Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
I have installed squid as my router and below are my iptable rules

  675 39972 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
 2022  120K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3129

Chain INPUT (policy ACCEPT 7028 packets, 770K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5923  688K MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0


On Tue, May 17, 2016 at 4:21 PM, admin  wrote:

> I have the same config, but in my logs domain names
>
>
>
>
>
>
> Reet Vyas wrote 2016-05-17 15:48:
>
> Here is my txt file, as of now it's working but I am getting secure
> connection failed, I want to know if we can customize error message like
> Access Denied.
>
> In logs I am not getting full URL PFA logs for same. What I have to
> change in peek and splice ssl bump to get full URL?
>
> Logs:

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread admin
I have the same config, but in my logs domain names 

Reet Vyas wrote 2016-05-17 15:48:

> Here is my txt file, as of now it's working but I am getting secure connection
> failed, I want to know if we can customize error message like Access Denied.
>
> In logs I am not getting full URL PFA logs for same. What I have to change
> in peek and splice ssl bump to get full URL?
> 
> Logs: 
> 
> On Tue, May 17, 

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
Here is my txt file, as of now it's working but I am getting secure
connection failed, I want to know if we can customize error message like
Access Denied.

In logs I am not getting full URL PFA logs for same. What I have to change
in peek and splice ssl bump to get full URL?

Logs:

3481340.025  0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 -
HIER_NONE/- -
1463481340.037  0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443
- HIER_NONE/- -
1463481352.675  98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT
74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481403.492 240049 192.168.0.188 TCP_TUNNEL/200 244 CONNECT
216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481403.519 240205 192.168.0.188 TCP_TUNNEL/200 244 CONNECT
74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481411.577 240235 192.168.0.66 TCP_TUNNEL/200 1832 CONNECT
74.125.68.239:443 - ORIGINAL_DST/74.125.68.239 -
1463481411.688 240430 192.168.0.66 TCP_TUNNEL/200 766 CONNECT
74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481411.940 240038 192.168.0.66 TCP_TUNNEL/200 502 CONNECT
216.58.199.141:443 - ORIGINAL_DST/216.58.199.141 -
1463481415.391 240029 192.168.0.66 TCP_TUNNEL/200 502 CONNECT
216.58.220.5:443 - ORIGINAL_DST/216.58.220.5 -
1463481418.469 240252 192.168.0.66 TCP_TUNNEL/200 518 CONNECT
74.125.68.132:443 - ORIGINAL_DST/74.125.68.132 -
1463481419.003 240197 192.168.0.66 TCP_TUNNEL/200 502 CONNECT
74.125.200.138:443 - ORIGINAL_DST/74.125.200.138 -
1463481421.151 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT
216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481421.196  59328 192.168.0.11 TCP_TUNNEL/200 786 CONNECT
216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481421.758 240647 192.168.0.66 TCP_TUNNEL/200 464 CONNECT
216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481445.844 282774 192.168.0.188 TCP_TUNNEL/200 1423 CONNECT
74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481446.091 282893 192.168.0.188 TCP_TUNNEL/200 2418 CONNECT
216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481470.715  59069 192.168.0.11 TCP_TUNNEL/200 1395 CONNECT
216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481470.729  58778 192.168.0.11 TCP_TUNNEL/200 7609 CONNECT
216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481482.663  62472 192.168.0.11 TCP_TUNNEL/200 3000 CONNECT
216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463481505.775 334542 192.168.0.66 TCP_TUNNEL/200 59071 CONNECT
216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481512.946 240206 192.168.0.66 TCP_TUNNEL/200 470 CONNECT
74.125.130.101:443 - ORIGINAL_DST/74.125.130.101 -
1463481513.057 240084 192.168.0.66 TCP_TUNNEL/200 886 CONNECT
216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481513.574 240132 192.168.0.66 TCP_TUNNEL/200 1116 CONNECT
216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481514.156 240036 192.168.0.66 TCP_TUNNEL/200 454 CONNECT
216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481542.096   5675 192.168.0.11 TCP_TUNNEL/200 686 CONNECT
162.213.33.48:443 - ORIGINAL_DST/162.213.33.48 -
1463481546.586  59549 192.168.0.11 TCP_TUNNEL/200 493 CONNECT
216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481569.729 398494 192.168.0.66 TCP_TUNNEL/200 2523 CONNECT
216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481574.930 240032 192.168.0.66 TCP_TUNNEL/200 464 CONNECT
216.58.220.3:443 - ORIGINAL_DST/216.58.220.3 -
1463481578.959 240248 192.168.0.66 TCP_TUNNEL/200 1220 CONNECT
74.125.130.94:443 - ORIGINAL_DST/74.125.130.94 -
1463481614.460 70 192.168.0.66 TCP_TUNNEL/200 13976 CONNECT
216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481631.174 460024 192.168.0.66 TCP_TUNNEL/200 5641 CONNECT
74.125.200.189:443 - ORIGINAL_DST/74.125.200.189 -
1463481753.303 303648 192.168.0.11 TCP_TUNNEL/200 2801 CONNECT
216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481759.694 240237 192.168.0.11 TCP_TUNNEL/200 829 CONNECT
216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481761.126 261752 192.168.0.11 TCP_TUNNEL/200 205262 CONNECT
216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.066 269470 192.168.0.11 TCP_TUNNEL/200 177618 CONNECT
216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.241 276758 192.168.0.11 TCP_TUNNEL/200 1451680 CONNECT
216.58.199.165:443 - ORIGINAL_DST/216.58.199.16





