Re: [squid-users] Intercepted connections are not bumped [SOLVED]
On 11/27/23 16:59, Andrea Venturoli wrote:

> That behaviour is why we typically recommend doing "peek" first

Well, I thought this was what I was doing. As I said I had:

acl step1 at_step SslBump1
ssl_bump splice !bumphosts !jails
ssl_bump splice splicedom
ssl_bump peek step1
ssl_bump bump all

and I expected "peek step1" would decide what to do first.
However, it seems the order of directives matters more and I solved with:

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice !bumphosts !jails
ssl_bump splice splicedom
ssl_bump bump all

Both seem to work equally, however, when explicitly using the proxy.

bye & Thanks
av.

___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
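The ordering effect described above, as an added illustration that is not part of the thread and not Squid's own code: a small Python model of how Squid walks an ssl_bump list (the first matching rule at each SslBump step wins, an intercepted connection is a fake CONNECT to the raw destination IP at step 1, and the TLS SNI only becomes visible at step 2 after a peek). It runs both orderings from the message over constructed connections. The ACL names are the thread's; the `!jails` term is omitted because that ACL is never shown, and the `nobumpsites` regex entry, the 10.1.2.50 client and the 203.0.113.10 destination are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two ssl_bump orderings from the message ("!jails" dropped: that ACL
# is not defined anywhere in the thread).
ORIGINAL_ORDER = """
acl step1 at_step SslBump1
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump peek step1
ssl_bump bump all
"""

PEEK_FIRST_ORDER = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump bump all
"""

# Constructed ACL data standing in for "acl bumphosts src ..." and for the
# nobumpsites regex file (one made-up entry).
BUMPHOSTS = {"10.1.2.18"}
SPLICEDOM_RE = re.compile(r"(^|\.)example-bank\.test$", re.I)


@dataclass
class Conn:
    client_ip: str
    dst_ip: str            # TCP destination of the intercepted connection
    sni: Optional[str]     # TLS SNI; Squid only learns it by peeking


def parse_rules(config: str) -> List[Tuple[str, List[str]]]:
    """Keep only the ssl_bump lines as (action, [acl terms])."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return rules


def server_name(conn: Conn, step: int) -> str:
    # At SslBump1 an intercepted connection is a fake CONNECT to the raw
    # dst-IP:port, so name-based ACLs see the IP.  The SNI is available from
    # step 2 on, which this model only reaches after a peek at step 1.
    if step >= 2 and conn.sni:
        return conn.sni
    return conn.dst_ip


def acl_matches(name: str, conn: Conn, step: int) -> bool:
    if name == "bumphosts":
        return conn.client_ip in BUMPHOSTS
    if name == "splicedom":
        return bool(SPLICEDOM_RE.search(server_name(conn, step)))
    if name == "step1":
        return step == 1
    if name == "all":
        return True
    raise ValueError(f"unknown acl {name!r}")


def rule_matches(terms: List[str], conn: Conn, step: int) -> bool:
    # Every term on the line must match; a leading '!' negates that term.
    return all(acl_matches(t.lstrip("!"), conn, step) != t.startswith("!")
               for t in terms)


def decide(config: str, conn: Conn) -> List[Tuple[int, str, str]]:
    """Trace of (step, action, name the decision was made against).
    First matching rule wins per step; no match means splice (Squid's
    default); a splice or bump ends the evaluation, a peek goes on."""
    rules = parse_rules(config)
    trace = []
    for step in (1, 2):
        action = "splice"
        for candidate, terms in rules:
            if rule_matches(terms, conn, step):
                action = candidate
                break
        trace.append((step, action, server_name(conn, step)))
        if action != "peek":
            break
    return trace


def final_action(config: str, conn: Conn) -> str:
    return decide(config, conn)[-1][1]


if __name__ == "__main__":
    cases = {
        "bumphosts client, google": Conn("10.1.2.18", "142.251.209.36", "www.google.com"),
        "other client, google":     Conn("10.1.2.50", "142.251.209.36", "www.google.com"),
        "bumphosts client, bank":   Conn("10.1.2.18", "203.0.113.10", "www.example-bank.test"),
    }
    for label, conn in cases.items():
        print(label)
        print("  original  :", decide(ORIGINAL_ORDER, conn))
        print("  peek first:", decide(PEEK_FIRST_ORDER, conn))
```

The trace makes the difference visible: with the original ordering, any splice rule that matches at step 1 is decided against the raw destination IP and the connection is tunnelled without Squid ever reading the ClientHello, whereas with `peek step1` first every connection reaches step 2, where the splice and bump rules see the real SNI (and access.log records that name instead of the IP). Whether that is the whole story for the thread's symptom depends on the contents of the nobumpsites file, which the thread does not show.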
Re: [squid-users] Intercepted connections are not bumped
On 11/27/23 11:11, Amos Jeffries wrote:

First off, thanks for answering.

> For further assistance please also show your http_access and ACL config
> lines. They will be needed for a better analysis of what is going on.

I'll start from here. It's quite long, but a reduced example is:

acl localnet src 10.1.2.0/24
acl bumphosts src 10.1.2.18
acl SSL_ports port 443
acl SSL_ports port 563 801 3001 8443 19996 19997
acl Safe_ports port 80 # http
acl Safe_ports port 800
acl ftptraffic myportname ftpport
acl fetched_certificate transaction_initiator certificate-fetching
acl splicedom ssl::server_name_regex -i "/usr/local/etc/squid/nobumpsites"
acl step1 at_step SslBump1
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump peek step1
ssl_bump bump all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
adaptation_access service_req deny ftptraffic
adaptation_access service_resp deny ftptraffic
http_access allow localnet
http_access allow localhost

For the sake of an example, let's say I connect from 10.1.2.18 to www.google.com.

> FYI, Intercepted traffic first gets interpreted as a CONNECT tunnel to the
> TCP dst-IP:port and processed by http_access to see if the client is
> allowed to make that type of connection.

Fine. Traffic is in fact allowed.

> To guess based on the info provided above I suspect that the fake-CONNECT
> raw-IP does not match your "bumphosts" ACL test. Causing that "ssl_bump
> splice !bumphosts" to occur.

Not sure I understand what you mean: is raw-IP the source (in my case 10.1.2.18) or the destination IP (142.251.209.36)?
"bumphosts" ACLs are local clients (those that SSLBump should be applied to): 10.1.2.18 is in this list (in fact it gets SSLBump if explicitly using the proxy).

This is what I see in the logs for an intercepted connection (after it's closed):

1701100166.601   2203 10.1.2.18 TCP_TUNNEL/500 6622 CONNECT 142.251.209.36:443 - ORIGINAL_DST/142.251.209.36 -

This is what I see using a proxy-aware application:

1701100243.374    172 10.1.2.18 TCP_MISS/200 49333 GET https://www.google.com/? - HIER_DIRECT/142.251.209.36 text/html

> That behaviour is why we typically recommend doing "peek" first, then the
> splice checks can be based on whatever TLS SNI value is found.

I don't think it should matter: neither www.google.com nor 142.251.209.36 is in any ACL.
Or did I understand wrong? Is this needed for intercepted SSLBump?

>> I think it worked in the past: has anything changed in this regard with
>> Squid 6?
>
> Changed since what version? Over time a lot of small changes can add up to
> large differences.

I first noticed this on 6.4.
Unfortunately I don't remember which version I was using at the time I set this up, maybe 5.x, maybe even 4.x.

bye & Thanks
av.
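The two access.log lines above are the signatures a practitioner checks when verifying whether intercepted TLS is actually being bumped: a CONNECT to a raw IP:port routed via ORIGINAL_DST means the bytes were tunnelled undecrypted, while a request line with an https:// URL can only appear once Squid has decrypted the session. The following is an added example, not part of the thread and not a Squid tool: a Python parser for Squid's default native log format that classifies entries that way. The two sample lines are taken from the message; the third is constructed to show a plain-HTTP entry.

```python
import re
from collections import Counter
from typing import Dict, List

# Squid's default native access.log layout:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# First two lines come from the thread; the third is a constructed plain-HTTP hit.
SAMPLE_LOG = [
    "1701100166.601   2203 10.1.2.18 TCP_TUNNEL/500 6622 CONNECT 142.251.209.36:443 - ORIGINAL_DST/142.251.209.36 -",
    "1701100243.374    172 10.1.2.18 TCP_MISS/200 49333 GET https://www.google.com/? - HIER_DIRECT/142.251.209.36 text/html",
    "1701100250.101     40 10.1.2.18 TCP_HIT/200 1234 GET http://www.example.test/ - HIER_NONE/- text/html",
]


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> str:
    """Label what Squid did with the connection this entry describes."""
    if entry["method"] == "CONNECT":
        host = entry["url"].rsplit(":", 1)[0]
        # Intercepted traffic that was spliced stays a fake CONNECT to the
        # raw destination IP and is forwarded to the original destination.
        if IPV4_RE.match(host) and entry["hier"] == "ORIGINAL_DST":
            return "tunneled-intercept"
        return "connect"
    if entry["url"].startswith("https://"):
        # A decrypted request line exists only when Squid bumped the session.
        return "decrypted"
    return "plain-http"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count classifications over a batch of log lines."""
    return dict(Counter(classify(parse_line(l)) for l in lines))


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_line(line)
        print(f"{e['client']} {e['method']:7} {e['url']:32} -> {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real access.log, a non-zero `tunneled-intercept` count for clients that are expected to be bumped is the quickest confirmation of the symptom discussed in this thread; note the classifier only recognises Squid's default "squid" logformat, so adapt LOG_RE if a custom logformat is in use.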
Re: [squid-users] Intercepted connections are not bumped
On 23/11/23 23:05, Andrea Venturoli wrote:
> Hello.
>
> I've got the following config:
>
> ...
> http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ...
> acl step1 at_step SslBump1
> ssl_bump splice !bumphosts
> ssl_bump splice splicedom
> ssl_bump peek step1
> ssl_bump bump all
> ...
>
> So I've got port 8080 where proxy-aware clients connect and 3129, which is
> fed intercepted https connections by ipfw.
> Problem is: if a client connects explicitly via proxy (port 8080) it gets
> SSLBumped; if a client simply connects to its destination https port (so
> directed to 3129) it is tunneled.
>
> Anything wrong in my config?

FYI, Intercepted traffic first gets interpreted as a CONNECT tunnel to the TCP dst-IP:port and processed by http_access to see if the client is allowed to make that type of connection.

To guess based on the info provided above I suspect that the fake-CONNECT raw-IP does not match your "bumphosts" ACL test. Causing that "ssl_bump splice !bumphosts" to occur.

That behaviour is why we typically recommend doing "peek" first, then the splice checks can be based on whatever TLS SNI value is found.

For further assistance please also show your http_access and ACL config lines. They will be needed for a better analysis of what is going on.

> I think it worked in the past: has anything changed in this regard with
> Squid 6?

Changed since what version? Over time a lot of small changes can add up to large differences.

HTH
Amos
[squid-users] Intercepted connections are not bumped
Hello.

I've got the following config:

...
http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
...
acl step1 at_step SslBump1
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump peek step1
ssl_bump bump all
...

So I've got port 8080 where proxy-aware clients connect and 3129, which is fed intercepted https connections by ipfw.
Problem is: if a client connects explicitly via proxy (port 8080) it gets SSLBumped; if a client simply connects to its destination https port (so directed to 3129) it is tunneled.

Anything wrong in my config?
I think it worked in the past: has anything changed in this regard with Squid 6?

bye & Thanks
av.