[squid-users] Squid 3.5.10 SSL Bump whitelist domains
Yuri Voinov
yvoinov at gmail.com
Thu Oct 22 14:08:57 UTC 2015
BTW - you omit many important settings from squid.conf.default. Your configuration is so dangerous.
22.10.15 20:01, luizcasey at gmail.com writes:
> Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on.
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 intercept
>
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
>
> cache deny all <— No caching.
>
> acl step1 at_step SslBump1 <— What is this doing ??
> acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" <— Create whitelist for SSL
>
> ssl_bump peek step1 <— Try to find server_name ?
> ssl_bump splice whitelist_ssl <— Ignore whitelist_ssl domains and let it through
> ssl_bump bump net_bump <— ??? This I don't get since there is no net_bump acl ? Should this just be all ?
> ssl_bump splice all <— Splice everything else that couldn't be bumped ??
>
> acl http proto http <— Allow http proto
> acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains" <— Create whitelist for http
>
> acl https proto https <— Allow https
> acl port_80 port 80 <— Allow port 80. Is this redundant ??
> acl port_443 port 443 <— Allow port 443. Is this redundant ??
>
> http_access allow http port_80 whitelist <— Allow whitelisted domains on port 80
> http_access allow https port_443 whitelist_ssl <— Allow whitelisted domains on 443
>
> http_access deny all <— Deny all
>
>
> #######LOGS
>
> 2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log squid
> 2015/10/22 09:41:10| Processing: cache deny all
> 2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
> 2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
> 2015/10/22 09:41:10| Processing: ssl_bump peek step1
> 2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
> 2015/10/22 09:41:10| Processing: ssl_bump bump net_bump <——— I assume again this is because no all for net_bump.
> 2015/10/22 09:41:10| ACL not found: net_bump
> FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump
> Squid Cache (Version 3.5.10): Terminated abnormally.
> CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
> Maximum Resident Size: 26208 KB
> Page faults with physical i/o: 0
>
>
> If I change "ssl_bump bump net_bump" to "ssl_bump bump all" it starts up, but it still fails to allow any https through, even those in the whitelist_ssl file, while it allows http to those domains. Not sure what I am doing wrong here.
>
>
>> On Oct 21, 2015, at 8:16 PM, luizcasey at gmail.com wrote:
>>
>> Alex,
>> So what do you recommend to do here ? I just need a simple whitelist file for both http/https. I have a config that works on 3.4 but would like to upgrade to 3.5 and the current config we have won't cut it. Just need a simple if you are in this list allow if not deny. No need for any ssl validation or anything.
>>
>>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>>
>>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>>>
>>>> Working config snippet for 3.5.x looks like this:
>>>>
>>>> ssl_bump peek get_sni_at_step1
>>>> ssl_bump splice spliced_hosts
>>>> ssl_bump bump net_bump
>>>
>>>
>>> The above config leaves the following question unanswered:
>>>
>>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>>> step #2?
>>>
>>>
>>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>>> defaults are complex (and used to be broken). To answer that question
>>> (instead of forcing Squid to guess the answer), add a fourth catch-all
>>> rule. For example, this is how the latest Squids would guess:
>>>
>>> ssl_bump peek step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>>> ssl_bump splice all
>>>
>>>
>>> If spliced_hosts ACL negation works reliably, then the above is
>>> equivalent to:
>>>
>>> ssl_bump peek step1
>>> ssl_bump bump !spliced_hosts net_bump
>>> ssl_bump splice all
>>>
>>> but I recommend avoiding ACL negation in the actual rules.
>>>
>>>
>>> Finally, please make sure your http_access rules correctly handle
>>> CONNECT requests (real for forwarded connections and fake ones for
>>> intercepted connections). This may be difficult to do right now due to
>>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>>> that ACL itself does not know anything about SNI and does not force
>>> Squid to get SNI.
>
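Both failures this thread turns on, an ssl_bump rule naming an ACL that was never defined (Squid's "ACL not found" abort) and an ssl_bump list whose last rule is not a catch-all (the fourth rule Alex recommends), can be caught before Squid is started. The following is an added example, not code from the thread or from the Squid project; `lint_squid_conf`, `BUILTIN_ACLS` and the constructed `SAMPLE_CONF` are my own names, and the only assumption about Squid is that 3.x predefines the `all` ACL.

```python
import shlex

# Assumption: Squid 3.x predefines the 'all' ACL, so it never needs an acl line.
BUILTIN_ACLS = {"all"}
RULE_DIRECTIVES = {"ssl_bump", "http_access"}

def lint_squid_conf(text):
    """Return [(line_no, message)] findings for the squid.conf text given."""
    defined = set(BUILTIN_ACLS)
    findings = []
    ssl_bump_rules = []                      # (line_no, [acl names]) in config order
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)            # keeps quoted file paths as one word
        directive = words[0]
        if directive == "acl" and len(words) >= 3:
            defined.add(words[1])            # acl NAME TYPE ARG...
        elif directive in RULE_DIRECTIVES and len(words) >= 3:
            # ssl_bump ACTION ACL...   /   http_access allow|deny ACL...
            acls = [w.lstrip("!") for w in words[2:]]   # '!' negates the same ACL
            for name in acls:
                if name not in defined:      # what makes Squid abort: "ACL not found"
                    findings.append((no, f"ACL not found: {name}"))
            if directive == "ssl_bump":
                ssl_bump_rules.append((no, acls))
    # Alex's point: the last ssl_bump rule should match everything, or Squid guesses.
    if ssl_bump_rules and ssl_bump_rules[-1][1] != ["all"]:
        findings.append((ssl_bump_rules[-1][0], "last ssl_bump rule is not a catch-all"))
    return findings

# Constructed sample mirroring the config posted in the thread (not a real file).
SAMPLE_CONF = """\
acl step1 at_step SslBump1
acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump bump net_bump
ssl_bump splice all
acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains"
http_access allow whitelist
http_access deny al
"""

if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"squid.conf line {no}: {msg}")
```

Run against the sample it reports the undefined `net_bump` on line 5 and the `al` typo on line 9, the first of which is exactly where the posted log shows Squid terminating.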