On Tue, May 17, 2016 at 3:33 PM, Reet Vyas  wrote:

> Here is my txt file, as of now it's working but I am getting secure
> connection failed, I want to know if we can customize error message like
> Access Denied.
>
> In logs I am not getting full URL PFA logs for same. What I have to
> change in peek and splice ssl bump to get full URL?
>
> On Tue, May 17, 2016 at 3:21 PM, admin  wrote:
>
>>
>>
>> get your blocked_https.txt
>>
>>
>>
>>
>> Reet Vyas wrote 2016-05-17 14:47:
>>
>> Hi
>>
>> Below is my squid configuration
>>
>> Squid : 3.5.13
>> OS ubuntu 14.04
>>
>>
>> http_port 3128
>> http_port 3127 intercept
>> https_port 3129 intercept ssl-bump generate-host-c

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread admin
get your blocked_https.txt 

Reet Vyas wrote 2016-05-17 14:47:

> Hi 
> 
> Below is my squid configuration  
> 
> Squid : 3.5.13 
> OS ubuntu 14.04 
> 
> http_port 3128 
> http_port 3127 intercept 
> https_port 3129 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt 
> key=/etc/squid/ssl_certs/squid.key 
> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>  
> 
> always_direct allow all 
> sslproxy_cert_error allow all 
> sslproxy_flags DONT_VERIFY_PEER 
> acl blocked ssl::server_name  "/etc/squid/blocked_https.txt" 
> acl step1 at_step SslBump1 
> ssl_bump peek step1 
> ssl_bump terminate blocked 
> ssl_bump splice all 
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB 
> sslcrtd_children 16 startup=1 idle=1 
> sslproxy_capath /etc/ssl/certs 
> sslproxy_cert_error allow all 
> ssl_unclean_shutdown on 
> 
> I want to block facebook.com so I have added url in .txt file.
>
> It's not blocking anything.
>
> Please let me know what I have to change in this configuration
>
> I am getting below logs in squid
> 
> On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries  wrote:
> 
>> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
>>> Hi Amos/Yuri,
>>> 
>>> Currently my squid is configured with ssl bump, now I want to use peek and
>>> splice. I read in some forum that we don't need to install certificate on
>>> client's machine.
>>> 
>> 
>> Splice does not require it. But what you want to do w

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
Hi

Below is my squid configuration

Squid : 3.5.13
OS ubuntu 14.04


http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt
key=/etc/squid/ssl_certs/squid.key
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
ssl_unclean_shutdown on

I want to block facebook.com so I have added url in .txt file.

It's not blocking anything.

