[squid-users] ssl_crtd breaks after short time
Klavs Klavsen
kl at vsen.dk
Tue Jun 9 06:44:13 UTC 2015
Hi,
James Lay just replied to me with his current config.. (pretty much like
what he posted), and it seems he does not even try to use http_access
rules to filter on URLs from https requests..
@Amos: are you certain that there's not an error in how http_access
rules are applied to bumped connections?
What I noted was:
Instead of having:
http_access allow CONNECT bumpedPorts
he has:
http_access allow SSL_ports
which somehow seems to work instead.
He only uses http_access allow rules for http sites.. he filters https
on domain only - using:
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites
In my access log - using James Lay's format - Squid only logs CONNECT..
so it seems it's not registering the step AFTER CONNECT as something
separate - which would explain why it's not applying http_access
filtering to it?
10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:42:30 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28258 TCP_TUNNEL:ORIGINAL_DST peek
Amos Jeffries wrote on 06/05/2015 12:18 AM:
> On 5/06/2015 3:34 a.m., Klavs Klavsen wrote:
>> I would be perfectly fine with allowing the SSL bumping to finish for
>> ALL https sites - and then only block when the http request comes..
>>
>> I'm hoping someone can tell me what I've done wrong in my config.. I'm
>> obviously not understanding how it works when https is involved.. it
>> works as intended with http..
>
> It should be working. I'm a bit confused myself now why that CONNECT
> line would be matching the decrypted requests, they definitely should
> not be having the CONNECT request method as they are destined to an
> origin server.
>
> We've missed something basic, and will probably kick ourselves at how
> simple when it's revealed. :-(
> All I can think of now is that James log format should be indicating
> more clearly whats going on than the default Squid one will.
>
> Amos
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
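A way to check the precondition behind the question in this thread, as an added example that is neither part of the thread nor Squid's own code: http_access rules that match on URLs can only see requests Squid has decrypted, and a decrypted request shows up in access.log as its own line with the real method and an https:// URL. A CONNECT logged with TCP_TUNNEL and no such follow-up line for the same server name was tunneled without decryption, so only CONNECT-level http_access rules ever ran for it. The script below parses lines in the shape of the log quoted above (the field order is inferred from the three posted lines and is an assumption about James Lay's logformat) and reports, per server name, whether any decrypted request was observed. The first three sample lines are the posted ones; the last two are constructed to show what a bumped session would look like and are not from the message.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order assumed from the posted log lines:
# client ident user [timestamp] "method url proto" sni - status bytes hierarchy bump_mode
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<sni>\S+) \S+ (?P<status>\d+) (?P<bytes>\d+) '
    r'(?P<tag>\S+) (?P<bump>\S+)$'
)

# Sample input. Lines 1-3 are the ones quoted in the message; lines 4-5 are
# constructed (client 192.0.2.10, host www.example.com) to illustrate a bumped
# session, where the decrypted GET is logged as its own line with an https:// URL.
# The exact hierarchy tag Squid writes for a bumped CONNECT is an assumption here.
SAMPLE_LOG = """\
10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:42:30 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28258 TCP_TUNNEL:ORIGINAL_DST peek
192.0.2.10 - - [09/Jun/2015:08:45:02 +0200] "CONNECT 93.184.216.34:443 HTTP/1.1" www.example.com - 200 0 TCP_TUNNEL:HIER_NONE bump
192.0.2.10 - - [09/Jun/2015:08:45:02 +0200] "GET https://www.example.com/ HTTP/1.1" www.example.com - 200 1256 TCP_MISS:ORIGINAL_DST -
"""


@dataclass
class Entry:
    client: str
    method: str
    url: str
    sni: str
    status: int
    tag: str
    bump: str

    @property
    def is_connect(self) -> bool:
        return self.method == "CONNECT"

    @property
    def is_decrypted(self) -> bool:
        # Only a bumped connection can yield a non-CONNECT request with an https:// URL.
        return not self.is_connect and self.url.lower().startswith("https://")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access.log line; None for lines that do not fit the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["client"], m["method"], m["url"], m["sni"],
                 int(m["status"]), m["tag"], m["bump"])


@dataclass
class SiteSummary:
    connects: int = 0    # CONNECT lines seen for this server name
    tunneled: int = 0    # CONNECTs whose hierarchy tag starts with TCP_TUNNEL
    decrypted: int = 0   # non-CONNECT requests with an https:// URL

    @property
    def bumped(self) -> bool:
        return self.decrypted > 0


def summarize(log_text: str) -> Dict[str, SiteSummary]:
    """Group log lines by SNI server name and count CONNECTs vs. decrypted requests."""
    summary: Dict[str, SiteSummary] = defaultdict(SiteSummary)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = summary[e.sni]
        if e.is_connect:
            s.connects += 1
            if e.tag.startswith("TCP_TUNNEL"):
                s.tunneled += 1
        elif e.is_decrypted:
            s.decrypted += 1
    return dict(summary)


def connect_only_sites(log_text: str) -> List[str]:
    """Server names for which only CONNECTs were logged: URL http_access rules never ran."""
    return sorted(sni for sni, s in summarize(log_text).items() if not s.bumped)


def diagnose(log_text: str) -> List[str]:
    """One human-readable verdict per server name."""
    out = []
    for sni, s in sorted(summarize(log_text).items()):
        if s.bumped:
            out.append(f"{sni}: {s.connects} CONNECT, {s.decrypted} decrypted request(s): "
                       "bumped; URL-based http_access rules apply to the decrypted lines")
        else:
            out.append(f"{sni}: {s.connects} CONNECT ({s.tunneled} TCP_TUNNEL), 0 decrypted requests: "
                       "not bumped; only the CONNECT-level http_access rules ran")
    return out


if __name__ == "__main__":
    for verdict in diagnose(SAMPLE_LOG):
        print(verdict)
```

Run it against a real access.log instead of SAMPLE_LOG; if every https server name comes back as connect-only, the problem is upstream of http_access: the ssl_bump rules never reached bump for those connections, so there was no decrypted request for a URL rule to match.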