[squid-users] How squid sends sni to icap server?
lucas.alvaro at laposte.net
Sun Aug 6 20:11:13 UTC 2017
>> Hi everyone,
>> I have a transparent proxy squid 3.5.26 with C-ICAP and here are the
>> important lines:
>> "
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/echo
>> bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache
>> icap://localhost:1344/echo bypass=off
>> adaptation_access service_avi_resp allow all
>>
>> #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
>>
>>
>> http_port 3128
>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump \
>> cert=/etc/squid/ssl_cert/myCA.pem \
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> #acl step1 at_step SslBump1
>> #acl step2 at_step SslBump2
>> #acl step3 at_step SslBump3
>>
>> ssl_bump peek all
>> ssl_bump bump all
>
>NP: Peeking at step 2 precludes bumping.
>
>> logformat squid %ssl::>sni
>
>Please do not redefine the built-in format name "squid". Use a custom
>name for custom formats.
>
Ok it will be done
>
>> adaptation_meta X-SNI "%ssl::>sni" all #or connect
>> #request_header_add X-SNI "%ssl::>sni" all
>> "
>>
>>
>> So I want to create an ICAP service like squidclamav, but it must check
>> SNI, not URLs.
>
>Any particular reason why?
> SNI has almost nothing to do with the HTTP messages (plural). It is
> simply the name of the next-hop server (or proxy) they should be
> delivered to on their way around the web.
>
>I thought squidclamav was an antivirus, not a URL blocklist checker.
>
You're right: squidclamav is an antivirus, but there are many more services; actually it can check URLs and match them against a blacklist or whitelist.
I don't want to decrypt HTTPS traffic, but I want to know where the client is trying to connect. I thought SNI was the only way to know the server name and the domain without decrypting anything.
The final goal is to blacklist, for example, Google: when the SNI indicates www.google.com, c-icap denies access.
>
>> I peek at all the steps to get the SNI, and in the squid access log the SNI is
>> printed.
>>
>> I read that adaptation_meta can send anything from squid to ICAP, but
>> clearly I use it incorrectly: I can't see the SNI in the ICAP access log or in
>> the ICAP headers.
>
> Your usage appears to be correct. I think there is no SNI being received
> by Squid.
That's problematic because in my squid access log there are "www.youtube.com" and "www.google.com"; that's exactly what I'm trying to pass to c-icap. It seems like squid receives the SNI.
>> Does adaptation_meta create ICAP headers?
>
>It does.
>
>> Or should I use
>> add_request_headers?
>
>No, that would add HTTP headers to the outgoing messages (to server or
>to client).
>>
>> I know that squid can create a 2nd fake CONNECT with the SNI, but here again
>> ICAP just prints the same CONNECT twice.
>>
>
>That is correct, however SNI is not always sent by clients. Squid can
>only use what it is given.
>
>If there is an SNI in that particular clientHello you have hit a bug in
>Squid.
>
>Amos
Thanks Amos for the reply.
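A squid.conf fragment illustrating the points raised in this thread (an added example, not from the original posts or the Squid project): peeking only at step 1 so the SNI is learned without bumping, splicing instead of decrypting, blocking by server name with a native ACL, and passing the SNI to the ICAP service through adaptation_meta under a custom logformat name. The blocked domain `.example.com` and the service name `sni_reqmod` are assumptions.

```conf
# Added example (Squid 3.5 syntax): name-based TLS handling without decryption.
# Assumptions: the ICAP echo service from the thread, a constructed blocked
# domain ".example.com", and a constructed service name "sni_reqmod".

# Custom format name instead of redefining the built-in "squid" format
logformat sni_log %ts.%03tu %>a %ssl::>sni %Ss/%03>Hs
access_log /var/log/squid/access.log sni_log

# The TLS handshake step Squid can act on after seeing the ClientHello
acl step1 at_step SslBump1

# Server names to block by SNI (constructed example)
acl blocked_sni ssl::server_name .example.com

# Peek only at step 1 to learn the SNI; peeking at later steps would
# preclude bumping, and we do not want to decrypt anyway. Then terminate
# blocked names and splice (pass through untouched) everything else.
ssl_bump peek step1
ssl_bump terminate blocked_sni
ssl_bump splice all

# Send the learned SNI to the ICAP service as an ICAP header. Per the thread,
# Squid generates a second (fake) CONNECT carrying the SNI after step 1, and
# that request passes through REQMOD with this meta header attached.
icap_enable on
icap_service sni_reqmod reqmod_precache icap://localhost:1344/echo bypass=off
adaptation_access sni_reqmod allow all
adaptation_meta X-SNI "%ssl::>sni" all
```

Clients that omit SNI will still show an empty X-SNI value, since Squid can only forward what it is given.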