[squid-users] Safesearch: blocking Google images error

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 4 19:09:50 UTC 2015


On 5/09/2015 5:48 a.m., Stanford Prescott wrote:
> I have tried to enable safe searching with Squid 3.5.7 using ssl-bump
> splice but when I enable it, browsing to https://google.com generates a
> Squid error page saying there is no valid certificate. Browsing to all
> other https sites loads the pages correctly and all other SSL-bump sites
> get bumped and displayed correctly.
> 
> Has anyone had any luck getting this to work? Here are the relevant
> squid.conf entries:
> 

Please use 3.5.8. The ssl_bump behaviour got some more important fixes
recently.


> 
> acl s1_tls_connect at_step SslBump1
> acl s2_tls_client_hello at_step SslBump2
> acl s3_tls_server_hello at_step SslBump3
> 
> acl tls_server_name_is_ip ssl::server_name_regex \
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n

You have a letter 'n' on the end there, is that intentional?

> 
> acl google ssl::server_name .google.com
> ssl_bump peek s1_tls_connect all
> 
> acl nobumpSites ssl::server_name .wellsfargo.com
> 
> ssl_bump splice s2_tls_client_hello nobumpSites
> ssl_bump splice s2_tls_client_hello google
> 
> ssl_bump stare s2_tls_client_hello all
>
> ssl_bump bump s3_tls_server_hello all
> 
> cache_peer forcesafesearch.google.com parent 443 0 \
> ssl name=GS originserver \
> no-query no-netdb-exchange no-digest
> 
> acl search dstdomain .google.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all

I think the fake-CONNECT Squid creates still has only raw-IP:port
details. And with splicing you don't have the decrypt to set up dstdomain
URL details.

For dstdomain you need to match what shows up in access.log as the URI
of these requests.

Does the "google" ACL work in cache_peer_access to use the SNI?


> 
> sslproxy_cert_error allow tls_server_name_is_ip
> 
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
> 

The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
security on the outgoing server connection when going DIRECT (not to the
cache_peer). That makes the sslproxy_cert_error rules useless.


Amos
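To act on the advice above about matching what access.log shows as the URI, here is an added example (not from the thread or the Squid project) that parses constructed access.log lines in Squid's default log format and reports which request hosts a given dstdomain pattern would match. The raw-IP handling is a simplification noted in the code; Squid itself would attempt a reverse DNS lookup first.

```python
"""Check which request hosts in a Squid access.log a dstdomain ACL would match.

Added example for the squid-users thread; not code from Squid or the posters.
The log lines below are constructed samples in the default "squid" log format.
"""
import ipaddress
import re

# Constructed sample lines. Default format fields:
# time elapsed client result/status bytes method URI user hierarchy/peer type
SAMPLE_LOG = """\
1441393500.101    245 192.168.1.10 TCP_TUNNEL/200 3456 CONNECT 216.58.216.142:443 - ORIGINAL_DST/216.58.216.142 -
1441393501.202    180 192.168.1.10 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 - ORIGINAL_DST/216.58.216.142 -
1441393502.303     90 192.168.1.11 TCP_MISS/200 2048 GET https://www.google.com/search?q=squid - HIER_DIRECT/216.58.216.142 text/html
1441393503.404    120 192.168.1.12 TCP_TUNNEL/200 1024 CONNECT online.wellsfargo.com:443 - ORIGINAL_DST/151.151.14.40 -
"""

LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<uri>\S+)"
)


def uri_host(method, uri):
    """Return the host part of the logged URI, as dstdomain would see it."""
    if method == "CONNECT":                       # CONNECT logs host:port
        return uri.rsplit(":", 1)[0].strip("[]")  # strip IPv6 brackets
    m = re.match(r"^[a-z]+://([^/:]+)", uri)      # scheme://host[:port]/path
    return m.group(1) if m else None


def dstdomain_matches(pattern, host):
    """Squid dstdomain semantics: '.example.com' matches the domain and every
    subdomain; a pattern without a leading dot matches only that exact host.
    Simplification: a raw-IP host is reported as a non-match here, whereas
    Squid would first try a reverse DNS lookup on it before giving up."""
    host, pattern = host.lower(), pattern.lower()
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def matched_hosts(log_text, pattern):
    """Return (host, matched) for every parsable request line in the log."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        host = uri_host(m.group("method"), m.group("uri")) if m else None
        if host is not None:
            out.append((host, dstdomain_matches(pattern, host)))
    return out


if __name__ == "__main__":
    for host, ok in matched_hosts(SAMPLE_LOG, ".google.com"):
        print(f"{'match   ' if ok else 'no match'}  {host}")
```

Running it against a real access.log shows directly whether spliced CONNECT requests are logged by name or by raw IP, which decides whether a dstdomain-based cache_peer_access rule can ever apply to them.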