[squid-users] Issue with SSL_BUMP and Office365 (for one...)

Alex Rousskov rousskov at measurement-factory.com
Thu Jun 4 22:11:34 UTC 2020


On 6/4/20 4:21 PM, J. Dierkse wrote:

> I use it to intercept HTTP and HTTPS traffic in my network, and based on
> several ACLs forward it to different peer proxies.
> This is where the DNS load balancing trickery becomes a hassle for HTTPS
> connections;

> What I would like to do is if the request hostname matches an ACL
> (dstdomain or ssl::server_name), only do a splice for all ssl_bump
> steps. 

That goal needs polishing or rephrasing -- one cannot splice more than
once -- but I think I know what you mean.


> Otherwise do a peek for step1 and a splice afterwards.


Here is a sketch for v5. Sorry, I do not remember if v4 is equally
capable (but it very well may be):

    # splice as soon as we detect specialHost
    ssl_bump splice specialHost
    # peek to get more info if needed
    ssl_bump peek all
    # optional: splice if we never detect specialHost
    ssl_bump splice all

... where specialHost is an ssl::server_name ACL.


> without having to build a version of squid with the host forgery detection turned
> off...? :))

Those errors are a separate issue. Even the best possible ssl_bump
configuration can trigger them. They have been discussed many times on
this list before but if you have some new questions about them, please ask.


HTH,

Alex.




> 
> The relevant portion of my configuration is as follows.
> 
> -snip-
> 
> acl local dst 192.168.0.0/16
> 
> acl microsoft dstdomain .microsoft.com
> acl microsoft dstdomain .teams.microsoft.com
> acl microsoft dstdomain .office365.com
> acl microsoft dstdomain .office.com
> acl microsoft dstdomain .office.net
> acl microsoft dstdomain .outlook.com
> 
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump cert=/etc/certificates/SquidCA.pem key=/etc/certificates/SquidCA.pem
> 
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 16MB
> sslcrtd_children 8 startup=1 idle=1
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> ssl_bump peek   step1 !microsoft !local
> ssl_bump splice step2 !microsoft !local
> ssl_bump splice step3 !microsoft !local
> 
> -snip-
> 
> Thanks!
> 
> 
> Best Regards,
> 
> 
> J. Dierkse
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
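The quoted configuration with Alex's sketch dropped in, as an added example that is not from the thread or from the Squid project. The hostname ACLs become ssl::server_name (an intercepted TLS connection has no hostname to match until the ClientHello has been peeked), the explicit splice of "local" traffic and the per-step comments are this editor's additions, and ports, certificate paths and the sslcrtd settings are assumed unchanged from the quoted config:

```conf
# Added example: poster's ACLs + Alex's v5 sketch. Not code from the thread.
# Assumes the same ports, paths and peer setup as the quoted configuration.

acl local dst 192.168.0.0/16

# ssl::server_name matches SNI (step 2) and certificate names (step 3);
# .microsoft.com already covers .teams.microsoft.com
acl microsoft ssl::server_name .microsoft.com
acl microsoft ssl::server_name .office365.com
acl microsoft ssl::server_name .office.com
acl microsoft ssl::server_name .office.net
acl microsoft ssl::server_name .outlook.com

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/certificates/SquidCA.pem key=/etc/certificates/SquidCA.pem

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 16MB
sslcrtd_children 8 startup=1 idle=1

# ssl_bump rules are re-evaluated at each step; the first rule that matches
# and whose action is allowed at that step wins, and splice is final.
#
# Step 1: only the intercepted destination IP is known. "local" (a dst ACL)
#         can match here and is spliced untouched (editor's addition);
#         "microsoft" cannot match yet, so "peek all" reads the ClientHello
#         to learn the SNI.
# Step 2: SNI is known. A Microsoft SNI matches "microsoft" and is spliced
#         immediately; everything else is peeked again to see the server
#         certificate, which lets "microsoft" still match by certificate name
#         at step 3 for clients that sent no SNI.
# Step 3: peek cannot be chosen at the last step, so whatever is still
#         undecided is spliced by "splice microsoft" or "splice all".
ssl_bump splice local
ssl_bump splice microsoft
ssl_bump peek all
ssl_bump splice all
```

Keeping a dstdomain ACL for the same hostnames is fine for the plain-HTTP ports, but it is not a substitute here: at step 1 of an intercepted TLS connection it has no request host to match, which is why the quoted rules never saw the Microsoft hostnames.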
