[squid-users] Squid TPROXY issues with Google sites

Alex Rousskov rousskov at measurement-factory.com
Fri May 26 16:44:35 UTC 2017


On 05/26/2017 09:44 AM, Vieri wrote:

> I know that in TLS traffic there are only IP addresses

This is a gross exaggeration. The reality is much more nuanced.


> I added mail.google.com to a custom file named "denied.domains" and loaded as denied_domains ACL in Squid. 

> [...]
> acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
> http_access deny denied_domains !allowed_groups !allowed_ips
> http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
> [...]
> reply_header_access Alternate-Protocol deny all
> acl AllowTroublesome ssl::server_name .google.com .gmail.com
> acl DenyTroublesome ssl::server_name mail.google.com
> http_access deny DenyTroublesome
> ssl_bump peek all
> ssl_bump splice AllowTroublesome
> ssl_bump bump all


> First of all, I was expecting that if a client tried to open
> https://mail.google.com, the connection would be blocked by Squid
> (DenyTroublesome ACL). It isn't. Why?

If a transaction is not blocked, then you have an http_access rule that
allows it. You need to figure out which rule does that. You can figure
that out by studying debugging logs, adding/logging annotate_transaction
ACLs, and/or altering http_access rules.


> Second, I am unable to scan content since Squid is splicing all
> Google traffic.

You told Squid to bump nothing because nothing can be bumped after
"ssl_bump peek all". You may want to study the following wiki page,
including definitions of actions such as "peek" and examples.

    http://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.
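As an added illustration (not part of Alex's reply, and not the poster's own configuration), here are the quoted ssl_bump rules rewritten along the lines of the SslPeekAndSplice wiki page linked above: peeking only at step 1 (the client TLS Hello, where the SNI is learned) keeps bumping possible at step 2 for anything not spliced. The at_step ACL and the SslBump1 step name come from Squid's documentation; the AllowTroublesome and DenyTroublesome names are taken from the quoted configuration, and the surrounding http_access rules are assumed unchanged.

```conf
# Added example, not from the original thread.
# Problem in the quoted config: "ssl_bump peek all" also peeks at step 2
# (the server certificate), and once Squid has peeked at the server side
# it can no longer bump that connection. Restrict peeking to step 1.
acl step1 at_step SslBump1

# ACL names as in the quoted configuration
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome  ssl::server_name mail.google.com

# Step 1: look at the client Hello to learn the SNI, without committing.
ssl_bump peek step1

# Step 2: hosts matching AllowTroublesome are passed through untouched.
ssl_bump splice AllowTroublesome

# Step 2: everything else is bumped, so its content can be scanned.
ssl_bump bump all
```

Whether mail.google.com is actually blocked still depends on the http_access rule that matches it first, as Alex notes above; the ssl_bump change only restores the ability to bump.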