[squid-users] Sslbump Not working for transparent proxy

Amos Jeffries squid3 at treenet.co.nz
Sat Mar 2 03:16:38 UTC 2019


On 2/03/19 8:54 am, Joseph Jones wrote:
> I've been trying to get SslBump work for whitelist purposes and so far
> have been failing.
> 
> It's my understanding in order for SslBump to do whitelist it will
> need to do a splice at step2 or step3.

Not quite. For intercepted traffic you do need a peek at step1 to get
the TLS SNI details. Before that Squid only has raw-IP.


But your problem is earlier than even step1. Before bumping starts Squid
synthesizes a CONNECT message to check if the client is allowed to even
make requests of the proxy. This uses the TCP SYN packet src-IP as
message URI.


Your http_access permissions being *only* these:

 http_access allow localnet http_whitelist
 http_access deny all


... the raw-IP URI will not match true for the whitelist check, leaving
the deny to reject the client.


Then we get to the SSL-Bump. Since the decision has already been made to
reject this client all Squid does is the peek and client-first bump
actions. These happen in order to deliver that denial page in a form
that Browsers will most likely display (no guarantee though).


What you need to avoid this too-early denial is to allow the CONNECT which
happens on the interception port. Add these lines above your deny all:

  acl port3129 myportname 3129
  http_access allow CONNECT port3129



PS. I also advise leaving the Safe_ports and SSL_ports checks from the
default config as they were. They have no effect on any of the SSL-Bump
activity and protect your proxy against several types of DoS and other
nasty attacks.


Amos
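Pulling the advice in this reply together into one squid.conf fragment, as an added example that is not from the original thread or from the Squid project itself: the ordering quoted from the question, commented out, beside the corrected ordering. The thread only names `localnet`, `http_whitelist` and port 3129; the `https_port` options and certificate path, the `localnet` address range, the whitelist domains, the use of `dstdomain` for `http_whitelist`, the `ssl::server_name` ACL used for the splice decision, and the `Safe_ports`/`SSL_ports` definitions copied from the stock default config are assumptions filled in for illustration.

```conf
# Transparent TLS interception port. With no name= option Squid names a
# port by its number, which is what "myportname 3129" below matches.
# Certificate path and cache size are assumed placeholders.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem

# Stock default-config port checks (kept, as the reply recommends).
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777

acl localnet src 192.168.0.0/16      # assumed client range
acl port3129 myportname 3129
acl step1 at_step SslBump1

# Whitelist. dstdomain is assumed for the question's http_whitelist ACL;
# ssl::server_name matches the SNI that becomes known after the peek.
acl http_whitelist dstdomain .example.com .example.org
acl whitelist_sni ssl::server_name .example.com .example.org

# --- Ordering from the question. The CONNECT Squid synthesizes for an
# --- intercepted connection carries only a raw IP as URI, so the domain
# --- whitelist cannot match and "deny all" fires before the peek ever runs.
# http_access allow localnet http_whitelist
# http_access deny all

# --- Corrected ordering: let the intercepted CONNECT through so bumping
# --- can reach step1; the domain whitelist is then enforced by ssl_bump.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT port3129
http_access allow localnet http_whitelist
http_access deny all

# Peek at step1 to learn the SNI, splice (pass through untouched) the
# whitelisted servers, and terminate every other TLS connection.
ssl_bump peek step1
ssl_bump splice whitelist_sni
ssl_bump terminate all
```

Note what the extra `allow CONNECT port3129` line changes: every intercepted CONNECT on port 3129 now passes http_access, so the whitelist decision for intercepted TLS is made by the `ssl_bump` rules rather than by `http_access`, and a non-whitelisted SNI is terminated instead of receiving a denial page. Check the syntax with `squid -k parse` before reloading.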

