[squid-users] Squid 3.5.19 how to find banking server name for no bump
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Jun 29 07:57:10 UTC 2016
Hey,
I have seen that you are using Squid in intercept mode either on Linux or some BSD.
If there is a site/server that you don't want to enter Squid at all, you will need to bypass it at the FW/iptables level.
On Linux you would be able to use an ipset list that is bypassed from being intercepted.
If you are interested, reply and I will try to give you an example of how to use it.
Eliezer
----
<http://ngtech.co.il/lmgtfy/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Stanford Prescott
Sent: Wednesday, June 29, 2016 2:56 AM
To: Amos Jeffries
Cc: squid-users
Subject: Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump
I forgot to mention, I am using squid 3.5.19
On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.prescott at gmail.com> wrote:
When I enter .wellsfargo.com in
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
it appears that the banking site is still getting bumped, i.e. like in this access.log snippet
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774 75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875 112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109 308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513 98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
1467156895.664 82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
1467156895.920 250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
1467156896.061 79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.837 5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.838 5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.838 5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836 5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156900.837 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
1467156900.837 5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
1467156900.838 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838 5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
If I disable sslbumping then the bank site does not get bumped, of course.
1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
Here is my squid.conf with bumping enabled.
visible_hostname smoothwall
# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9
# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
# ----------------------------------------------------------------
http_access allow SWE_subnets
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen
# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
http_port 127.0.0.1:800 intercept
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
http_access deny all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 100
cache_swap_low 80
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir aufs /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB
# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
logfile_rotate 0
strip_query_terms off
On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> I have the proper peek and splice and bump configuration of acls setup in
> my squid.conf file for no-bump of some web sites. I need help how to enter
> the banking hosts and or server names in a way that the peek and splice
> configuration will determine it is a banking site that I don't want bumped.
>
> For example, if a user enters www.wellsfargo.com for online banking my
> current config still bumps wellsfargo.com. What would I need to enter for
> wellsfargo.com so that banking server will not be bumped?
>
Depends on what you mean by "enter".
Are you asking for the ACL value?
.wellsfargo.com
Are you asking for the ACL definition?
acl banks ssl::server_name .wellsfargo.com
Or are you asking for a whole SSL-Bump configuration example?
<http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
Amos
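As an added example that is not code from this thread: a Python check over access.log lines shaped like the snippet Stanford posted. A CONNECT logged as TCP_TUNNEL is a spliced tunnel carrying the SNI Squid peeked at step 2, whereas a decrypted GET/POST https:// request line against the same ORIGINAL_DST peer can only appear if that connection was bumped; the parser groups both per origin IP and reports any host matching a splice ACL value such as .wellsfargo.com that was bumped anyway. The sample lines are constructed and the helper names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the access.log snippet in the thread
# (native format: time elapsed client code/status bytes method url user hier/peer type).
SAMPLE_LOG = """\
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) +(?P<ms>\d+) +(?P<client>\S+) +(?P<code>[A-Z_]+)/(?P<status>\d+) +(?P<bytes>\d+)"
    r" +(?P<method>\S+) +(?P<url>\S+) +(?P<user>\S+) +(?P<hier>\S+)/(?P<peer>\S+) +(?P<ctype>\S+)$"
)


def classify(log_text):
    """Map each origin server IP to the SNI hosts spliced to it and the hosts bumped through it."""
    result = defaultdict(lambda: {"spliced": set(), "bumped": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a native-format access.log entry
        if m["method"] == "CONNECT" and m["code"] == "TCP_TUNNEL":
            # Spliced: Squid relays the TLS bytes untouched and logs the SNI it peeked at step 2.
            result[m["peer"]]["spliced"].add(m["url"].rsplit(":", 1)[0])
        elif m["url"].startswith("https://"):
            # A decrypted https:// request line can only appear if the CONNECT to this
            # peer was bumped, so the request host is recorded as bumped.
            result[m["peer"]]["bumped"].add(m["url"].split("/")[2])
    return dict(result)


def bumped_under(log_text, domain):
    """Hosts that a Squid ACL value like '.wellsfargo.com' would match but that were bumped."""
    bare = domain.lstrip(".")
    hits = set()
    for info in classify(log_text).values():
        hits |= {h for h in info["bumped"] if h == bare or h.endswith("." + bare)}
    return hits


if __name__ == "__main__":
    for peer, info in sorted(classify(SAMPLE_LOG).items()):
        print(peer, "spliced:", sorted(info["spliced"]), "bumped:", sorted(info["bumped"]))
    print("bumped hosts under .wellsfargo.com:", bumped_under(SAMPLE_LOG, ".wellsfargo.com") or "none")
```

Run it against a real access.log (with `strip_query_terms off`, as in the config above, the URL field keeps its full query string and still parses as a single non-space token).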
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org <mailto:squid-users at lists.squid-cache.org>
http://lists.squid-cache.org/listinfo/squid-users