2014
On Wed, 2014-11-05 at 12:24 +0200, Christos Tsantilas wrote:
> On 11/04/2014 02:26 PM, James Lay wrote:
> >
> > Thanks a bunch Christos,
> >
> > That list of IPs is things like apple.com, textnow.me, and windows
> > updates...IPs that simply don't bump well. My setup is a linux box
> > that's a router...one NIC internal IP, the other external IP. Via
> > iptables redirect, I'm transparently intercepting the web traffic of a
> > few devices, only allowing them access to the list of sites in url.txt.
> > At issue with using the broken_sites list, is that I have to just
> > specify large chunks of netblocks, which I lose control and visibility
> > of. What I'm really hoping for is for a way for squid to be able to, in
> > my case at least, look at either the server_name extension in the Client
>
> You need to build your own external_acl helper which will take as input
> the client sni (server_name extension). Read the squid wiki for information
> about external acl helpers:
> http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
>
> It is easy to build one in perl or as a shell script. I suggest
> building an external_acl helper which returns "OK" when the sni matches or
> no sni information exists.
>
> You can use the following configuration or similar:
> #
> external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
> acl EXTACL external EXTACL
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # At first step peek all
> ssl_bump peek step1 all
> ssl_bump splice step2 EXTACL
> ssl_bump bump all
>
>
> > Hello, or, if that's not present, look at the dNSName of certificate
> > being sent, check the access against url.txt, and either allow or deny.
>
> In your case the server certificate information will not work well. At
> the time this information is available:
> 1) in peek mode, you can not bump any more
> 2) in stare mode, you can not splice any more.
> There are exceptions to the above rules (for example in case the client
> uses the same SSL library as squid) but the SSL protocol is safe
> enough not to allow us to do anything better than this.
>
> Regards,
> Christos
>
> >
> > Ssl_bump does work well for most sites...and I understand we are
> > performing a man in the middle attack so it's not supposed to be easy.
> > Again my hope isn't really to perform a mitm...more of an access control
> > type thing. Thanks again Christos...I hope I explained this well
> > enough.
> >
> > James
> >
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Thanks so much Christos for taking time with this. I'll give the helper
a go and report my results here.
James
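A helper along the lines Christos describes, written here as an added example; it is not code from the thread or from the Squid project. It assumes the external_acl_type line is exactly the one quoted above (format `%ssl::>sni`, no `concurrency=` option, so each request line is the bare SNI and each reply is a bare `OK` or `ERR`), that Squid sends `-` when the ClientHello carried no server_name extension, that url.txt holds one hostname per line with `#` comments, and that a list entry should match itself and any subdomain. The path /etc/squid/url.txt and the script name sni_helper.sh are placeholders.

```shell
#!/bin/sh
# sni_helper.sh: Squid external_acl helper for "%ssl::>sni" (added example).
# Protocol: one request per stdin line, one "OK" or "ERR" reply per line.
# Assumptions (not from the thread): no concurrency= channel IDs, Squid
# sends "-" for a missing SNI, url.txt is one hostname per line.

ALLOWLIST="${ALLOWLIST:-/etc/squid/url.txt}"   # placeholder path

# sni_allowed SNI LISTFILE: prints OK or ERR; returns 0 for OK, 1 for ERR.
sni_allowed() {
    sni=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    list="$2"
    # No SNI: answer OK, as suggested in the thread, so the splice rule
    # still applies and a later ssl_bump rule can decide.
    if [ -z "$sni" ] || [ "$sni" = "-" ]; then
        echo OK
        return 0
    fi
    # Exact match or any subdomain of a listed name (foo.apple.com matches
    # apple.com). Blank lines and '#' comments in the list are skipped.
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in ''|'#'*) continue ;; esac
        if [ "$sni" = "$entry" ]; then
            echo OK
            return 0
        fi
        case "$sni" in
            *".$entry") echo OK; return 0 ;;
        esac
    done < "$list"
    echo ERR
    return 1
}

# helper_loop: serve Squid until stdin closes, one reply per request line.
helper_loop() {
    while IFS= read -r line; do
        sni_allowed "$line" "$ALLOWLIST"
    done
}

# Only enter the serving loop when run by Squid under the installed name,
# so the functions can also be sourced without blocking on stdin.
if [ "$(basename -- "$0")" = "sni_helper.sh" ]; then
    helper_loop
fi
```

Each reply is written with `echo`, which flushes per line, so Squid is never left waiting on a buffered answer. Matching re-reads url.txt on every request, which is fine for a short list of a few devices' sites; a large list would call for loading it once. If `concurrency=` is ever added to the external_acl_type line, Squid prefixes each request with a channel ID that the helper must echo back in front of `OK`/`ERR`, which this script does not do.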