[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Daniel Greenwald dig at digcorp.net
Mon Jan 26 19:54:06 UTC 2015


Hmm, according to how I read this page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
The following *should* work; however, in my test it bumps all and does not
splice.
Yuri, I believe the domain name should be available at step2 after peeking
in step1.
Someone correct me?


acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump splice domains_nobump
ssl_bump peek step1 all
ssl_bump bump step2 all


-----------
Daniel I Greenwald



On Mon, Jan 26, 2015 at 12:53 PM, Yuri Voinov <yvoinov at gmail.com> wrote:

>
> You can't use a dstdomain ACL to disable bumping.
>
> Only dst with IPs.
>
> You don't know the site FQDN before the bump. :)
>
> 26.01.2015 23:48, Josep Borrell wrote:
> >
> > Hi all,
> >
> > Working on squid 3.5.1 with HTTPS interception.
> >
> > Trying to make a peek/splice configuration work and avoid bank bumping.
> >
> > Until now bumping is working fine, but I can't avoid bumping the sites on
> > the ACL. All are bumped.
> >
> > Can anybody share a working configuration or take a look at mine to find
> > out why it is not working?
> >
> > Thanks
> >
> > Josep
> >
> > Squid.conf:
> >
> > #HTTPS (SSL) traffic interception options
> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
> > sslcrtd_children 8 startup=1 idle=1
> >
> > acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
> > acl step1 at_step SSLBump1
> > acl step2 at_step SSLBump2
> > acl step3 at_step SSLBump3
> >
> > ssl_bump peek step1 all
> > ssl_bump splice step2 disable-ssl-bump
> > ssl_bump stare step2 all
> > ssl_bump splice step3 disable-ssl-bump
> > ssl_bump bump step3 all
> >
> > http_access allow all
> >
> > http_port 3128
> > http_port 8080 intercept
> > https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem
> >
> > forward_max_tries 25
> > cache_mem 2 GB
> > maximum_object_size_in_memory 25 MB
> > maximum_object_size 1 GB
> >
> > visible_hostname squid-v2
> >
> > workers 3
> >
> > coredump_dir /var/spool/squid3
> > cache_replacement_policy heap LFUDA
> > cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000
> > cache_dir rock /var/spool/squid3/cache2 10000
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 10080
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 80% 10080
> >
> > # FortiGate interface of wccp
> > wccp2_router 192.168.111.1
> > # wccp version 2 configuration
> > wccp2_service standard 90
> > # tunneling method GRE for forward traffic
> > wccp2_forwarding_method gre
> > # tunneling method GRE for return traffic
> > wccp2_return_method gre
> > # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> > wccp2_address 0.0.0.0
> >
> > /etc/squid3/no-ssl-bump.acl file:
> > .bancsabadell.com
> > .lacaixa.com
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
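The thread hinges on what a peeking proxy can see at each SslBump step: at step 1 only the destination IP, at step 2 the SNI carried in plaintext in the client's TLS ClientHello. The following is an added example written for this page (not code from the thread or from Squid) that parses that SNI out of a ClientHello and matches it against a leading-dot domain list with Squid dstdomain semantics (a `.example.com` entry matches the domain and all its subdomains; an entry without the leading dot matches exactly). It assumes the TLS 1.2 ClientHello layout from RFC 5246 and the server_name extension from RFC 6066; the sample ClientHello is a constructed input, the domain list is copied from Josep's no-ssl-bump.acl, and the function names `build_client_hello`, `extract_sni`, `dstdomain_match` and `decide` are chosen here.

```python
"""Extract the SNI from a TLS ClientHello and apply a Squid-style dstdomain list.

Added example (not from the thread, not Squid's code). Demonstrates the name a
peeking proxy learns at SslBump step 2 that it lacks at step 1, and how a
leading-dot no-bump list would be matched against it.
"""
import struct

# Constructed sample no-bump list, same entries as Josep's /etc/squid3/no-ssl-bump.acl
NO_BUMP_DOMAINS = [".bancsabadell.com", ".lacaixa.com"]


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    body = b"\x03\x03" + b"\x11" * 32            # client_version + fixed "random"
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # ext type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + p[pos]                             # session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + p[pos]                             # compression_methods
    if pos + 2 > len(p):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        data = p[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                       # server_name extension
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                # host_name
                    return data[q:q + name_len].decode("idna")
                q += name_len
    return None


def dstdomain_match(host, entries):
    """Squid dstdomain semantics: '.x.y' matches x.y and its subdomains,
    'x.y' matches exactly. Comparison is case-insensitive."""
    host = host.lower().rstrip(".")
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False


def decide(record, no_bump=NO_BUMP_DOMAINS):
    """Emulate the decision available once the ClientHello has been peeked
    (step 2): splice if the SNI is on the no-bump list, otherwise bump.
    Without an SNI the name-based rule cannot match, so the catch-all bumps."""
    sni = extract_sni(record)
    if sni is not None and dstdomain_match(sni, no_bump):
        return "splice"
    return "bump"


if __name__ == "__main__":
    for host in ("www.bancsabadell.com", "www.example.com", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "->", decide(rec))
```

A ClientHello that carries no server_name extension yields `None`, so the splice rule never matches and the bump rule fires; that is the case to account for when a client does not send SNI, and it is also why a name-based ACL has nothing to match at step 1, before any ClientHello has been read.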