[squid-users] Issue with SSL_BUMP and Office365 (for one...)

J. Dierkse j.dierkse at madeo.nl
Thu Jun 4 20:21:48 UTC 2020


Hi all,

I'm new to this mailing list, and I would like to start off by saying that I really love the Squid product.
I use it to intercept HTTP and HTTPS traffic in my network, and based on several ACLs forward it to different peer proxies.
This is where the DNS load balancing trickery becomes a hassle for HTTPS connections;

What I would like to do is if the request hostname matches an ACL (dstdomain or ssl::server_name), only do a splice for all ssl_bump steps. Otherwise do a peek for step1 and a splice afterwards.
My thinking is that this would be a nice workaround for the Office365 headache of TTLs of 5 seconds on the outlook.office365.com hostname.
However, this doesn't seem to work; I can't seem to trigger the "only splice" using any of the ACLs, and I keep getting the "Host header forgery" errors. (which on my Squid 4.11 version don't seem to be server, regardless of what I'm reading in various locations)
The only way I'm able to work around this for now is to create an ACL for all the possible IPs, and only splice for these (Blegh).

Is there any way to achieve what I would like to have? (without having to build a version of squid with the host forgery detection turned off...? :))

The relevant portion of my configuration is as follows.

-snip-

acl local dst 192.168.0.0/16


acl microsoft dstdomain .microsoft.com
acl microsoft dstdomain .teams.microsoft.com
acl microsoft dstdomain .office365.com
acl microsoft dstdomain .office.com
acl microsoft dstdomain .office.net
acl microsoft dstdomain .outlook.com

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/certificates/SquidCA.pem key=/etc/certificates/SquidCA.pem

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 16MB
sslcrtd_children 8 startup=1 idle=1

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek   step1 !microsoft !local
ssl_bump splice step2 !microsoft !local
ssl_bump splice step3 !microsoft !local

-snip-

Thanks!


Best Regards,


J. Dierkse
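The behaviour described in the post can be traced through with a small model of Squid's per-step ssl_bump evaluation. The script below is an added illustration, not Squid's code and not the poster's configuration: it models first-match rule evaluation at SslBump1 and SslBump2, the fact that hostname ACLs (dstdomain / ssl::server_name) have nothing to match at step 1 because the SNI is only learned by a peek, and the host-forgery comparison that runs once the SNI is known. The default action when no rule matches is assumed here to be a plain splice (tunnel without decrypting), and every IP address and DNS answer is constructed sample data, with the 203.0.113.0/24 block standing in for a real Microsoft address list.

```python
"""Simplified model of Squid's step-by-step ssl_bump evaluation.

Added illustration, not Squid's code and not the poster's configuration.
It models three things the post relies on:
  * ssl_bump rules are first-match and are evaluated again at every step;
  * at SslBump1 only the original destination IP is known, so hostname
    ACLs (dstdomain / ssl::server_name) cannot match there;
  * once a peek reveals the SNI, the intercepted destination IP is compared
    with what that name resolves to *now* (the host-forgery check).
The default when no rule matches is modelled as "splice" (assumption), and
all IP addresses and DNS answers below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Conn:
    dst_ip: str                 # where the client's intercepted TCP connection was going
    client_sni: str             # name the client will put in its ClientHello
    sni: Optional[str] = None   # what Squid knows so far: None until a peek
    actions: List[str] = field(default_factory=list)
    forgery_alert: bool = False


Acl = Callable[[Conn], bool]
Rule = Tuple[str, int, List[Acl]]   # (action, at_step, ACLs that must all match)


def dstdomain(*suffixes: str) -> Acl:
    """Hostname ACL: can only match after the SNI has been learned."""
    def match(c: Conn) -> bool:
        if c.sni is None:
            return False
        return any(c.sni == s.lstrip(".") or c.sni.endswith(s) for s in suffixes)
    return match


def dst(*cidrs: str) -> Acl:
    """Address ACL: usable at every step, including SslBump1."""
    nets = [ipaddress.ip_network(n) for n in cidrs]
    def match(c: Conn) -> bool:
        ip = ipaddress.ip_address(c.dst_ip)
        return any(ip in n for n in nets)
    return match


def negate(acl: Acl) -> Acl:
    return lambda c: not acl(c)


def first_match(rules: List[Rule], step: int, c: Conn) -> str:
    for action, at_step, acls in rules:
        if at_step == step and all(a(c) for a in acls):
            return action
    return "splice"   # modelled default: no rule matched -> plain TCP tunnel


def simulate(rules: List[Rule], c: Conn, resolve: Callable[[str], Set[str]]) -> Conn:
    """Run SslBump1 and, if the connection was peeked, SslBump2."""
    c.actions.append(first_match(rules, 1, c))
    if c.actions[-1] == "splice":
        return c          # tunnelled blind: ClientHello never parsed, no forgery check
    c.sni = c.client_sni  # peek: Squid read the ClientHello and now knows the name
    # Host-forgery check: the original destination must be among the addresses
    # the SNI resolves to at this moment. With a 5-second TTL and rotating
    # answers, the client's earlier lookup and Squid's fresh one can disagree.
    c.forgery_alert = c.dst_ip not in resolve(c.sni)
    c.actions.append(first_match(rules, 2, c))
    return c


microsoft = dstdomain(".microsoft.com", ".office365.com", ".office.com",
                      ".office.net", ".outlook.com")
local = dst("192.168.0.0/16")

# The posted rule set: every rule excludes 'microsoft', so Microsoft names
# never get an explicit action, and nothing can splice them at step 1 anyway.
POSTED_RULES: List[Rule] = [
    ("peek",   1, [negate(microsoft), negate(local)]),
    ("splice", 2, [negate(microsoft), negate(local)]),
    ("splice", 3, [negate(microsoft), negate(local)]),
]

# The IP-list workaround: an address ACL can match at step 1, so the
# connection is spliced before any SNI is seen.
ms_ips = dst("203.0.113.0/24")          # constructed, stands in for a real IP list
IP_LIST_RULES: List[Rule] = [("splice", 1, [ms_ips])] + POSTED_RULES


def constructed_resolver(name: str) -> Set[str]:
    """Stands in for DNS; the answer for the Office 365 name has already rotated."""
    table = {
        "outlook.office365.com": {"203.0.113.9", "203.0.113.10"},
        "example.org": {"198.51.100.7"},
    }
    return table.get(name, set())


def run(rules: List[Rule], dst_ip: str, client_sni: str) -> Conn:
    return simulate(rules, Conn(dst_ip=dst_ip, client_sni=client_sni), constructed_resolver)


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("ip-list", IP_LIST_RULES)):
        c = run(rules, "203.0.113.5", "outlook.office365.com")
        print(f"{label:8} actions={c.actions} sni_seen={c.sni} forgery_alert={c.forgery_alert}")
```

Running it shows the two outcomes the post contrasts: with the posted rules a connection to an Office 365 address is peeked at step 1 (the hostname ACL cannot match yet), the SNI then makes the forgery check fire because the rotated DNS answer no longer contains the client's destination, and only then does the connection fall to the default splice; with an address ACL in front, the splice happens at step 1 and the ClientHello is never inspected, which is why the IP-list workaround is the one that avoids the alert.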

