[squid-users] Squid Peek and splice

Reet Vyas reet.vyas28 at gmail.com
Tue May 17 09:47:34 UTC 2016


Hi

Below is my squid configuration:

Squid: 3.5.13
OS: Ubuntu 14.04


http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
ssl_unclean_shutdown on

I want to block facebook.com, so I have added the URL in the .txt file.

It's not blocking anything.

Please let me know what I have to change in this configuration.

I am getting the below logs in squid:


1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -

1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478224.432     33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
1463478327.555     41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html


On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> > Hi Amos/Yuri,
> >
> > Currently my squid is configured with ssl bump, now I want to use peek
> and
> > splice. I read in some forum that we don't need to install certificate on
> > client's machine.
> >
>
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
>
>
> > As I have already asked before in mailing list to install SSL certificate
> > on Android devices, which is not working.
> >
> > So my question is If I want to use peek and splice for example I want
> https
> > filtering for
>
>  ... on how you define "filter".
>
> > proxy websites
>
> Not sure what you mean by that term.
>
> > and I don't want ssl for bank websites and
> > facebook youtube and gmail. How will it work? Do I need to install an SSL
> > certificate on the client or not? I am a bit confused with the peek and splice
> thing.
>
> When you intercept port 443 normally only the raw-IP is available from
> TCP. Peek allows Squid to get the server name the client was trying to
> connect to out of the TLS. So that Squid can handle the intercepted
> connection as if it had received a CONNECT message (which usually have
> server/domain names).
>
> Splicing can be thought of as handling an intercepted port 443 connection
> as if it were a CONNECT message, with no decryption. It is treated as a
> single "thing", with some limited control possibilities.
>
>
> So...
>
> In order to bump (decrypt) some traffic and splice (not decrypt) other
> traffic you need to have a way to decide which type is being dealt with.
> That is the peek or stare actions - to get data out of the TLS handshake
> for you to use in ACL decisions.
>
> You might now want to re-read the SslPeekAndSplice documentation again
> to see if you understand it better. I skipped a lot of important details
> to make the description clear.
>
>
> >
> > Please let me know if it is possible to configure squid 3.5.19 in such a
> way
> > that it will bump only proxy websites, not FB, youtube etc.
> >
>
> Ah. So what are these "proxy websites" you speak of ?
>
> One thing you need to be clear about is that once the TCP packets enter
> Squid they *have* to be "proxied". There is no way to undo TCP accept()
> and read() operations. But there are many ways of handling them that
> Squid can do.
>
> PS. you could post your existing config so we can suggest alterations to
> it that will lead to it doing your new policy. That can be another way
> to learn how the relevant-to-you part of the features work without
> diving into the full complexity of what *might* be doable.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
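The log excerpt above is the most useful evidence in this thread: entries tagged TCP_TUNNEL are connections Squid spliced through to the origin, and the server name after CONNECT is what the `ssl::server_name` ACL would have been evaluated against. The script below is an added example, not code from the thread or from the Squid project. It parses Squid native access.log lines (a few constructed ones are embedded, copied from the format posted above), lists which server names were spliced, and tests each of them against a blocklist using dstdomain-style matching: a bare name matches only that exact host, a name with a leading dot also matches every subdomain. That matching rule is an assumption taken from Squid's dstdomain ACL documentation and applied here to `ssl::server_name`; the contents of the poster's blocked_https.txt are not known, so two candidate lists are tried and the reader can substitute the real file.

```python
"""Audit which spliced TLS server names would have matched a Squid blocklist.

Added example (not from the thread). Assumes ssl::server_name uses the same
domain matching as dstdomain: "facebook.com" matches only that exact host,
".facebook.com" matches the host and all of its subdomains.
"""
import re

# Constructed sample lines in Squid's native access.log format, taken from
# the shape of the entries posted in the thread.
SAMPLE_LOG = """\
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
"""

# Native log layout: time elapsed client code/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_log(text):
    """Return one dict per parseable access.log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def connect_host(url):
    """CONNECT targets are host:port (IPv4 or name); strip the port, lowercase the host."""
    host, _sep, _port = url.rpartition(":")
    return host.lower()


def is_ipv4(host):
    """Bare-IP CONNECT entries are the intercepted TCP connection before any SNI was seen."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def matches_blocklist(host, blocklist):
    """Return the blocklist entry that matches host under dstdomain-style rules, else None."""
    host = host.lower().rstrip(".")
    for pattern in blocklist:
        p = pattern.strip().lower()
        if not p or p.startswith("#"):
            continue
        if p.startswith("."):
            # ".example.com" matches example.com itself and any subdomain
            if host == p[1:] or host.endswith(p):
                return pattern
        elif host == p:
            # bare "example.com" matches only that exact host
            return pattern
    return None


def spliced_hosts(entries):
    """Server names that Squid tunnelled through without terminating (TCP_TUNNEL)."""
    return [connect_host(e["url"]) for e in entries
            if e["method"] == "CONNECT" and e["code"] == "TCP_TUNNEL"]


def non_tunnelled_connects(entries):
    """(host, code/status) for CONNECT entries that were not tunnelled, for eyeballing."""
    return [(connect_host(e["url"]), f'{e["code"]}/{e["status"]}') for e in entries
            if e["method"] == "CONNECT" and e["code"] != "TCP_TUNNEL"]


def audit(text, blocklist):
    """Map each spliced (named) server to the blocklist entry it matches, or None."""
    entries = parse_log(text)
    return {h: matches_blocklist(h, blocklist)
            for h in spliced_hosts(entries) if not is_ipv4(h)}


if __name__ == "__main__":
    for candidate in (["facebook.com"], [".facebook.com"]):
        print(f"blocklist {candidate}:")
        for host, hit in audit(SAMPLE_LOG, candidate).items():
            print(f"  spliced {host:28s} matched: {hit}")
    print("not tunnelled:", non_tunnelled_connects(parse_log(SAMPLE_LOG)))
```

Run it against a real access.log and the real blocked_https.txt (read the file into a list of lines) to see, for every spliced name, whether the ACL could have matched it at all; a spliced host that should have been terminated but matches nothing in the list points at the list's contents rather than at the ssl_bump rule order.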