[squid-users] ssl-bump does not redirect to block page
leomessi983 at yahoo.com
leomessi983 at yahoo.com
Wed Feb 13 12:10:33 UTC 2019
I use this configuration to solve my problem.Whit this configuration at first step I use bump action for sites that i want to block and show ACCESS_DENIED page then splice all other requests!!My problem in this config is when my clients want to see block pages they first see SSL warning in their browser then after click on exception they will see ACCESS_DENIED page!!
..........acl blk ssl::server_name "/var/blkfiles/url.txt"
http_access deny blkacl step1 at_step SslBump1ssl_bump peek step1ssl_bump bump blkssl_bump splice all
On Wednesday, February 13, 2019, 9:55:06 AM GMT+3:30, squid-users-request at lists.squid-cache.org <squid-users-request at lists.squid-cache.org> wrote:
Send squid-users mailing list submissions to
squid-users at lists.squid-cache.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
squid-users-request at lists.squid-cache.org
You can reach the person managing the list at
squid-users-owner at lists.squid-cache.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."
Today's Topics:
1. ssl-bump does not redirect to block page (leomessi983 at yahoo.com)
2. Re: ssl-bump does not redirect to block page (Alex Rousskov)
3. Pass ip to server (erdosain9)
4. Re: Pass ip to server (Joey Officer)
5. Re: Filering HTTPS URLs - A complete configuration (Alex Rousskov)
6. Re: ssl-bump does not redirect to block page
(leomessi983 at yahoo.com)
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 Feb 2019 14:21:34 +0000 (UTC)
From: "leomessi983 at yahoo.com" <leomessi983 at yahoo.com>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] ssl-bump does not redirect to block page
Message-ID: <1479917107.2282419.1549981294109 at mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"
Hi againDo i have to use CA and Certificate configuration if i want to block only HTTPS requests with splice action?!
https_port 3130 tproxy ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html>
------------------------------
Message: 2
Date: Tue, 12 Feb 2019 08:04:08 -0700
From: Alex Rousskov <rousskov at measurement-factory.com>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID:
<024a80a6-6b15-e9d8-06f9-b9645fbb3058 at measurement-factory.com>
Content-Type: text/plain; charset=utf-8
On 2/12/19 7:21 AM, leomessi983 at yahoo.com wrote:
> Do i have to use CA and Certificate configuration if i want to block
> only HTTPS requests with splice action?!
IIRC, you currently need a CA certificate if you want to use SslBump,
regardless of the SslBump actions in use. In some ways, this is a
limitation of the current SslBump implementation rather than a natural
requirement, but the CA certificate is needed when Squid reports an
error to the client because Squid has to bump the client connection to
report errors.
If you do not care what happens when handling errors, then you probably
do not need to configure dynamic certificate generation. I have not
tested that, but I assume that, when reporting errors in that case,
Squid will silently revert to using the old code that generates
self-signed certificates (and the client will not trust them).
Please note that it is not clear what you mean by "to block with splice
action" -- splice does not block anything. If you are blocking requests
using http_access rules, then Squid is probably using an (implicit) bump
action to report blocking to the client, as discussed above. Blocking is
an example of errors that may happen even when you do not explicitly
bump any requests.
Alex.
> https_port 3130 tproxy ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
------------------------------
Message: 3
Date: Tue, 12 Feb 2019 09:14:45 -0600 (CST)
From: erdosain9 <erdosain9 at gmail.com>
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Pass ip to server
Message-ID: <1549984485300-0.post at n4.nabble.com>
Content-Type: text/plain; charset=us-ascii
Hi.
I want to know if is possible that, for some site (sales.mydomain.com) the
proxy server send the "real ip".
Because i want to see in the logs of sales.mydomain.com the real ip of the
machine that are going (and not the proxy ip).
I know that i can see this in the log of squid... but, i want to know if it
is possible see this in the other server.
