[squid-users] Working peek/splice no longer functioning on some sites
James Lay
jlay at slave-tothe-box.net
Sat Nov 25 12:45:59 UTC 2017
On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
> On 26/11/17 00:52, James Lay wrote:
> >
> > On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
> > >
> > > On 25/11/17 08:30, James Lay wrote:
> > > >
> > > > Topic says it...this setup has been working well for a long
> > > > time, but
> > > > now there are some sites that are failing the TLS handshake.
> > > > Here's
> > > > my setup: acl localnet src 192.168.1.0/24 acl SSL_ports port
> > > > 443 acl
> > > > Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method
> > > > CONNECT
> > > > acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> > > > http_access deny !Safe_ports http_access deny CONNECT
> > > > !SSL_Ports
> > > > http_access allow SSL_ports http_access allow
> > > > allowed_http_sites
> > > > http_access deny all ssl_bump peek all acl allowed_https_sites
> > > > ssl::server_name_regex "/opt/etc/squid/http_url.txt" ssl_bump
> > > > splice
> > > > allowed_https_sites ssl_bump terminate all
> > >
> > >
> > > Because you have "peek all" being performed the transaction MUST
> > > pass
> > > your regex patterns with both TLS SNI from the client *and* the
> > > server
> > > certificate SubjectName values. Either one not matching will
> > > perform
> > > that "terminate all" on the TLS handshake.
> > >
> > Thanks Amos...do you have a suggestion for changing this to match
> > one or
> > the other instead of both?
> Doing the splice check before the peek should do that. First one of
> the
> server_names data sources to match will then splice and non-matches
> fall
> through to either peek or terminate if no more peeking possible.
>
> Amos
Perfect..I've modded my lines with:
acl broken_https_sites ssl::server_name_regex
"/opt/etc/squid/broken_url.txt"
ssl_bump splice broken_https_sites
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex
"/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
Hopefully that fixes these up. Another site besides the the one this
thread is fbcdn.net. Again, these DID work, but something within the
last month has changed...guessing Facebook and Elder Scrolls Online
have added additional TLS security. Thanks as always Amos.
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20171125/a9650c38/attachment.html>
More information about the squid-users
mailing list