Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-22 Thread Christos Tsantilas

On 22/2/22 9:45 PM, Eliezer Croitoru wrote:

> Just to mention that once Squid is not splicing the connection it would have
> full control in the URL level.

Exactly.

For many HTTP2 sites the SNI does not provide enough info for a
splicing/bumping decision.

The Google sites are one of them. You cannot safely bump google.com or
youtube.com and splice gmail.com. You have to weigh the risks and
probably splice all Google sites including gmail.com.

> I do not know the scenario but I have yet to have seen a similar case and
> it's probably because I am bumping
> almost all connections.

... and because squid while proxying uses HTTP/1.1 protocol not HTTP/2.

Regards,
   Christos



> Eliezer
>
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-22 Thread Eliezer Croitoru
Just to mention that once Squid is not splicing the connection it would have
full control in the URL level.
I do not know the scenario but I have yet to have seen a similar case and
it's probably because I am bumping
almost all connections.

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

-Original Message-
From: squid-users  On Behalf Of
Amos Jeffries
Sent: Tuesday, February 22, 2022 16:32
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Splice certain SNIs which served by the same IP

On 23/02/22 01:05, Ben Goz wrote:
> By the help of God.
> 
> If I'm using the self signed certificate that I created for the ssl 
> bump, then the browser considers it as the same certificate for any 
> domain I'm connecting to?
> 

Key thing to remember is that TLS server certificate validates the 
*server*, not the URL domain name.

HTTP/2 brings the feature of alternate server names. So once connected 
and talking, a server can tell the client a bunch of other domains that 
can be fetched from it.

Since you are using SSL-Bump "splice" to set up the connection, Squid has 
no control or interaction over what the server and client tell each 
other within that connection.


HTH
Amos


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-22 Thread Amos Jeffries

On 23/02/22 01:05, Ben Goz wrote:

> By the help of God.
>
> If I'm using the self signed certificate that I created for the ssl
> bump, then the browser considers it as the same certificate for any
> domain I'm connecting to?

Key thing to remember is that TLS server certificate validates the 
*server*, not the URL domain name.

HTTP/2 brings the feature of alternate server names. So once connected 
and talking, a server can tell the client a bunch of other domains that 
can be fetched from it.

Since you are using SSL-Bump "splice" to set up the connection, Squid has 
no control or interaction over what the server and client tell each 
other within that connection.



HTH
Amos


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-22 Thread Ben Goz
By the help of God.

If I'm using the self signed certificate that I created for the ssl bump,
then the browser considers it as the same certificate for any domain I'm
connecting to?

On Tue, Feb 22, 2022 at 7:35 Eliezer Croitoru <ngtech1...@gmail.com> wrote:

> Thanks Christos,
>
> I was aware of such things but haven't seen such a case.
> Is there any way to "reproduce" this?
> I believe it should be documented in the wiki.
>
> Thanks,
>
> 
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
>
> -Original Message-
> From: squid-users  On Behalf
> Of Christos Tsantilas
> Sent: Monday, February 21, 2022 11:41
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Splice certain SNIs which served by the same IP
>
> Hi Ben,
>
> When HTTP/2 is used, requests for two different domains may be served using
> the same TLS connection if both domains are served from the same remote
> server and use the same TLS certificate.
> There is a description here:
> https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
>
> And a similar problem report here:
> https://bugs.chromium.org/p/chromium/issues/detail?id=1176673
>
> Regards,
> Christos
>
>
> On 14/2/22 3:49 PM, Ben Goz wrote:
> > By the help of God.
> >
> > Hi,
> > My squid version is 4.15, using it on tproxy configuration.
> >
> > I'm using ssl bump to intercept https connection, but I want to splice
> > several domains.
> > I have a problem that when I'm splicing some google domains e.g.
> > youtube.com then the gmail.com domain is also spliced.
> >
> > I know that it is very common for google servers to host multiple
> > domains on single server.
> > And I suspect that when I'm splicing for example youtube.com
> > it'll also splice google.com.
> >
> >   Here are my squid configurations for the ssl bump:
> >
> > https_port  ssl-bump tproxy generate-host-certificates=on
> > options=ALL dynamic_cert_mem_cache_size=4MB
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> > dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
> >
> > acl DiscoverSNIHost at_step SslBump1
> >
> > acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> > acl NoSSLInterceptRegexp ssl::server_name_regex -i
> > "/usr/local/squid/etc/url-no-bump-regexp"
> > ssl_bump splice NoSSLInterceptRegexp_always
> > ssl_bump splice NoSSLIntercept
> > ssl_bump splice NoSSLInterceptRegexp
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> >


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-21 Thread Eliezer Croitoru
Thanks Christos,

I was aware of such things but haven't seen such a case.
Is there any way to "reproduce" this?
I believe it should be documented in the wiki.

Thanks,


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

-Original Message-
From: squid-users  On Behalf Of 
Christos Tsantilas
Sent: Monday, February 21, 2022 11:41
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Splice certain SNIs which served by the same IP

Hi Ben,

When HTTP/2 is used, requests for two different domains may be served using 
the same TLS connection if both domains are served from the same remote 
server and use the same TLS certificate.
There is a description here:
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

And a similar problem report here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1176673

Regards,
Christos


On 14/2/22 3:49 PM, Ben Goz wrote:
> By the help of God.
> 
> Hi,
> My squid version is 4.15, using it on tproxy configuration.
> 
> I'm using ssl bump to intercept https connection, but I want to splice 
> several domains.
> I have a problem that when I'm splicing some google domains e.g. 
> youtube.com then the gmail.com domain is also spliced.
> 
> I know that it is very common for google servers to host multiple 
> domains on single server.
> And I suspect that when I'm splicing for example youtube.com 
> it'll also splice google.com.
> 
>   Here are my squid configurations for the ssl bump:
> 
> https_port  ssl-bump tproxy generate-host-certificates=on 
> options=ALL dynamic_cert_mem_cache_size=4MB 
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
> 
> acl DiscoverSNIHost at_step SslBump1
> 
> acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i 
> "/usr/local/squid/etc/url-no-bump-regexp"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
> 
> 


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-21 Thread Christos Tsantilas

Hi Ben,

When HTTP/2 is used, requests for two different domains may be served using 
the same TLS connection if both domains are served from the same remote 
server and use the same TLS certificate.

There is a description here:
   https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

And a similar problem report here:
   https://bugs.chromium.org/p/chromium/issues/detail?id=1176673

Regards,
   Christos


On 14/2/22 3:49 PM, Ben Goz wrote:

> By the help of God.
>
> Hi,
> My squid version is 4.15, using it on tproxy configuration.
>
> I'm using ssl bump to intercept https connection, but I want to splice
> several domains.
> I have a problem that when I'm splicing some google domains e.g.
> youtube.com then the gmail.com domain is also spliced.
>
> I know that it is very common for google servers to host multiple
> domains on single server.
> And I suspect that when I'm splicing for example youtube.com
> it'll also splice google.com.
>
> Here are my squid configurations for the ssl bump:
>
> https_port  ssl-bump tproxy generate-host-certificates=on
> options=ALL dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
>
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i
> "/usr/local/squid/etc/url-no-bump-regexp"
>
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all



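Added example, not code from the thread or from Squid: a small Python model of the coalescing rule Christos points to (RFC 7540 section 9.1.1: the second name resolves to an address the connection already uses and the served certificate is valid for that name), used to list which names outside an ssl_bump splice list could still ride, unbumped, on a connection that was spliced on another SNI. The hostnames, addresses and SAN lists are constructed sample data.

```python
# Added example (not from the thread or from Squid). Models HTTP/2 connection
# coalescing: a client may reuse a TLS connection for a second hostname when
# that name resolves to an IP the connection already targets AND the served
# certificate is valid for it. Data below is CONSTRUCTED, not real DNS/certs.
# Constructed: hostname -> IPs it resolves to.
DNS = {
    "youtube.com": {"203.0.113.10"},
    "gmail.com": {"203.0.113.10", "203.0.113.11"},
    "google.com": {"203.0.113.10"},
    "example.org": {"198.51.100.5"},
}
# Constructed: IP -> Subject Alternative Names in the certificate served there.
CERT_SANS = {
    "203.0.113.10": ["*.google.com", "google.com", "youtube.com", "gmail.com"],
    "203.0.113.11": ["gmail.com"],
    "198.51.100.5": ["example.org"],
}

def san_matches(san, host):
    """Hostname match in the RFC 6125 style: exact name, or a left-most
    '*' label that stands for exactly one label (no partial wildcards)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        base = san[2:]
        return host.endswith("." + base) and host.count(".") == base.count(".") + 1
    return san == host

def cert_covers(ip, host):
    return any(san_matches(san, host) for san in CERT_SANS.get(ip, []))

def coalescable_hosts(spliced_host):
    """Names a client may fetch over a coalesced connection first opened
    for spliced_host: shared IP plus certificate coverage at that IP."""
    shared_ips = DNS.get(spliced_host, set())
    reachable = set()
    for host, ips in DNS.items():
        if host != spliced_host and any(cert_covers(ip, host) for ip in ips & shared_ips):
            reachable.add(host)
    return reachable

def unplanned_splices(splice_list):
    """Names outside splice_list that could still bypass bumping by riding
    on a spliced connection; the gap an ssl_bump splice list must cover."""
    allowed = set(splice_list)
    leaked = set()
    for host in allowed:
        leaked |= coalescable_hosts(host) - allowed
    return leaked
```

With the sample data, splicing only youtube.com leaves gmail.com and google.com reachable unbumped, while splicing the whole family leaves nothing, which is the trade-off Christos describes.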


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-20 Thread Eliezer Croitoru
Hey Ben,

I have seen your email however didn't have enough time to respond.
I and others need some free time…

I am more than willing to test this issue in my local test environment.
I can test it on Oracle Enterprise Linux 8 with the latest 4.x version.
We can simplify things by creating a very specific environment without any 
unknowns.

You will need to provide the full details of the testing setup and the content 
of:

acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
acl NoSSLInterceptRegexp ssl::server_name_regex -i 
"/usr/local/squid/etc/url-no-bump-regexp"

In my environment it works as expected without any issues while I am not using 
ssl::server_name_regex

The docs clearly state:

acl aclname ssl::server_name_regex [-i] \.foo\.com ...
  # regex matches server name obtained from various sources [fast]

So you should try to use:

acl aclname ssl::server_name [option] .foo.com ...
  # matches server name obtained from various sources [fast]

Instead as a starter point.

I understand you need some help but I and others have other obligations in life 
so it would happen from time to time
that someone is not free to try and help you.

All The Bests,

Eliezer

*   If someone would have provided me with enough food and other living 
expenses I might have been free enough to help you.




Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-users  On Behalf Of Ben 
Goz
Sent: Thursday, February 17, 2022 14:47
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Splice certain SNIs which served by the same IP

By the help of God.

Any insights?

Thanks,
Ben

On Mon, Feb 14, 2022 at 15:49 Ben Goz <ben.go...@gmail.com> wrote:

By the help of God.

Hi,
My squid version is 4.15, using it on tproxy configuration.

I'm using ssl bump to intercept https connection, but I want to splice several 
domains.
I have a problem that when I'm splicing some google domains e.g. youtube.com 
then the gmail.com domain is also spliced.

I know that it is very common for google servers to host multiple domains on 
single server.
And I suspect that when I'm splicing for example youtube.com it'll also splice 
google.com.

Here are my squid configurations for the ssl bump:

https_port  ssl-bump tproxy generate-host-certificates=on options=ALL 
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA

acl DiscoverSNIHost at_step SslBump1

acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
acl NoSSLInterceptRegexp ssl::server_name_regex -i 
"/usr/local/squid/etc/url-no-bump-regexp"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all



Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-17 Thread Ben Goz
By the help of God.
Any insights?

Thanks,
Ben

On Mon, Feb 14, 2022 at 15:49 Ben Goz <ben.go...@gmail.com> wrote:

> By the help of God.
>
> Hi,
> My squid version is 4.15, using it on tproxy configuration.
>
> I'm using ssl bump to intercept https connection, but I want to splice
> several domains.
> I have a problem that when I'm splicing some google domains e.g.
> youtube.com then the gmail.com domain is also spliced.
>
> I know that it is very common for google servers to host multiple domains
> on single server.
> And I suspect that when I'm splicing for example youtube.com it'll also
> splice google.com.
>
>  Here are my squid configurations for the ssl bump:
>
> https_port  ssl-bump tproxy generate-host-certificates=on options=ALL
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA
>
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
> acl NoSSLInterceptRegexp ssl::server_name_regex -i
> "/usr/local/squid/etc/url-no-bump-regexp"
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump splice NoSSLIntercept
> ssl_bump splice NoSSLInterceptRegexp
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
>


[squid-users] Splice certain SNIs which served by the same IP

2022-02-14 Thread Ben Goz
By the help of God.

Hi,
My squid version is 4.15, using it on tproxy configuration.

I'm using ssl bump to intercept https connection, but I want to splice
several domains.
I have a problem that when I'm splicing some google domains e.g. youtube.com
then the gmail.com domain is also spliced.

I know that it is very common for google servers to host multiple domains
on single server.
And I suspect that when I'm splicing for example youtube.com it'll also
splice google.com.

 Here are my squid configurations for the ssl bump:

https_port  ssl-bump tproxy generate-host-certificates=on options=ALL
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem
dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA

acl DiscoverSNIHost at_step SslBump1

acl NoSSLIntercept ssl::server_name  "/usr/local/squid/etc/url-no-bump"
acl NoSSLInterceptRegexp ssl::server_name_regex -i
"/usr/local/squid/etc/url-no-bump-regexp"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all