[squid-users] Squid Peek and splice
Reet Vyas
reet.vyas28 at gmail.com
Tue May 17 10:48:00 UTC 2016
Here is my txt file; as of now it's working, but I am getting "secure
connection failed". I want to know if we can customize the error message, like
"Access Denied".
In the logs I am not getting the full URL; PFA logs for the same. What do I have
to change in peek and splice SSL bump to get the full URL?
Logs:
3481340.025 0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481340.037 0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481352.675 98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481403.492 240049 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481403.519 240205 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481411.577 240235 192.168.0.66 TCP_TUNNEL/200 1832 CONNECT 74.125.68.239:443 - ORIGINAL_DST/74.125.68.239 -
1463481411.688 240430 192.168.0.66 TCP_TUNNEL/200 766 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481411.940 240038 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.199.141:443 - ORIGINAL_DST/216.58.199.141 -
1463481415.391 240029 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.220.5:443 - ORIGINAL_DST/216.58.220.5 -
1463481418.469 240252 192.168.0.66 TCP_TUNNEL/200 518 CONNECT 74.125.68.132:443 - ORIGINAL_DST/74.125.68.132 -
1463481419.003 240197 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 74.125.200.138:443 - ORIGINAL_DST/74.125.200.138 -
1463481421.151 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481421.196 59328 192.168.0.11 TCP_TUNNEL/200 786 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481421.758 240647 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481445.844 282774 192.168.0.188 TCP_TUNNEL/200 1423 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481446.091 282893 192.168.0.188 TCP_TUNNEL/200 2418 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481470.715 59069 192.168.0.11 TCP_TUNNEL/200 1395 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481470.729 58778 192.168.0.11 TCP_TUNNEL/200 7609 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481482.663 62472 192.168.0.11 TCP_TUNNEL/200 3000 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463481505.775 334542 192.168.0.66 TCP_TUNNEL/200 59071 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481512.946 240206 192.168.0.66 TCP_TUNNEL/200 470 CONNECT 74.125.130.101:443 - ORIGINAL_DST/74.125.130.101 -
1463481513.057 240084 192.168.0.66 TCP_TUNNEL/200 886 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481513.574 240132 192.168.0.66 TCP_TUNNEL/200 1116 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481514.156 240036 192.168.0.66 TCP_TUNNEL/200 454 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481542.096 5675 192.168.0.11 TCP_TUNNEL/200 686 CONNECT 162.213.33.48:443 - ORIGINAL_DST/162.213.33.48 -
1463481546.586 59549 192.168.0.11 TCP_TUNNEL/200 493 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481569.729 398494 192.168.0.66 TCP_TUNNEL/200 2523 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481574.930 240032 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.220.3:443 - ORIGINAL_DST/216.58.220.3 -
1463481578.959 240248 192.168.0.66 TCP_TUNNEL/200 1220 CONNECT 74.125.130.94:443 - ORIGINAL_DST/74.125.130.94 -
1463481614.460 444470 192.168.0.66 TCP_TUNNEL/200 13976 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481631.174 460024 192.168.0.66 TCP_TUNNEL/200 5641 CONNECT 74.125.200.189:443 - ORIGINAL_DST/74.125.200.189 -
1463481753.303 303648 192.168.0.11 TCP_TUNNEL/200 2801 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481759.694 240237 192.168.0.11 TCP_TUNNEL/200 829 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481761.126 261752 192.168.0.11 TCP_TUNNEL/200 205262 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.066 269470 192.168.0.11 TCP_TUNNEL/200 177618 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.241 276758 192.168.0.11 TCP_TUNNEL/200 1451680 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.16
On Tue, May 17, 2016 at 3:33 PM, Reet Vyas <reet.vyas28 at gmail.com> wrote:
> Here is my txt file; as of now it's working, but I am getting "secure
> connection failed". I want to know if we can customize the error message, like
> "Access Denied".
>
> In the logs I am not getting the full URL; PFA logs for the same. What do I
> have to change in peek and splice SSL bump to get the full URL?
>
> On Tue, May 17, 2016 at 3:21 PM, admin <admin at tisiz72.ru> wrote:
>
>>
>> get your blocked_https.txt
>>
>> Reet Vyas wrote 2016-05-17 14:47:
>>
>> Hi
>>
>> Below is my squid configuration
>>
>> Squid : 3.5.13
>> OS ubuntu 14.04
>>
>>
>> http_port 3128
>> http_port 3127 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>>
>> always_direct allow all
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump terminate blocked
>> ssl_bump splice all
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
>> sslcrtd_children 16 startup=1 idle=1
>> sslproxy_capath /etc/ssl/certs
>> sslproxy_cert_error allow all
>> ssl_unclean_shutdown on
>>
>> I want to block facebook.com, so I have added the URL in the .txt file.
>>
>> It's not blocking anything.
>>
>> Please let me know what I have to change in this configuration.
>>
>> I am getting the below logs in Squid:
>>
>>
>> 1463478160.585 551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478160.585 550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478161.147 562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478161.147 561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478163.982 553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478163.982 552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478163.994 565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478163.994 564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
>> 1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
>>
>> 1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
>> 1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
>> 1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
>> 1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
>> 1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
>> 1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
>> 1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
>> 1463478224.432 33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
>> 1463478231.727 555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478231.727 555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478232.311 572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
>> 1463478232.311 571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
>> 1463478246.369 13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
>> 1463478246.369 13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
>> 1463478246.369 13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
>> 1463478246.369 13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
>> 1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
>> 1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
>> 1463478327.555 41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html
>>
>>
>> On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squid3 at treenet.co.nz>
>> wrote:
>>
>>> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
>>> > Hi Amos/Yuri,
>>> >
>>> > Currently my squid is configured with ssl bump, now I want to use peek and
>>> > splice. I read in some forum that we don't need to install certificate on
>>> > client's machine.
>>> >
>>>
>>> Splice does not require it. But what you want to do with Squid may
>>> prevent splice being used. So "it depends" ...
>>>
>>>
>>> > As I have already asked before on the mailing list about installing an SSL
>>> > certificate on Android devices, which is not working.
>>> >
>>> > So my question is: if I want to use peek and splice, for example, I want https
>>> > filtering for
>>>
>>> ... on how you define "filter".
>>>
>>> > proxy websites
>>>
>>> Not sure what you mean by that term.
>>>
>>> > and I don't want SSL for bank websites, facebook, youtube and gmail. How will
>>> > it work? Do I need to install the SSL certificate on the client or not? I am a
>>> > bit confused with the peek and splice thing.
>>>
>>> When you intercept port 443 normally only the raw-IP is available from
>>> TCP. Peek allows Squid to get the server name the client was trying to
>>> connect to out of the TLS. So that Squid can handle the intercepted
>>> connection as if it had received a CONNECT message (which usually have
>>> server/domain names).
>>>
>>> Splicing can be thought of as handling an intercepted port 443 connection
>>> as if it were a CONNECT message, with no decryption. It is treated as a
>>> single "thing", with some limited control possibilities.
>>>
>>>
>>> So...
>>>
>>> In order to bump (decrypt) some traffic and splice (not decrypt) other
>>> traffic you need to have a way to decide which type is being dealt with.
>>> That is the peek or stare actions - to get data out of the TLS handshake
>>> for you to use in ACL decisions.
>>>
>>> You might now want to re-read the SslPeekAndSplice documentation again
>>> to see if you understand it better. I skipped a lot of important details
>>> to make the description clear.
>>>
>>>
>>> >
>>> > Please let me know if it is possible to configure squid 3.5.19 in such a way
>>> > that it will bump only proxy websites, not FB, youtube etc.
>>> >
>>>
>>> Ah. So what are these "proxy websites" you speak of ?
>>>
>>> One thing you need to be clear about is that once the TCP packets enter
>>> Squid they *have* to be "proxied". There is no way to undo TCP accept()
>>> and read() operations. But there are many ways of handling them that
>>> Squid can do.
>>>
>>> PS. you could post your existing config so we can suggest alterations to
>>> it that will lead to it doing your new policy. That can be another way
>>> to learn how the relevant-to-you part of the features work without
>>> diving into the full complexity of what *might* be doable.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>
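An added example, not code from this thread or from the Squid project, that ties the two questions above together. With peek and splice the TLS session is never decrypted, so access.log can only ever record the CONNECT target: the server name that peek pulled out of the ClientHello (SNI) with its port, or the raw destination IP when no name was learned. The script parses native-format access.log lines like the ones posted, separates the TAG_NONE bookkeeping entries from the real TCP_TUNNEL sessions, reports which tunnels carried a server name at all, and checks those names against a blocked_https.txt-style list. It assumes ssl::server_name uses dstdomain-style matching (a bare "facebook.com" matches only that exact name, ".facebook.com" also matches subdomains); confirm that against the squid.conf documentation for your version. The sample log lines and list contents are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Squid native access.log layout (one line per transaction):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


@dataclass
class TlsEntry:
    client: str
    target: str      # hostname or raw IP from the CONNECT target (before the :port)
    port: int
    code: str        # TAG_NONE, TCP_TUNNEL, ...
    status: int
    peer: str        # ORIGINAL_DST/<ip> peer, or "-" when nothing was forwarded

    @property
    def has_server_name(self) -> bool:
        """True when the logged target is a hostname, i.e. peek recovered an SNI.
        A bare IP means Squid only ever knew the TCP destination address."""
        try:
            ipaddress.ip_address(self.target)
        except ValueError:
            return True
        return False


def parse_connect(line: str):
    """Return a TlsEntry for an intercepted-TLS (CONNECT) log line, else None."""
    m = NATIVE_RE.match(line.strip())
    if not m or m["method"] != "CONNECT":
        return None
    host, _, port = m["url"].rpartition(":")
    return TlsEntry(m["client"], host, int(port), m["code"], int(m["status"]), m["peer"])


def load_server_names(text: str):
    """Patterns as they would sit in blocked_https.txt: one per line, '#' comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def server_name_matches(name: str, patterns) -> bool:
    """dstdomain-style matching (assumption: ssl::server_name behaves like dstdomain;
    check your version's documentation): 'example.com' matches only that exact name,
    '.example.com' matches the domain and every subdomain."""
    name = name.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("."):
            if name == pat[1:] or name.endswith(pat):
                return True
        elif name == pat:
            return True
    return False


def analyze(log_text: str, blocklist_text: str) -> dict:
    """Summarise what a peek/splice deployment learned per tunnel and which tunnels the
    list would have matched. Only TCP_TUNNEL lines are spliced sessions; TAG_NONE lines
    are the bookkeeping entries Squid writes for the peek step."""
    patterns = load_server_names(blocklist_text)
    report = {"tunnels": 0, "named": 0, "ip_only": 0, "matched": [], "unmatched_names": []}
    for line in log_text.splitlines():
        e = parse_connect(line)
        if e is None or e.code != "TCP_TUNNEL":
            continue
        report["tunnels"] += 1
        if not e.has_server_name:
            report["ip_only"] += 1      # no SNI: only IP-based ACLs could ever apply
            continue
        report["named"] += 1
        if server_name_matches(e.target, patterns):
            report["matched"].append(e.target)
        else:
            report["unmatched_names"].append(e.target)
    return report


# Constructed sample in the same layout as the lines posted in the thread.
SAMPLE_LOG = """\
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
1463481352.675 98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
"""

if __name__ == "__main__":
    # Same log, two list spellings: exact-name entry versus leading-dot entry.
    for patterns in ("facebook.com", ".facebook.com"):
        print(f"blocklist {patterns!r}: {analyze(SAMPLE_LOG, patterns)}")
```

Run against a real access.log, a high ip_only count tells you the peek step is not yielding names for those clients, and a list entry without a leading dot will never match the subdomains (graph.facebook.com, www.facebook.com) that browsers actually connect to; neither condition produces any error in the log, the tunnel is simply spliced.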