[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Josep Borrell jborrell at central.aplitec.com
Mon Jan 26 17:48:05 UTC 2015


Hi all,

Working on squid 3.5.1 with HTTPS interception.
Trying to make a peek/splice configuration work and avoid bank bumping.
Until now bumping is working fine, but I can't avoid bumping the sites on the ACL. All are bumped.
Can anybody share a working configuration or take a look at mine to find why it is not working?

Thanks

Josep

Squid.conf:

#HTTPS (SSL) traffic interception options
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
acl step1 at_step SSLBump1
acl step2 at_step SSLBump2
acl step3 at_step SSLBump3

# step 1: intercepted, so only the destination IP is known; peek to obtain the client's SNI
ssl_bump peek step1 all
# step 2: SNI is available; splice the listed bank domains, stare at everything else
ssl_bump splice step2 disable-ssl-bump
ssl_bump stare step2 all
# step 3: server certificate is available; a connection stared at in step 2 may no longer
# be spliceable, so this splice only matters if the decision was not already made at step 2
ssl_bump splice step3 disable-ssl-bump
ssl_bump bump step3 all

http_access allow all

http_port 3128
http_port 8080 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem

forward_max_tries 25
cache_mem 2 GB
maximum_object_size_in_memory 25 MB
maximum_object_size 1 GB

visible_hostname squid-v2

workers 3

coredump_dir /var/spool/squid3
cache_replacement_policy heap LFUDA
cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000
cache_dir rock /var/spool/squid3/cache2 10000

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 80% 10080

# FortiGate interface of wccp
wccp2_router 192.168.111.1
# wccp version 2 configuration
wccp2_service standard 90
# tunneling method GRE for forward traffic
wccp2_forwarding_method gre
# tunneling method GRE for return traffic
wccp2_return_method gre
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

/etc/squid3/no-ssl-bump.acl file:
.bancsabadell.com
.lacaixa.com
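As an added example (not part of the original post or of Squid itself), a small simulation of how the ssl_bump rules above are meant to be evaluated step by step, using Squid's dstdomain matching semantics (a leading dot matches the domain and all its subdomains, -i makes it case-insensitive). The ACL contents are embedded as a constructed stand-in for /etc/squid3/no-ssl-bump.acl; rule names and helper functions are the example's own.

```python
# Constructed stand-in for the /etc/squid3/no-ssl-bump.acl file shown above
NO_SSL_BUMP_ACL = """\
.bancsabadell.com
.lacaixa.com
"""

def load_dstdomain_acl(text):
    """Parse a dstdomain ACL file: one pattern per line, '#' comments and blanks ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())   # -i: compare case-insensitively
    return entries

def dstdomain_match(host, entries):
    """'.example.com' matches example.com and any subdomain; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    for e in entries:
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False

# The ssl_bump rules from the posted squid.conf, in file order: (action, step, acl)
SSL_BUMP_RULES = [
    ("peek", 1, "all"),
    ("splice", 2, "disable-ssl-bump"),
    ("stare", 2, "all"),
    ("splice", 3, "disable-ssl-bump"),
    ("bump", 3, "all"),
]

def evaluate_ssl_bump(sni, entries, rules=SSL_BUMP_RULES):
    """Return the action chosen at each step (first matching rule per step wins).
    At step 1 of an intercepted connection only the destination IP is known, so a
    dstdomain ACL cannot match there; the SNI becomes available from step 2 on."""
    actions = []
    for step in (1, 2, 3):
        for action, rule_step, acl in rules:
            if rule_step != step:
                continue
            sni_known = step >= 2
            if acl == "all" or (sni_known and dstdomain_match(sni, entries)):
                actions.append(action)
                break
        if actions[-1] in ("splice", "bump"):
            break   # tunnelled or decrypted: no further ssl_bump steps
    return actions
```

With the rules in this order a bank host should end as peek then splice, while any other host goes peek, stare, bump; if the bank sites are still being bumped, the step 2 splice line is the one not matching.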

