[squid-users] Squid 3.5.10 SSL Bump whitelist domains

luizcasey at gmail.com luizcasey at gmail.com
Thu Oct 22 14:01:51 UTC 2015


Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on.

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

cache deny all < — No caching.

acl step1 at_step SslBump1 <— What is this doing ??
acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for SSL 

ssl_bump peek step1   <— Try to find server_name ?
ssl_bump splice whitelist_ssl <— Ignore whitlist_ssl domains and let it through
ssl_bump bump net_bump <— ??? This I don’t get since there is no net_bump acl ? Should this just be all ?
ssl_bump splice all <— Splice everything else that couldn’t be bumped ??

acl http proto http  <— Allow http photo
acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for http

acl https proto https  <— Allow https 
acl port_80 port 80  <— Allow port 80. Is this redundant ??
acl port_443 port 443 < — Allow port 443. Is this redundant ??

http_access allow http port_80 whitelist    <— Allow whitelisted domains on port 80 
http_access allow https port_443 whitelist_ssl <— Allow whitelisted domains on 443

http_access deny al <— Deny all 


#######LOGS

2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log squid
2015/10/22 09:41:10| Processing: cache deny all
2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
2015/10/22 09:41:10| Processing: ssl_bump peek step1
2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
2015/10/22 09:41:10| Processing: ssl_bump bump net_bump     <——— I assume again this is because no all for net_bump.
2015/10/22 09:41:10| ACL not found: net_bump
FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump
Squid Cache (Version 3.5.10): Terminated abnormally.
CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
Maximum Resident Size: 26208 KB
Page faults with physical i/o: 0


If I change "ssl_bump bump net_bump" to "ssl_bump bump all” It starts up but it still fails to allow any https through even those on the whitelist_ssl file but allows http to those domains. Not sure what I am doing wrong here.


> On Oct 21, 2015, at 8:16 PM, luizcasey at gmail.com wrote:
> 
> Alex,
> So what do you recommend to do here ? I just need a simple whitelist file for both http/https. I have a config that works on 3.4 but would like to upgrade to 3.5 and the current config we have won't cut it. Just need a simple if you are in this list allow if not deny. No need for any ssl validation or anything.
> 
>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>> 
>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>> 
>>> Working config snippet for 3.5.x looks like this:
>>> 
>>> ssl_bump peek get_sni_at_step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>> 
>> 
>> The above config leaves the following question unanswered:
>> 
>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>> step #2?
>> 
>> 
>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>> defaults are complex (and used to be broken). To answer that question
>> (instead of forcing Squid to guess the answer), add a forth catch-all
>> rule. For example, this is how the latest Squids would guess:
>> 
>> ssl_bump peek step1
>> ssl_bump splice spliced_hosts
>> ssl_bump bump net_bump
>> ssl_bump splice all
>> 
>> 
>> If spliced_hosts ACL negation works reliably, then the above is
>> equivalent to:
>> 
>> ssl_bump peek step1
>> ssl_bump bump !spliced_hosts net_bump
>> ssl_bump splice all
>> 
>> but I recommend avoiding ACL negation in the actual rules.
>> 
>> 
>> Finally, please make sure your http_access rules correctly handle
>> CONNECT requests (real for forwarded connections and fake ones for
>> intercepted connections). This may be difficult to do right now due to
>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>> 
>> 
>> HTH,
>> 
>> Alex.
>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>> that ACL itself does not know anything about SNI and does not force
>> Squid to get SNI.



More information about the squid-users mailing list