Re: [squid-users] disable https inspection for licensing some apps

2022-05-19 Thread robert k Wild
I worked it out: my "no HTTPS interception" was working on websites if I
put the URL in that txt file

nointercept.txt

But I needed to make a proxy.ini file as well on the host in question, for
it to point to the proxy.

Once it pointed to the proxy I could then monitor the traffic and see what
URL I needed to whitelist and put in the no SSL interception.

Once I did that, all good.

Thanks guys, much appreciated.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] disable https inspection for licensing some apps

2022-05-18 Thread Eliezer Croitoru
Hey Alex,

I have started working on some external_acl helper that will probe the
server certificate like what ufdbguard does but will be written
probably in another language than C++ ... ie scripting or GoLang or Rust.
The idea is that there will be some cache or DB that will store information
about an IP+port paired with SNI.
A storage engine like a cache would help to "know" enough about the server
to ultimately decide if there is a risk in splicing this specific
connection.
It's also possible that the first time that the request passes through
the proxy it will be bumped to probe the connection for more information
when possible.

In general for commercial products there is either a CDN service or a
dedicated service.
These usually are not the risk for the proxy users and can be spliced.
The main issue is if one service on a specific IP serves more than one
domain that contains different content.
The best example is Google's CDN network that might serve on the same IP and
certificate and SNI (because of HTTP/2.0) different domains.

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
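A working sketch of the probe-and-cache helper idea above, added here as an example and not Eliezer's, NgTech's or Squid's own code: it speaks the external_acl helper line protocol (one request line in, one OK/ERR/BH line out), probes the origin once per (IP, port, SNI) with a verified TLS handshake, caches the certificate's names, and only answers OK (safe to splice) when the SNI is covered by that certificate and the certificate is not a broad shared one. It assumes Squid hands it lines in the format "%DST %PORT %ssl::>sni" (an assumed external_acl_type format); the function names and the 10-name threshold are mine.

```python
import socket
import ssl
import sys

# Assumed request line from Squid: "<dst-host-or-ip> <port> <sni>" ("-" = no SNI).
CERT_NAMES = {}      # cache: (ip, port, sni) -> DNS names from the verified server cert
MAX_SAN_NAMES = 10   # a cert covering many names looks like a shared CDN cert: bump

def probe_server_cert(ip, port, sni, timeout=5.0):
    """Verified TLS handshake to ip:port with the client's SNI; return SAN DNS names."""
    ctx = ssl.create_default_context()          # verification stays ON
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}

def name_matches(sni, names):
    """Exact match, or a single-label wildcard such as *.example.com."""
    sni = sni.lower()
    parent = sni.split(".", 1)[1] if "." in sni else None
    return any(n == sni or (n.startswith("*.") and n[2:] == parent) for n in names)

def decide(ip, port, sni, probe=probe_server_cert):
    """Return 'OK' (safe to splice) or 'ERR' (bump) for one CONNECT."""
    if sni in ("", "-"):
        return "ERR"                            # no SNI: nothing to compare, bump
    key = (ip, port, sni.lower())
    if key not in CERT_NAMES:                   # first sight: probe once, then cache
        try:
            CERT_NAMES[key] = set(probe(ip, port, sni))
        except (OSError, ssl.SSLError, ValueError):
            CERT_NAMES[key] = set()             # unverifiable or unreachable: never splice
    names = CERT_NAMES[key]
    if len(names) > MAX_SAN_NAMES:
        return "ERR"                            # shared certificate: bump
    return "OK" if name_matches(sni, names) else "ERR"

def main():
    # Helper protocol: one request line in, one OK/ERR/BH reply line out, flushed.
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            print("BH", flush=True)             # malformed request: helper error
            continue
        print(decide(parts[0], int(parts[1]), parts[2]), flush=True)

if __name__ == "__main__":
    main()
```

The probe keeps certificate verification on deliberately: a server whose certificate does not verify for the requested SNI is exactly the one you want bumped, not spliced.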



Re: [squid-users] disable https inspection for licensing some apps

2022-05-18 Thread Alex Rousskov

On 5/18/22 12:28, robert k Wild wrote:

> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all

OK, the above configuration makes the splice/bump decision based on 
plain text information provided by the TLS client.

> and in the nointercept.txt
> i have the url in there


ssl::server_name needs a host/domain name, not a regular URL. No URLs 
are exchanged in plain text between TLS client and the origin server.


Please note that, even after adjusting nointercept.txt to contain domain 
name(s), the above configuration may not always work in modern Squids: 
It will work when the client sends a matching domain name


* in the CONNECT request headers (and sends no TLS SNI at all)
* in the CONNECT request headers and in TLS SNI
* in TLS SNI (the CONNECT request headers should not matter).

It will also work when a CONNECT request is using an IP address that 
reverse-resolves to a matching domain name (which is not overwritten by 
a mismatching SNI).


In all other cases, Squid will bump traffic even if it is ultimately 
going to the server named in nointercept.txt.


There is no configuration that will address all possible cases in 
general. TLS makes that impossible (at least not without probing TLS 
origin servers which is something Squid does not do yet).



HTH,

Alex.



Re: [squid-users] disable https inspection for licensing some apps

2022-05-18 Thread robert k Wild
I'm using this

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointercept.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

and in the nointercept.txt

I have the URL in there; also I have it in the URL whitelist so it
can actually see the URL.

Is there something else I need to add for this to work?

Or maybe some websites, i.e. the license website, just don't like going
through a proxy.



-- 
Regards,

Robert K Wild.


[squid-users] disable https inspection for licensing some apps

2022-05-18 Thread robert k Wild
Hi all,

I have Squid proxy configured as SSL bump and I whitelist some websites
only.

But for some websites I don't want to inspect HTTPS traffic as it breaks the
cert when I want to license some apps via the URL (whitelisted URL).

How can I disable HTTPS inspection for some websites please?

Many thanks,
rob

-- 
Regards,

Robert K Wild.