[squid-users] Squid 3.5.19 how to find banking server name for no bump
Stanford Prescott
stan.prescott at gmail.com
Tue Jun 28 23:47:47 UTC 2016
When I enter .wellsfargo.com in
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
it appears that the banking site is still getting bumped, i.e. like in this
access.log snippet:
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774 75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513 98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
1467156895.664 82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
1467156895.920 250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
1467156896.061 79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.837 5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.838 5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.838 5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836 5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156900.837 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
1467156900.837 5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
1467156900.838 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838 5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
If I disable sslbumping then the bank site does not get bumped, of course.
1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET
http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
Here is my squid.conf with bumping enabled.
visible_hostname smoothwall
# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9
# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
# ----------------------------------------------------------------
http_access allow SWE_subnets
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen
# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
http_port 127.0.0.1:800 intercept
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
http_access deny all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 100
cache_swap_low 80
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir aufs /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB
# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
logfile_rotate 0
strip_query_terms off
On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> > I have the proper peek and splice and bump configuration of acls setup in
> > my squid.conf file for no-bump of some web sites. I need help how to
> enter
> > the banking hosts and or server names in a way that the peek and splice
> > configuration will determine it is a banking site that I don't want
> bumped.
> >
> > For example, if a user enters www.wellsfargo.com for online banking my
> > current config still bumps wellsfargo.com. What would I need to enter
> for
> > wellsfargo.com so that banking server will not be bumped?
> >
>
> Depends on what you mean by "enter".
>
> Are you asking for the ACL value?
> .wellsfargo.com
>
> Are you asking for the ACL definition?
> acl banks ssl::server_name .wellsfargo.com
>
> Or are you asking for a whole SSL-Bump configuration example?
> <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
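As an added example (not part of the thread and not Squid's own code), a small Python checker that reads access.log lines in Squid's native format and reports, per TLS host, whether the connection was spliced (a TCP_TUNNEL CONNECT that carries the server name Squid peeked) or bumped (decrypted https:// requests logged under that host), so the effect of an ssl_bump splice rule can be verified from the log rather than by eye. The sample lines are constructed, and matches_domain reproduces the leading-dot matching of ssl::server_name values as an assumption about its semantics.

```python
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not the
# poster's real log): a spliced bank connection and a bumped ad request.
SAMPLE_LOG = """\
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/x - ORIGINAL_DST/216.58.194.98 image/gif
"""

# Field order of Squid's native log format.
FIELDS = ("ts", "dur", "client", "result", "size", "method", "url", "user", "hier", "mime")

def parse_line(line):
    """Split one native-format line into a dict, or None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], _, rec["status"] = rec["result"].partition("/")
    return rec

def matches_domain(host, acl_value):
    """Assumed ssl::server_name semantics: '.example.com' matches the bare
    domain and every subdomain; a value without a leading dot matches exactly."""
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value

def classify(log_text):
    """Return {host: 'spliced' | 'bumped'} for every TLS host seen in the log.
    A CONNECT logged as TCP_TUNNEL names the peeked server and means the
    connection was spliced; a decrypted https:// request (GET, POST, ...)
    logged under a host means that host was bumped. A bumped connection that
    carried no request is not attributed to any host."""
    outcome = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT" and rec["code"] == "TCP_TUNNEL":
            outcome[rec["url"].rsplit(":", 1)[0]] = "spliced"
        elif rec["method"] != "CONNECT" and rec["url"].startswith("https://"):
            outcome[urlsplit(rec["url"]).hostname] = "bumped"
    return outcome

def bumped_hosts_for(log_text, acl_value):
    """Hosts matching the ACL value that were bumped despite a splice rule."""
    return sorted(h for h, o in classify(log_text).items()
                  if o == "bumped" and matches_domain(h, acl_value))
```

Run bumped_hosts_for over a real access.log with the ACL value from the splice rule; an empty list means no host covered by that value was decrypted.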