[squid-users] Squid generated certificate for IP rather than domain when using ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 17 17:13:16 UTC 2017


On 04/17/2017 10:55 AM, Shanmugam Sundaram wrote:

> The goal is to splice only whitelist (github.com) and terminate all
> other domains.

FYI: I do not know what you mean by "terminate", but if you mean "close
the client-to-Squid connection _without_ serving a Squid-generated error
response to the user", then your ssl_bump configuration does not reflect
your intent. It is easier to terminate non-github connections than to
respond with blocking error messages to non-github requests.


> acl http_whitelist dstdomain .github.com
> acl whitelist ssl::server_name .github.com

> http_access allow http_whitelist localnet
> http_access deny all
> 
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all


Your Squid probably denies the fake CONNECT request during step1 (before
looking up SNI during step2). That fake CONNECT does not (and cannot)
have a host name (because you intercept) so it does not match your
"http_whitelist" ACL in the "http_access allow" rule quoted above,
following through to the "deny all" rule that always matches.

An access log may be used to confirm or discard the above theory. This
is why I have asked you about access log records in my previous email.

Alex.
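One way to check an access log for the pattern described above, as an added example that is not part of the thread: it parses lines in Squid's default log format (the sample lines are constructed) and lists denied CONNECTs whose target is a bare IP, which is how an intercepted connection blocked at step1, before any SNI is known, shows up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid's default access-log format (not from the
# original thread). Lines 1 and 3 are what the theory above predicts: a fake
# CONNECT whose target is an IP literal, denied before SNI peeking.
SAMPLE_LOG = """\
1492448000.101      0 10.0.0.5 TCP_DENIED/403 3971 CONNECT 140.82.112.3:443 - HIER_NONE/- text/html
1492448001.202    154 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT github.com:443 - ORIGINAL_DST/140.82.112.3 -
1492448002.303      0 10.0.0.7 TCP_DENIED/403 3971 CONNECT 93.184.216.34:443 - HIER_NONE/- text/html
1492448003.404     12 10.0.0.7 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

# time elapsed client status/code bytes method url ... (fields beyond url ignored)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def connect_host(url):
    """Strip the :port from a CONNECT target such as 'github.com:443' or '[::1]:443'."""
    return url.rsplit(":", 1)[0].strip("[]")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def step1_denials(log_text):
    """Return (client, target) pairs for denied CONNECTs whose target is an
    IP literal, i.e. intercepted connections that never reached SNI peeking."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT" or m["status"] != "TCP_DENIED":
            continue
        host = connect_host(m["url"])
        if is_ip_literal(host):
            hits.append((m["client"], host))
    return hits

def summarize(log_text):
    """Count CONNECT outcomes by (status, target-is-IP) to see at a glance
    whether any CONNECT ever carried a server name."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "CONNECT":
            counts[(m["status"], is_ip_literal(connect_host(m["url"])))] += 1
    return counts

if __name__ == "__main__":
    for client, host in step1_denials(SAMPLE_LOG):
        print(f"step1 denial: client {client} -> {host}:443 (no SNI available yet)")
    print(summarize(SAMPLE_LOG))
```

If every denied CONNECT in a real log has an IP-literal target and none carries a name like github.com, the http_access rules are rejecting the step1 CONNECT before the SNI can be matched.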