Please let me know what I have to change in this configuration

I am getting below logs in squid


1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443
- HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT
geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -


1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET
http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443
- HIER_NONE/- -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT
translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443
- HIER_NONE/- -
1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT
clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443
- HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT
graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478224.432 33 192.168.0.66 TCP_MISS/204 233 GET
http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443
- HIER_NONE/- -
1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT
freevideodownloader.co:443 - HIER_NONE/- -
1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443
- HIER_NONE/- -
1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT
0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443
- HIER_NONE/- -
1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT
clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443
- HIER_NONE/- -
1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT
geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
1463478327.555 41 192.168.0.66 TCP_MISS/200 2323 GET
http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data
- ORIGINAL_DST/216.58.220.3 text/html


On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries  wrote:

> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> > Hi Amos/Yuri,
> >
> > Currently my squid is configured with ssl bump, now I want to use peek and
> > splice. I read in some forum that we don't need to install certificate on
> > client's machine.
> >
>
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
>
>
> > As I have already asked before in mailing list to install SSL certificate
> > on Android devices, which is not working.
> >
> > So my question is If I want to use peek and splice for example I want https
> > filtering for
>
>  ... on how you define "filter".
>
> > proxy websites
>
> Not sure what you mean by that term.
>
> > and I don't want ssl for bank websites and
> > facebook youtube and gmail. how will it work? Do I need to install SSL
>

Re: [squid-users] Squid Peek and splice

2016-05-13 Thread Amos Jeffries
On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> Hi Amos/Yuri,
> 
> Currently my squid is configured with ssl bump, now I want to use peek and
> splice. I read in some forum that we don't need to install certificate on
> client's machine.
> 

Splice does not require it. But what you want to do with Squid may
prevent splice being used. So "it depends" ...


> As I have already asked before in mailing list to install SSL certificate
> on Android devices, which is not working.
> 
> So my question is If I want to use peek and splice for example I want https
> filtering for 

 ... on how you define "filter".

> proxy websites 

Not sure what you mean by that term.

> and I don't want ssl for bank websites and
> facebook youtube and gmail. how will it work? Do I need to install SSL
> certificate on client or not, I am bit confused with peek and splice thing.

When you intercept port 443 normally only the raw-IP is available from
TCP. Peek allows Squid to get the server name the client was trying to
connect to out of the TLS. So that Squid can handle the intercepted
connection as if it had received a CONNECT message (which usually have
server/domain names).

Splicing can be thought of as handling an intercepted port 443 connection
as if it were a CONNECT message, with no decryption. It is treated as a
single "thing", with some limited control possibilities.


So...

In order to bump (decrypt) some traffic and splice (not decrypt) other
traffic you need to have a way to decide which type is being dealt with.
That is the peek or stare actions - to get data out of the TLS handshake
for you to use in ACL decisions.

You might now want to re-read the SslPeekAndSplice documentation again
to see if you understand it better. I skipped a lot of important details
to make the description clear.


> 
> Please let me know is that possible to configure squid 3.5.19 in such a way
> so that it will bump  only proxy websites not FB youtube etc.
> 

Ah. So what are these "proxy websites" you speak of ?

One thing you need to be clear about is that once the TCP packets enter
Squid they *have* to be "proxied". There is no way to undo TCP accept()
and read() operations. But there are many ways of handling them that
Squid can do.

PS. you could post your existing config so we can suggest alterations to
it that will lead to it doing your new policy. That can be another way
to learn how the relevant-to-you part of the features work without
diving into the full complexity of what *might* be doable.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid Peek and splice

2016-05-12 Thread Reet Vyas
Hi Amos/Yuri,

Currently my squid is configured with ssl bump, now I want to use peek and
splice. I read in some forum that we don't need to install certificate on
client's machine.

As I have already asked before in mailing list to install SSL certificate
on Android devices, which is not working.

So my question is If I want to use peek and splice for example I want https
filtering for proxy websites and I don't want ssl for bank websites and
facebook youtube and gmail. how will it work? Do I need to install SSL
certificate on client or not, I am bit confused with peek and splice thing.

Please let me know is that possible to configure squid 3.5.19 in such a way
so that it will bump  only proxy websites not FB youtube etc.