[squid-users] 3.5.4 need more help with peek and splice and external helper
Stanford Prescott
stan.prescott at gmail.com
Wed May 6 22:58:49 UTC 2015
I have still been trying to get peek and splice to work. Specifically I
want to allow the admins of our firewall distro to enter websites that they
do not want to bump on the squid UI page. I have been fiddling with info
that Amos and Nathan have provided me but with no success so far. Here is a
snippet of squid.conf with most of the pertinent SSL configuration.
http_access allow localhostgreen
http_access allow CONNECT localhostgreen
# http_port and https_port
#----------------------------------------------------------------------------
http_port 192.168.100.1:800 intercept
https_port 192.168.100.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
http_port 127.0.0.1:800 intercept
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /var/smoothwall/mods/proxy/libexec/bumphelper
acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2
ssl_bump none localhostgreen
ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
These were provided by Nathan to try. He also provided an example helper
script in python to try, but our distro doesn't grok python so I tried to
get it translated to perl and this is what I came up with.
#!/usr/bin/perl
use strict;
use warnings;

# Autoflush: Squid reads each reply over a pipe and waits for it, so a
# reply left in the stdio buffer never reaches Squid and the connection hangs.
$| = 1;

# run loop until an empty read, which indicates the process should shut down.
while (<STDIN>)
{
    # concurrent helper: first field is the channel id, second is the SNI
    my ($concurrency_id, $sni) = split;
    if (defined $sni && $sni eq 'wellsfargo.com')
    {
        print "$concurrency_id OK\n";
    }
    else
    {
        print "$concurrency_id ERR\n";
    }
}
When I start Squid with this configuration, the helper script "bumphelper"
gets loaded as a process along with squid and ssl_crtd. When I try to
browse any SSL websites there is no connection and it times out. HTTP
browsing is fine. When I remove those peek and splice related lines and add
"ssl_bump server-first all" back to squid conf then bumping of SSL sites is
successful.
I suspect my "bumphelper" script is not doing what I intend it to do.
Suggestions very welcome.
Stan
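The helper protocol the configuration above relies on (Squid writes "<channel-id> <sni>" lines to the helper's stdin and expects "<channel-id> OK" or "<channel-id> ERR" back, one reply per request, flushed immediately) is shown below as an added example. It is not Stan's or Nathan's code; it assumes the same external_acl_type line as in the quoted squid.conf and an exclusion file at /var/smoothwall/mods/proxy/bump_exclusions (an assumed path, overridable with the BUMP_EXCLUSIONS environment variable) that the firewall UI writes with one domain per line. It goes beyond the single-site check in the posted script: it matches parent domains (so www.wellsfargo.com matches an entry of wellsfargo.com), answers ERR when Squid passes "-" for an absent SNI, and re-reads the list when its mtime changes so UI edits take effect without restarting Squid.

```perl
#!/usr/bin/perl
# Added example helper for Squid 3.5 external_acl_type with concurrency=N.
# Not the code from the original post; paths below are assumptions.
use strict;
use warnings;

# Assumed path maintained by the firewall UI, one domain per line,
# '#' comments allowed (constructed for this example).
my $LIST = $ENV{BUMP_EXCLUSIONS} || '/var/smoothwall/mods/proxy/bump_exclusions';

# Squid reads replies over a pipe and waits for each one. Without autoflush
# the OK/ERR lines sit in the stdio buffer and every TLS connection hangs.
$| = 1;

my %exclude;
my $mtime = 0;

# (Re)load the exclusion list when the file has changed on disk.
sub load_list {
    my @st = stat($LIST) or return;       # missing file: keep current list
    return if $st[9] == $mtime;           # unchanged since last load
    $mtime = $st[9];
    %exclude = ();
    open(my $fh, '<', $LIST) or return;
    while (my $line = <$fh>) {
        $line =~ s/^\s+|\s+$//g;          # trim whitespace and newline
        next if $line eq '' || $line =~ /^#/;
        $line =~ s/\.$//;                 # normalise trailing dot
        $exclude{lc $line} = 1;
    }
    close $fh;
}

# Decide for one SNI value. Squid substitutes "-" when the ClientHello
# carried no server name, so that (and an empty field) yields ERR, i.e. the
# connection is not spliced and falls through to the "bump all" rule.
sub decide {
    my ($sni) = @_;
    return 'ERR' if !defined $sni || $sni eq '' || $sni eq '-';
    $sni = lc $sni;
    $sni =~ s/\.$//;
    # Exact match or any parent domain: www.wellsfargo.com -> wellsfargo.com
    my @labels = split /\./, $sni;
    while (@labels) {
        return 'OK' if $exclude{ join '.', @labels };
        shift @labels;
    }
    return 'ERR';
}

load_list();

# Concurrent helper loop: each request is "<channel-id> <sni>\n" and the
# reply must echo the same channel id. An empty read means Squid is
# shutting the helper down.
while (my $req = <STDIN>) {
    chomp $req;
    my ($id, $sni) = split ' ', $req, 2;
    next unless defined $id && $id ne '';
    load_list();                          # pick up UI edits without a restart
    print "$id ", decide($sni), "\n";
}
```

To check it outside Squid, pipe a few constructed requests through it, for example printf '0 www.wellsfargo.com\n1 -\n2 example.org\n' with a list file containing wellsfargo.com; the expected replies are "0 OK", "1 ERR" and "2 ERR". Matching the whole label chain rather than a substring is deliberate: a suffix test on the raw string would let notwellsfargo.com satisfy an entry of wellsfargo.com and escape bumping.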