[squid-users] Working peek/splice no longer functioning on some sites

Alex K rightkicktech at gmail.com
Sun Nov 26 07:50:23 UTC 2017


Perhaps an alternative is to peek only on step1:

acl step1 at_step SslBump1

ssl_bump peek step1
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

On Nov 25, 2017 14:46, "James Lay" <jlay at slave-tothe-box.net> wrote:

> On Sun, 2017-11-26 at 01:33 +1300, Amos Jeffries wrote:
>
> On 26/11/17 00:52, James Lay wrote:
>
>
> On Sat, 2017-11-25 at 23:48 +1300, Amos Jeffries wrote:
>
>
> On 25/11/17 08:30, James Lay wrote:
>
>
> Topic says it...this setup has been working well for a long time, but
> now there are some sites that are failing the TLS handshake.  Here's
> my setup:
>
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl CONNECT method CONNECT
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> http_access allow SSL_ports
> http_access allow allowed_http_sites
> http_access deny all
> ssl_bump peek all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
>
>
>
>
>
> Because you have "peek all" being performed the transaction MUST pass
> your regex patterns with both TLS SNI from the client *and* the server
> certificate SubjectName values. Either one not matching will perform
> that "terminate all" on the TLS handshake.
>
>
>
>
> Thanks Amos...do you have a suggestion for changing this to match one or
> the other instead of both?
>
>
>
> Doing the splice check before the peek should do that. First one of the
> server_names data sources to match will then splice and non-matches fall
> through to either peek or terminate if no more peeking possible.
>
> Amos
>
>
> Perfect..I've modded my lines with:
>
> acl broken_https_sites ssl::server_name_regex "/opt/etc/squid/broken_url.txt"
> ssl_bump splice broken_https_sites
> ssl_bump peek all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
>
> Hopefully that fixes these up.  Another site besides the one in this
> thread is fbcdn.net.  Again, these DID work, but something within the
> last month has changed...guessing Facebook and Elder Scrolls Online have
> added additional TLS security.  Thanks as always Amos.
>
> James
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
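As an added example (not configuration from the thread or from the Squid project), here are the three ssl_bump orders discussed above side by side in one squid.conf fragment, annotated with the SslBump step at which each rule is evaluated, plus a logformat that records the client SNI, the server certificate subject and the final bump mode so a rejected site can be diagnosed from the log instead of guessed at. ACL names and the regex-file paths are copied from James's post; the format name "tlslog" and the log path are assumptions. Note the trade-off in the step1-only order: Squid never peeks the server hello, so the allow-list is enforced only against the SNI the client chose and the server certificate is never compared with it.

```conf
# Added example, not from the thread. ACL names and regex-file paths follow
# James's post; "tlslog" and the access_log path are assumptions.

acl step1 at_step SslBump1    # only the CONNECT/TCP-level info is known
acl step2 at_step SslBump2    # client hello peeked: SNI is known
acl step3 at_step SslBump3    # server hello peeked: certificate is known

acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
acl broken_https_sites  ssl::server_name_regex "/opt/etc/squid/broken_url.txt"

# --- Original order (breaks when SNI and certificate names differ) ---
# "peek all" matches at step1 and again at step2, so Squid also peeks the
# server hello. At step3 ssl::server_name is then matched against the
# certificate names as well, and a site whose SNI matches the list but
# whose certificate does not (or the reverse) falls through to terminate.
#ssl_bump peek all
#ssl_bump splice allowed_https_sites
#ssl_bump terminate all

# --- Amos's fix: test splice before peek ---
# The name known so far (CONNECT host at step1, SNI at step2) is tested
# first; a match splices at once and the server certificate is never
# examined. Non-matches are peeked further and get a second chance
# against the certificate names at step3.
#ssl_bump splice broken_https_sites
#ssl_bump peek all
#ssl_bump splice allowed_https_sites
#ssl_bump terminate all

# --- Alex's variant: peek the client hello only, decide on SNI alone ---
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all

# Record what each side presented. %ssl::>sni is the client SNI,
# %ssl::<cert_subject the server certificate subject (empty when Squid
# never peeked the server), %ssl::bump_mode the final decision.
logformat tlslog %ts.%03tu %>a %ssl::bump_mode %ssl::>sni %ssl::<cert_subject %Ss/%03>Hs %ru
access_log /var/log/squid/tls.log tlslog
```

With the original order active, a line in tls.log showing a terminate decision whose SNI column matches the regex file but whose certificate subject column does not is exactly the case Amos describes; with the step1-only order the certificate column stays empty, which is the visible sign that Squid decided on the client's SNI alone.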