[squid-users] Squid Peek/Splice some issues
Eliezer Croitoru
eliezer at ngtech.co.il
Tue Jun 21 07:02:22 UTC 2016
Hey Ahmad,
Since these apps are having issues, it means that Squid or they are broken, or … both.
The basic issue is that from one side you want to intercept while you don't want to break the passing traffic.
Squid's task is to work with every piece of the OS and the traffic, including parsing and "understanding" the passing traffic.
The issue is that currently (3.5) Squid doesn't have any way to not break HTTPS once it was intercepted and was unwrapped.
The deeper issue is that many applications are using HTTP+HTTPS in a way that needs a couple of twists and causes security complications.
It would be kind of "simple" to resolve the issue by bypassing Squid SSL unwrapping.
If you don't care about security and you care more about caching what is possible and not caching "everything", this is the right solution.
It is possible to use a technique which will collect information about the destination HOST being a valid HTTPS service before splicing, but...
It has its own overheads, but if you care less about caching and more about the service then it's the right solution.
Just to illustrate, an ACL and filtering proxy will be pretty "simple" compared to one with caching overheads, since all the resources would be dedicated to the actual decision part of the service rather than the disk IO and cached objects DB lookups.
From what I remember, Squid 4 is supposed to have a basic option that will differentiate between STANDARD HTTPS and other protocols.
I have not tested it yet, but I am still processing 4 ideas in general.
Eliezer
----
<http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of --Ahmad--
Sent: Tuesday, June 21, 2016 12:43 AM
To: Squid Users
Subject: [squid-users] Squid Peek/Splice some issues
Hi,
I have Squid that is working on 3.5.
Traffic on ports 80 and 443 goes to Squid via IPTables.
Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic and PKI has been set up and distributed to all clients.
We have a problem with Skype for Business (Office 365) and Slack (chat app); it seems they are broken by the Squid intercept.
Current versions we have:
* Squid 3.5.19
* C-ICAP 0.4.2
* SquidclamAV 6.15
* ClamAV 0.99.2
=====================
Here is squid.conf:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager
# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept
coredump_dir /var/cache/squid
visible_hostname test1
cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log
cache_effective_user squid
cache_effective_group squid
icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
acl test-header dstdomain test.com
request_header_add X-TEST-GUID TEST test-header
#Custom Error Pages
error_directory /opt/www/squid
# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1
=======================================================
I think the best is to set up ACLs to bypass the interception for these applications like Skype for Business (Office 365) and Slack (chat app).
Thank you
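The thread discusses two things: Eliezer's point that a connection should be checked before it is spliced, and Ahmad's plan to use ACLs so that certain applications are not unwrapped at all. Below is an added example of how that decision can be made per connection with Squid's external ACL helper protocol; it is not code from the thread or from the Squid project. It assumes Squid 3.5's peek/splice `ssl_bump` steps and the `%ssl::>sni` format code for `external_acl_type` (the wiring is shown in the docstring); the hostname list and the helper path are placeholders.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: decide whether a TLS connection should be
spliced (passed through untouched) or bumped, based on the client's SNI.

Added example, not Squid's own code. Assumed Squid 3.5 wiring (squid.conf):

  acl step1 at_step SslBump1
  external_acl_type sni_policy ttl=300 concurrency=10 %ssl::>sni \
      /usr/local/bin/sni_policy.py
  acl nobump external sni_policy
  ssl_bump peek step1
  ssl_bump splice nobump
  ssl_bump bump all

Protocol (Squid external_acl_type): one request per line; with concurrency=N
the first token is a channel ID that must be echoed back; the helper answers
"OK" (ACL matches -> splice) or "ERR" (no match -> bump the connection).
"""
import sys
from urllib.parse import unquote

# Illustrative list only: replace with the vendor-published hostnames for the
# services that must be left alone (e.g. Office 365 / Slack endpoints).
# Leading dot follows the dstdomain convention: the domain and its subdomains.
SPLICE_SUFFIXES = (
    ".slack.com",
    ".example-sfb.test",   # placeholder for Skype for Business endpoints
)


def should_splice(sni, suffixes=SPLICE_SUFFIXES):
    """True when the SNI equals, or is a subdomain of, a listed suffix.

    A missing SNI (Squid sends "-") can never be matched against the list,
    so the connection falls through to the default "bump" rule.
    """
    if not sni or sni == "-":
        return False
    host = sni.lower().rstrip(".")
    for suffix in suffixes:
        bare = suffix.lstrip(".").lower()
        if host == bare or host.endswith("." + bare):
            return True
    return False


def handle_line(line, suffixes=SPLICE_SUFFIXES):
    """Turn one request line from Squid into the reply line Squid expects."""
    parts = line.strip().split()
    if not parts:
        return "ERR"
    channel = ""
    if parts[0].isdigit():            # concurrency channel ID, echoed back
        channel = parts.pop(0) + " "
    sni = unquote(parts[0]) if parts else "-"   # Squid %-encodes values
    verdict = "OK" if should_splice(sni, suffixes) else "ERR"
    return f"{channel}{verdict}"


def main():
    # Squid keeps the helper running and waits for one reply per request,
    # so every answer must be flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the helper answers only from the SNI seen at step 1, a client that sends no SNI cannot be matched and is bumped like everything else; the `ttl=300` in the assumed wiring lets Squid cache each verdict so the helper is not consulted on every connection.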