[squid-users] intercepting tcp/443 purely for logging purposes

Jason Haar jason_haar at trimble.com
Mon Mar 21 09:32:45 UTC 2016


Yeah I know that, but there are issues with invoking peek: like the host
forgery checks suddenly kick in, and squid starts seeing SSL errors
(probably due to CentOS6 not supporting the newest standards that Chrome
uses) and then squid starts blocking things. That's why I'm sticking to
this simplest case for the moment and avoiding the "peek" call.


Thanks!

Jason

On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 21/03/2016 10:29 a.m., Jason Haar wrote:
> > Hi there
> >
> > I'm wanting to use tls intercept to just log (well OK, and potentially
> > block) HTTPS sites based on hostnames (from SNI), but have had problems
> > even in peek-and-splice mode. So I'm willing to compromise and instead just
> > intercept that traffic, log it, block on IP addresses if need be, and don't
> > use ssl-bump beyond that.
> >
> > So far the following seems to work perfectly, can someone confirm this is
> > "supported" - ie that I'm not relying on some bug that might get fixed
> > later? ;-)
> >
>
> It is supported.
>
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> > sslcrtd_children 32 startup=15 idle=5
> > acl SSL_https port 443
> > ssl_bump splice SSL_https
> > acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> > http_access deny BlacklistedHTTPSsites
> >
> > The "bug" comment comes down to how acl seems to work. I half-expected the
> > above not to work - but it does. It would appear squid will treat an
> > intercept's dst IP as the "dns name" as that's all it's got - so
> > "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> > IP addresses
>
> This is because the ssl_bump rules are saying to splice immediately when
> only the pseudo-CONNECT with an IP address is known.
>
> If you use this:
>  ssl_bump peek all
>  ssl_bump splice all
>
> it will peek at the client SNI and server public cert details before
> dropping back to a transparent pass-thru. Then it will have that domain
> and any other non-encrypted details available for logging.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
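The two approaches discussed in this thread side by side, as an added example written from Squid 3.5's documented directives rather than taken from either post; the https_port line, port number, certificate path, log format name and ACL file name are assumptions.

```conf
# Added example (not from the thread): intercepted tcp/443 with splice-only
# versus peek-then-splice. Directive names are from Squid 3.5's documentation;
# values marked "assumed" are illustrative only.

https_port 3130 intercept ssl-bump cert=/etc/squid/bump.pem   # port and cert path assumed
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5

# --- Variant A (as posted): splice immediately, before any TLS bytes are read.
# Squid only has the pseudo-CONNECT built from the intercepted destination IP,
# so a dstdomain list can only ever match IP-address entries on this traffic.
#acl SSL_https port 443
#ssl_bump splice SSL_https
#acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
#http_access deny BlacklistedHTTPSsites

# --- Variant B (Amos's suggestion, written out per step): peek, then splice.
# Peeking at step 1 reads the ClientHello, so the SNI becomes visible; peeking
# at step 2 also fetches the server certificate. Splicing afterwards passes the
# bytes through unmodified, so nothing is decrypted or re-signed.
# Caveat from the thread: once Squid peeks, its host-forgery check applies, and
# a client whose SNI does not match the intercepted IP is refused rather than
# passed through silently.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# With the SNI known, a hostname list works on intercepted traffic too.
# ssl::server_name matches the SNI (and the cert names once step 2 has run).
acl BlockedHTTPS ssl::server_name "/etc/squid/acl-BlacklistedHTTPSsites.txt"   # file name assumed

ssl_bump peek step1
ssl_bump terminate BlockedHTTPS   # decided at step 2, from the SNI alone
ssl_bump peek step2
ssl_bump splice all

# Record the SNI next to the usual fields so the splice entry shows the
# hostname rather than only the destination IP (empty under Variant A).
logformat sni_log %ts.%03tu %>a %Ss/%03>Hs %rm %ru sni=%ssl::>sni   # format name assumed
access_log /var/log/squid/access.log sni_log
```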