[squid-users] HTTPS Content Filtering without de-crypting traffic?
James Lay
jlay at slave-tothe-box.net
Wed Jan 27 16:33:16 UTC 2016
On 2016-01-26 15:59, Panda Admin wrote:
> Hello,
>
> I am attempting to terminate HTTPS traffic based on ACLs using ssl_bump WITHOUT decrypting the traffic in intercept/transparent mode. Has anyone got this to work before? I have copied my configuration and what my iptables nat rules look like.
>
> I am using squid 3.5.13 with the following compile options:
>
> Squid Cache: Version 3.5.12
> Service Name: squid
> configure options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--datadir=/share/squid3' '--sysconfdir=/etc/squid3' '--with-default-user=proxy' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-openssl' '-enable-ssl-crtd' '--enable-icap-client' '--with-large-files' --enable-ltdl-convenience
>
> squid.conf:
>
> acl social dstdomain .google.com .facebook.com .reddit.com
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump stare step2 all
> ssl_bump terminate social
> acl localnet src 192.168.50.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 3128 transparent
> https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
> cache_dir ufs /cache/squid3/spool 100 16 256
> access_log syslog:local5.info squid
> coredump_dir /var/spool/squid3
> url_rewrite_program /usr/bin/squidGuard -c /cache/config/daemons/squidguard/squidGuard.conf
> url_rewrite_children 15
> url_rewrite_access allow all
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> iptables -L -v -t nat(only relevant rules):
>
> Chain PREROUTING (policy ACCEPT 1083 packets, 233K bytes)
>  pkts bytes target prot opt in   out source   destination
>   157  9420 DNAT   tcp  --  eth1 any anywhere anywhere    tcp dpt:https to:192.168.11.1:3129
>
> Chain PREROUTING-daemon-tcp (1 references)
>  pkts bytes target prot opt in   out source   destination
>   443 26580 DNAT   tcp  --  eth1 any anywhere anywhere    tcp dpt:http /* 7:PFD::CF-3128 */ to:192.168.11.1:3128
>     0     0 DNAT   tcp  --  eth2 any anywhere anywhere    tcp dpt:http /* 8:PFD::CF-3128 */ to:172.17.0.1:3128
>
> Right now I can't get it to terminate ANY https traffic. All it does is allow it through.
> Any and all help would be greatly appreciated!
>
> ~ Extremely Confused Squid User ~
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Read:
http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
I'm doing exactly what you're wanting.
James
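Editor's added example, not the original poster's configuration, not James's, and not copied from the thread he links: the rule set that terminates selected HTTPS sites on an intercepted port without decrypting anything. It keeps the poster's https_port line and site list; the ACL name blocked_tls is mine. The security-relevant point is the SslBump step model: on an intercepted connection Squid knows only the destination IP at SslBump1, so a dstdomain ACL evaluated there has no hostname to match, and because the posted config lists `stare step2 all` before `terminate social`, the terminate rule is never consulted at step 2 either. A `peek` at step 1 reads the client's TLS ClientHello, SNI included, without Squid ever negotiating TLS itself; from then on ssl::server_name can drive `terminate` (close both sides) or `splice` (tunnel unchanged). Neither action decrypts application data.

```conf
# Added example: terminate selected HTTPS sites in intercept mode without
# decrypting.  Not the poster's, James's, or the linked thread's config.

# --- the posted rules, kept here for contrast ---
# acl social dstdomain .google.com .facebook.com .reddit.com
# acl step1 at_step SslBump1
# acl step2 at_step SslBump2
# ssl_bump stare step2 all     # matches first at step 2, so terminate is never reached
# ssl_bump terminate social    # at step 1 an intercepted connection has only a dst IP

# --- corrected rule set ---
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name matches the name Squid has learned for the server; after a
# step-1 peek that is the client's SNI.  A leading dot matches subdomains, as
# with dstdomain.  (ACL name blocked_tls is my own.)
acl blocked_tls ssl::server_name .google.com .facebook.com .reddit.com

# Step 1: read the ClientHello (SNI) without terminating TLS.
ssl_bump peek step1
# Step 2: close the connections we want to block, tunnel everything else
# byte-for-byte.  Make the catch-all explicit rather than relying on the
# default when no rule matches.
ssl_bump terminate blocked_tls
ssl_bump splice all

# Stricter variant: SNI is client-supplied and unauthenticated, so a client
# can omit or forge it.  Peeking again at step 2 lets ssl::server_name also
# see the server certificate before the decision is made at step 3.  After a
# step-2 peek only splice and terminate remain possible, which is all this
# policy needs.  Replace the four ssl_bump lines above with:
# acl step3 at_step SslBump3
# ssl_bump peek step1
# ssl_bump peek step2
# ssl_bump terminate blocked_tls
# ssl_bump splice all

# Ports, as in the posted config.  https_port needs a cert= to start, but with
# peek/splice/terminate Squid never presents it to a client.  "transparent" is
# the deprecated spelling of "intercept" in 3.5.
https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
http_port 3128 intercept
```

To check it, run `openssl s_client -connect www.facebook.com:443 -servername www.facebook.com` from a host behind eth1: a terminated site fails during the handshake with no certificate presented, while a spliced site completes the handshake and shows the origin's real certificate, which is the evidence that nothing was bumped. The stricter variant relies on ssl::server_name also matching the server certificate's subject names once Squid has seen the server's handshake, which is how the ACL is documented; confirm that on your build before depending on it.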