[squid-users] Best way to prevent squid from bumping CONNECTs
Scott
3m9n51s2ewut at thismonkey.com
Mon May 4 02:41:08 UTC 2020
On Thu, Apr 30, 2020 at 04:05:43PM -0400, Alex Rousskov wrote:
> On 4/30/20 12:10 PM, Scott wrote:
>
> >> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
> >> are sent to the SslBump code.
> >>
> >> * For https_port configured with an ssl-bump flag, all traffic is sent
> >> to the SslBump code (by faking a corresponding HTTP CONNECT request).
>
>
> > These `fake' CONNECT requests I assume only contain the IP address of the
> > upstream server, not the hostname, as intercepted SSL connections are TCP
> > OPENs.
>
> Modern Squid replaces TCP-derived destination IP address with TLS
> SNI-derived domain name when generating the second fake CONNECT request.
> The second CONNECT is generated during SslBump step2, after parsing TLS
> client handshake.
>
>
> > Am I right then in saying that using ssl::server_name is useless for bumped
> > intercepted connections?
>
> It may be useful for ACLs checked during SslBump step2 (because it will
> check the TLS client SNI-derived domain name) and during step3 (when it
> will check TLS server certificate-derived CN and SubjectAltName).
acl tcp_open_connect_sslbump at_step SslBump1
acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
acl guest_net_src src x.y.z.0/24
ssl_bump peek tcp_open_connect_sslbump   # step 1: only the TCP destination is known, peek to get the SNI
ssl_bump splice ssl_splice_sni           # step 2/3: server name is on the splice list
ssl_bump bump guest_net_src
ssl_bump splice
where I splice instead of bump for destinations that are often used with
certificate pinning software (.apple.com with iOS for example).
https://wiki.squid-cache.org/Features/SslPeekAndSplice says "At no point
during ssl_bump processing will dstdomain ACL work".
Does that also imply that `ssl::server_name' won't work (or is not required)
for `http_access' statements?
I have config like this:
acl no_proxy_dstdomain dstdomain "/usr/local/etc/squid/acls/no_proxy_dstdomain"
http_access deny no_proxy_dstdomain
acl no_proxy_sni ssl::server_name "/usr/local/etc/squid/acls/no_proxy_dstdomain"
http_access deny no_proxy_sni
Are the last two lines redundant?
Or are they required for spliced connections?
Or should I just convert those lines into ssl_bump terminate no_proxy_sni ?
And finally, I want to use a different outgoing tcp address for intercepted
connections. What's the best ACL to match those? Or should I just match
explicit proxy connections by port? (ie !myport 3128)
Thanks for your help,
Scott
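As an added illustration (not code from this thread or from Squid itself) of what Alex describes above, the Python below parses the SNI out of a TLS ClientHello and replays the decision order of the ssl_bump rules quoted in the post: at step 1 only the TCP destination address exists, so a rule keyed on ssl::server_name cannot see a hostname yet and the rule set peeks; at step 2 the SNI (if present) replaces the IP as the server name and the splice/bump rules can be evaluated against it. The ClientHello bytes are constructed in the script, not captured. The suffix semantics are modelled after dstdomain (a leading dot matches the domain and its subdomains); treating ssl::server_name as matching the same way is an assumption, check the ACL documentation for your Squid version.

```python
"""Added example: what Squid's SslBump steps can see, replayed in Python.

Not Squid code. ssl::server_name suffix matching is modelled after
dstdomain (assumption). ClientHello bytes are constructed here for testing.
"""
import ipaddress
import struct

SNI_EXT_TYPE = 0x0000  # TLS extension "server_name" (RFC 6066)


def build_client_hello(sni, with_sni=True):
    """Constructed minimal TLS 1.2 ClientHello for offline testing (not a capture)."""
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info, exercises ext skipping
    if with_sni:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                  # client_version, random
            + b"\x00"                                 # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the lowercased host_name from the SNI extension, or None.

    None also covers a truncated record, which is what a proxy sees while it
    is still buffering the client handshake at step 2.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                               # need more bytes
        pos = 2 + 32                                  # skip client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != SNI_EXT_TYPE:
                continue
            p = 2                                     # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii").lower()
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def server_name_matches(name, acl_entries):
    """dstdomain-style suffix match (assumed semantics for ssl::server_name)."""
    name = name.lower()
    for entry in (e.lower() for e in acl_entries):
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def ssl_bump_decision(step, client_src, dst_ip, client_hello, splice_sni, guest_net):
    """Replay the thread's ssl_bump rule order; returns (action, server name seen)."""
    if step == 1:
        # at_step SslBump1: only the TCP destination is known, so a rule keyed
        # on ssl::server_name cannot match a hostname yet -> peek.
        return "peek", dst_ip
    server_name = parse_sni(client_hello) or dst_ip     # SNI replaces the IP when present
    if server_name_matches(server_name, splice_sni):
        return "splice", server_name                     # ssl_bump splice ssl_splice_sni
    if ipaddress.ip_address(client_src) in ipaddress.ip_network(guest_net):
        return "bump", server_name                       # ssl_bump bump guest_net_src
    return "splice", server_name                         # ssl_bump splice (default)


if __name__ == "__main__":
    hello = build_client_hello("push.apple.com")
    for step in (1, 2):
        print(step, ssl_bump_decision(step, "10.9.8.7", "17.0.0.1", hello, [".apple.com"], "10.9.8.0/24"))
```

Run it as-is to see the step 1 result carry only the destination IP while step 2 carries the SNI-derived name; feed a ClientHello without an SNI extension and the server name stays the IP, which is also why a splice list of domain names never matches a client that omits SNI.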