Thanks to all.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
------------------------------
Message: 4
Date: Tue, 12 Feb 2019 16:49:58 +0000
From: Joey Officer <JOfficer at istreamfs.com>
To: erdosain9 <erdosain9 at gmail.com>,
"squid-users at lists.squid-cache.org"
<squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Pass ip to server
Message-ID:
<DM5PR19MB1579C05FD36C83FF2D018DF8CD650 at DM5PR19MB1579.namprd19.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
I believe the option you are referring to is the 'forwarded_for' http header.
Reference this: http://www.squid-cache.org/Doc/config/forwarded_for/
Hope that helps you.
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of erdosain9
Sent: Tuesday, February 12, 2019 9:15 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Pass ip to server
Hi.
I want to know if is possible that, for some site (sales.mydomain.com) the proxy server send the "real ip".
Because i want to see in the logs of sales.mydomain.com the real ip of the machine that are going (and not the proxy ip).
I know that i can see this in the log of squid... but, i want to know if it is possible see this in the other server.
Thanks to all.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
Message: 5
Date: Tue, 12 Feb 2019 14:48:51 -0700
From: Alex Rousskov <rousskov at measurement-factory.com>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Filering HTTPS URLs - A complete
configuration
Message-ID:
<ed3096f0-fff0-2f8b-ddc5-e89cdbf92749 at measurement-factory.com>
Content-Type: text/plain; charset=utf-8
On 2/11/19 3:55 AM, Paul Doignon wrote:
>> The closest you are going to get to the above is with:
>> * bump everything[1], and
>> * use http_access to check the https:// URLs for your policy
>> * use "deny_info TCP_RESET" [2] on the blocked requests.
>>
>> [1] some things literally cannot be bumped. So a decision needs to be
>> made about what to do then.
> I guess adding this second line will terminate those un-bumpable requests?
No, that second ssl_bump line has no effect -- it will never be reached.
You are probably misinterpreting what was meant by "literally cannot be
bumped". What was meant by that phrase was that bumping certain
connections always results in client and/or server errors, regardless of
how you configure Squid. In those cases, Squid will still perform the
bump action if you tell it to bump, but that action will not lead to a
functioning tunnel through Squid.
In general, Squid itself cannot predict which connections can be
successfully bumped. You have to tell it (using ACLs, like the
whitelisted ACL in the example below).
> ssl_bump bump all
> ssl_bump terminate all
The first line emulates client-first bumping. That is not what you want.
To bump all connections, you could use something like this:
ssl_bump stare all
ssl_bump bump all
To bump all connections except whitelisted ones, you probably want
something like this:
ssl_bump splice whitelisted
ssl_bump stare all
ssl_bump bump all
... where whitelisted is your ACL implementing your white listing policy
(i.e. matching TLS connections that should be spliced). It may use
ssl::server_name and probably other ACLs.
More details at https://wiki.squid-cache.org/Features/SslPeekAndSplice
Alex.
------------------------------
Message: 6
Date: Wed, 13 Feb 2019 06:22:43 +0000 (UTC)
From: "leomessi983 at yahoo.com" <leomessi983 at yahoo.com>
To: <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID: <974828205.84661.1550038963335 at mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"
>> aka the 'bump' action.
> This part is misleading: Modern Squids _automatically_ bump connections
> to report [access denied] errors -- no explicit bump action is required
> (or even desirable). I do not know whether> * that bumping does not happen for leo (e.g., due to Squid bugs), or
> * it does happen, but the browser refuses to show the error page anyway
> .(because of certificate pinning and/or because Squid did not have enough
> information to properly bump the client connection using just step1
> knowledge).
> A packet capture or an ALL,2 cache.log may distinguish those two cases.
> Alex.
Hi Alex
Actually i don't understand if it could be done or not!!
Amos said it is impossible you said no!!
can you show me the correct configuration for blocking HTTPS requests with showing access denied page to clients?!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190213/d8a98891/attachment.html>
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 54, Issue 24
*******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190213/625df369/attachment-0001.html>
More information about the squid-users
mailing list