[squid-users] Squid, Gmail.com and HSTS.

Michael Monette mmonette at 2keys.ca
Wed May 27 16:23:33 UTC 2015


I just thought of something else. First of all I'm new to squid and I am not aware of 10% of the things it's capable of yet, so I will ask.

Is squid capable of adding custom SNIs? Like could I have it so gmail.com is added to the certificate as a subject alternate name EVEN though the original certificate doesn't contain it? If such a thing is possible I would love to know the term for it so I can do some searches. 

Appreciate it!

On May 27, 2015 12:15:37 PM EDT, Michael Monette <mmonette at 2keys.ca> wrote:
>Has anyone been able to configure Squid in a way so that if you type
>https://gmail.com in your browser, you are NOT presented with the "OMG
>HSTS I refuse to load anything" page? When I go to https://gmail.com, I
>get an invalid certificate because the cert is for mail.google.com,
>issued by my CA. If I go to https://mail.google.com, the cert is
>beautifully green. Why can't squid detect that gmail.com is redirecting
>my browser to mail.google.com and generate the cert accordingly?
>
>Even configuring an acl for gmail.com doesn't work. It seems like even
>though I am punching https://gmail.com in my browser, Squid detects it
>as though I am typing "https://mail.google.com" in my browser and is
>ignoring any ACLs I have set up specifically for "gmail.com".
>
>I can't be the only one with this issue?
>
>
>
>I've also attempted to do:
>
>acl bl1 gmail.com moz.com
>always_direct allow bl1 <- from what I understand this bypasses squid
>and tells my browser to get the cert right from the site. Maybe I am
>wrong.
>
>But certificates still come from Squid, so I don't see any effect from
>that line.
>
>Here's my config, lots of garbage in there since I have been trying
>everything I can think of to get this working. I want to add that for
>my acl called BL1, the only one that works is moz.com . They are part
>of the same ACL line, so if one works, they should all work. Except
>they do not.
>
>Thanks in advance.
>
>cat /etc/squid/squid.conf
>
>~~
>
>debug_options ALL,9
>
>acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
>acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
>acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
>acl localnet src fc00::/7       # RFC 4193 local private network range
>acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
>acl SSL_ports port 443
>acl Safe_ports port 80		# http
>acl Safe_ports port 21		# ftp
>acl Safe_ports port 443		# https
>acl Safe_ports port 70		# gopher
>acl Safe_ports port 210		# wais
>acl Safe_ports port 1025-65535	# unregistered ports
>acl Safe_ports port 280		# http-mgmt
>acl Safe_ports port 488		# gss-http
>acl Safe_ports port 591		# filemaker
>acl Safe_ports port 777		# multiling http
>acl CONNECT method CONNECT
>
>
>http_access deny !Safe_ports
>
>http_access deny CONNECT !SSL_ports
>
>http_access allow localhost manager
>http_access deny manager
>
>acl step1 at_step SslBump1
>acl step2 at_step SslBump2
>acl step3 at_step SslBump3
>
>ssl_bump peek step1 all
>ssl_bump bump step2 all
>ssl_bump bump step3 all
>
>acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com
>#acl bl1 url_regex -i ^http(s)?://gmail.com
>#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.*
>#acl bl3 url_regex -i ^http(s)?://moz.com.*
>#acl bl4 url_regex -i moz.com
>deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless.
>http_reply_access deny bl1 # useless
>#http_access deny bl1 
>#http_access deny bl1 CONNECT
>
>http_access allow localnet
>http_access allow localhost
>
>http_access allow all
>
>http_port 3128 accel vhost allow-direct
>
>#https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
>https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
>
>sslproxy_cert_error allow all
>sslproxy_flags DONT_VERIFY_PEER
>
>sslproxy_options NO_SSLv2
>sslproxy_options NO_SSLv3
>
>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>sslcrtd_children 8 startup=1 idle=1
>
>#cache_dir ufs /var/spool/squid 100 16 256
>coredump_dir /var/spool/squid
>
>refresh_pattern ^ftp:		1440	20%	10080
>refresh_pattern ^gopher:	1440	0%	1440
>refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
>refresh_pattern .		0	20%	4320
>
>
>Mike
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
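The "invalid certificate" the browser shows for https://gmail.com is the hostname check failing: the requested host must match a dNSName in the certificate's Subject Alternative Name list, and HSTS only makes that failure non-overridable. As an added example (not from this thread or from Squid), here is that RFC 6125-style match on constructed SAN lists; the SAN entries are made up for illustration, not Google's real certificates.

```python
# RFC 6125-style hostname matching against a certificate's SAN dNSName list.
# Added example for illustration; all SAN lists below are constructed.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName pattern against a requested hostname.

    Rules applied (as browsers do): case-insensitive, trailing dot ignored;
    a '*' is only accepted as the entire left-most label, matches exactly
    one label, and needs at least two fixed labels to its right, so
    '*.google.com' covers 'mail.google.com' but not 'gmail.com' or
    'a.b.google.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # e.g. 'm*.google.com' or '*.com'
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard only in the first label
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False                      # '*' matches exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(host: str, san_dns_names: list) -> bool:
    """True if any SAN dNSName entry covers the requested host."""
    return any(dns_name_matches(p, host) for p in san_dns_names)


# Constructed SAN lists: a mimicked cert that lacks gmail.com, and one that has it.
MIMICKED_CERT_SANS = ["mail.google.com", "*.google.com"]
CERT_WITH_GMAIL_SANS = ["mail.google.com", "gmail.com", "*.gmail.com"]


def explain(host: str, sans: list) -> str:
    verdict = "OK" if hostname_matches_cert(host, sans) else "NAME MISMATCH"
    return f"{host}: {verdict} against SANs {sans}"


if __name__ == "__main__":
    for h in ("gmail.com", "mail.google.com", "accounts.google.com", "a.b.google.com"):
        print(explain(h, MIMICKED_CERT_SANS))
```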