[squid-users] Issue with SSL_BUMP and Office365 (for one...)
J. Dierkse
j.dierkse at madeo.nl
Fri Jun 5 06:55:07 UTC 2020
On 05-Jun-20 00:11:44, Alex Rousskov <rousskov at measurement-factory.com> wrote:
On 6/4/20 4:21 PM, J. Dierkse wrote:
> I use it to intercept HTTP and HTTPS traffic in my network, and based on
> several ACLs forward it to different peer proxies.
> This is where the DNS load balancing trickery becomes a hassle for HTTPS
> connections;
> What I would like to do is if the request hostname matches an ACL
> (dstdomain or ssl::server_name), only do a splice for all ssl_bump
> steps.
That goal needs polishing or rephrasing -- one cannot splice more than
once -- but I think I know what you mean.
Correct, of course splice is the end of the chain, my bad.
The main thing I want to achieve is to setup the connection through different types of privacy proxies, depending on the target domain.
For this I don't really need bumping, if I understand the protocol correctly, I just need to peek to check what the target domain is.
Unfortunately, peeking has the side effect of detecting false-positive host forgery errors, due to Microsoft's DNS load balancing strategy.
> Otherwise do a peek for step1 and a splice afterwards.
Here is a sketch for v5. Sorry, I do not remember if v4 is equally
capable (but it very well may be):
# splice as soon as we detect specialHost
ssl_bump splice specialHost
# peek to get more info if needed
ssl_bump peek all
# optional: splice if we never detect specialHost
ssl_bump splice all
... where specialHost is an ssl::server_name ACL.
I tried this configuration, but it doesn't give the desired effect.
In 4.11 it doesn't seem to splice at all, but bump for some reason (is it correct not to refer to any bump steps?)
> without having to build a version of squid with the host forgery detection turned
> off...? :))
Those errors are a separate issue. Even the best possible ssl_bump
configuration can trigger them. They have been discussed many times on
this list before but if you have some new questions about them, please ask.
I know these errors have been a hot topic, and from what I can find (also in this mailing list) is that it should not block the connection.
Frankly, I couldn't care less about the errors themselves, as long as the connection is still allowed.
However, this is not what I'm experiencing. What I'm seeing is that when the error occurs, my outlook apps can no longer connect to the server.
What am I doing wrong...?
Thanks!
J. Dierkse
HTH,
Alex.
>
> The relevant portion of my configuration is as follows.
>
> -snip-
>
> acl local dst 192.168.0.0/16
>
> acl microsoft dstdomain .microsoft.com
> acl microsoft dstdomain .teams.microsoft.com
> acl microsoft dstdomain .office365.com
> acl microsoft dstdomain .office.com
> acl microsoft dstdomain .office.net
> acl microsoft dstdomain .outlook.com
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump cert=/etc/certificates/SquidCA.pem
> key=/etc/certificates/SquidCA.pem
>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 16MB
> sslcrtd_children 8 startup=1 idle=1
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek step1 !microsoft !local
> ssl_bump splice step2 !microsoft !local
> ssl_bump splice step3 !microsoft !local
>
> -snip-
>
> Thanks!
>
>
> Best Regards,
>
>
> J. Dierkse
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200605/eb0cd035/attachment.html>
More information about the squid-users
mailing list