[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Yuri Voinov yvoinov at gmail.com
Mon Jan 26 19:58:05 UTC 2015


In theory.

I don't see any 3.5.x bump working yet.

In 3.4.x, bumping is not divided into stages, and only IP-based dst ACLs will
work.

27.01.2015 1:54, Daniel Greenwald writes:
> Hmm, according to how I read this page: http://wiki.squid-cache.org/Features/SslPeekAndSplice
> The following *should* work, however in my test it bumps all and does
> not splice.
> Yuri, I believe the domain name should be available at step2 after
> peeking in step1.
> Someone correct me?
>
> acl domains_nobump dstdomain "/etc/squid/domains_nobump.acl"
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump splice domains_nobump
> ssl_bump peek step1 all
> ssl_bump bump step2 all
>
> -----------
> Daniel I Greenwald
>
> On Mon, Jan 26, 2015 at 12:53 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>
> You can't use a dstdomain ACL to disable bumping.
>
> Only dst with IPs.
>
> You don't know the site FQDN before bump. :)
>
> 26.01.2015 23:48, Josep Borrell writes:
>
> > Hi all,
> >
> > Working on squid 3.5.1 with HTTPS interception.
> > Trying to make a peek/splice configuration work and avoid bank
> > bumping.
> > Until now bumping is working fine, but I can't avoid bumping the sites
> > on the ACL. All are bumped.
> > Can anybody share a working configuration or take a look at mine to
> > find why it is not working.
> >
> > Thanks
> >
> > Josep
> >
> > Squid.conf:
> >
> > #HTTPS (SSL) traffic interception options
> > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
> > sslcrtd_children 8 startup=1 idle=1
> >
> > acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
> > acl step1 at_step SSLBump1
> > acl step2 at_step SSLBump2
> > acl step3 at_step SSLBump3
> >
> > ssl_bump peek step1 all
> > ssl_bump splice step2 disable-ssl-bump
> > ssl_bump stare step2 all
> > ssl_bump splice step3 disable-ssl-bump
> > ssl_bump bump step3 all
> >
> > http_access allow all
> >
> > http_port 3128
> > http_port 8080 intercept
> > https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem
> >
> > forward_max_tries 25
> > cache_mem 2 GB
> > maximum_object_size_in_memory 25 MB
> > maximum_object_size 1 GB
> >
> > visible_hostname squid-v2
> >
> > workers 3
> >
> > coredump_dir /var/spool/squid3
> > cache_replacement_policy heap LFUDA
> > cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000
> > cache_dir rock /var/spool/squid3/cache2 10000
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 10080
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 80% 10080
> >
> > # FortiGate interface of wccp
> > wccp2_router 192.168.111.1
> > # wccp version 2 configuration
> > wccp2_service standard 90
> > # tunneling method GRE for forward traffic
> > wccp2_forwarding_method gre
> > # tunneling method GRE for return traffic
> > wccp2_return_method gre
> > # which interface to use for WCCP (0.0.0.0 determines the interface
> > from routing)
> > wccp2_address 0.0.0.0
> >
> > /etc/squid3/no-ssl-bump.acl file:
> > .bancsabadell.com
> > .lacaixa.com
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
