[squid-users] intercepting tcp/443 purely for logging purposes
Amos Jeffries
squid3 at treenet.co.nz
Mon Mar 21 07:53:05 UTC 2016
On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
>
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
>
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
>
It is supported.
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
>
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses
This is because the ssl_bump rules are saying to splice immediately when
only the pseudo-CONNECT with an IP address is known.
If you use this:
ssl_bump peek all
ssl_bump splice all
it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-through. Then it will have that domain
and any other non-encrypted details available for logging.
Amos
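The peek-then-splice variant Amos describes, written out as a full squid.conf fragment applied to Jason's setup. This is an added example, not config from either poster or from the Squid project; the intercept port number, the CA certificate path and the ACL names are assumptions. The point it shows is ordering: at step 1 only the intercepted destination IP is known, so a hostname ACL evaluated there can only ever match IP addresses; after peeking at the ClientHello (step 2) the SNI is available, and after peeking at the server certificate (step 3) the certificate subject is too, so the blacklist can hold real hostnames and the access log can record them.

```squid
# Added example, not from the original thread. Paths, port and ACL names are assumed.

# Firewall redirects intercepted tcp/443 here (port 3129 is an assumption).
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    cert=/etc/squid/squid-ca.pem

# Same certificate helper settings as in the original post.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5

# ssl_bump is evaluated once per step; match on the step explicitly so the
# order of decisions is clear.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Blacklist keyed on the TLS server name: before any peek this matches only
# the dst IP (what Jason observed), after step 1 it matches the client SNI,
# after step 2 it also matches the server certificate subject.
acl BlacklistedHTTPSsites ssl::server_name "/etc/squid/acl-BlacklistedHTTPSsites.txt"

# Step 1: look at the ClientHello (gets the SNI), keep splicing possible.
ssl_bump peek step1
# Step 2 and 3: drop the connection if the name is blacklisted. A client can
# put any SNI in its ClientHello, so the step-3 check against the server
# certificate is the one that cannot be spoofed by the client.
ssl_bump terminate BlacklistedHTTPSsites
# Step 2: look at the server certificate as well, still without decrypting.
ssl_bump peek step2
# Step 3: everything else becomes a transparent pass-through.
ssl_bump splice all

# Log the SNI and certificate subject learned while peeking; the
# default access log would show only the IP:443 pseudo-CONNECT.
logformat sslsplice %ts.%03tu %>a %ssl::>sni %ssl::<cert_subject %Ss
access_log /var/log/squid/ssl-splice.log sslsplice
```

The original `http_access deny BlacklistedHTTPSsites` with `dstdomain` still works for IP entries; swapping the ACL type to `ssl::server_name` and enforcing it with `ssl_bump terminate` is what lets hostnames block before the session is spliced.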