[squid-users] intercepting tcp/443 purely for logging purposes
Jason Haar
jason_haar at trimble.com
Sun Mar 20 21:29:18 UTC 2016
Hi there

I'm wanting to use TLS intercept to just log (well OK, and potentially
block) HTTPS sites based on hostnames (from SNI), but have had problems
even in peek-and-splice mode. So I'm willing to compromise and instead just
intercept that traffic, log it, block on IP addresses if need be, and not
use ssl-bump beyond that.

So far the following seems to work perfectly, can someone confirm this is
"supported" - ie that I'm not relying on some bug that might get fixed
later? ;-)

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https
acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites

The "bug" comment comes down to how acl seems to work. I half-expected the
above not to work - but it does. It would appear squid will treat an
intercept's dst IP as the "dns name" as that's all it's got - so
"dstdomain" works fine for both CONNECT and intercept IFF the acl contains
IP addresses.

I was hoping I wouldn't need ssl-bump at all, but you need squid to be
running a https_port, and for it to support "intercept", and to do that
squid insists on "ssl-bump" too - although that seems likely to have been a
programmer assumption that didn't include people like me doing mad things
like this? :-). I'd also guess I don't need 32 children/etc - 1 would
suffice as it's never used?

So the end result is that all CONNECT and/or intercept SSL/TLS traffic is
supported via the proxy, with all TLS security decisions residing on the
client. I get my logs, and if I want to block some known bad IP address, I
can: CONNECT causes a 403 HTTP error page and intercept basically ditches
the tcp/443 connection - which is as good as it gets without getting into
the wonderful world of real "bump".
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
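
Added example (not part of the original post, and not Squid project code): a log audit for the setup described above that summarises tcp/443 entries and flags any destination on the blacklist that was tunnelled rather than denied. The log lines and blacklist contents are constructed; it assumes Squid's default "squid" access.log format and that spliced or intercepted connections are logged as CONNECT requests.

```python
import ipaddress
from collections import Counter

# Constructed sample data, default "squid" logformat assumed:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1458509358.101 4021 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1458509359.250 0 10.0.0.6 TCP_DENIED/403 3900 CONNECT 203.0.113.9:443 - HIER_NONE/- text/html
1458509360.007 812 10.0.0.7 TCP_TUNNEL/200 2048 CONNECT bad.example.net:443 - HIER_DIRECT/192.0.2.44 -
1458509361.300 0 10.0.0.5 TCP_DENIED/403 3900 CONNECT 203.0.113.9:443 - HIER_NONE/- text/html
"""
# Constructed stand-in for /etc/squid/acl-BlacklistedHTTPSsites.txt
SAMPLE_ACL = """\
203.0.113.9
192.0.2.44
"""

def load_acl(text):
    """Return ACL entries, skipping blank lines and # comments."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_443(log_text):
    """Yield one dict per CONNECT request to port 443."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")
        if port != "443":
            continue
        yield {"client": f[2], "code": f[3].split("/")[0],
               "host": host.strip("[]").lower(), "peer": f[8].partition("/")[2]}

def audit(log_text, acl_text):
    """Count tcp/443 destinations and list blacklisted ones that were not denied."""
    acl, seen, gaps = load_acl(acl_text), Counter(), []
    for e in parse_443(log_text):
        seen[(e["host"], "ip" if is_ip(e["host"]) else "name", e["code"])] += 1
        hit = {e["host"], e["peer"]} & acl
        if hit and e["code"] != "TCP_DENIED":
            gaps.append((e["client"], e["host"], sorted(hit)[0]))
    return seen, gaps
```

In the constructed data the one gap is an explicit CONNECT by hostname whose upstream peer address is on the IP-only blacklist; calling audit() on a real access.log and ACL file gives the same report for a live proxy.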