Config first:

####################################################
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all

#https_server_names.txt has \.google\.com, \.yahoo\.com, \.msn\.com
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"

http_access allow all
ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites

sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options ALL
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode
access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /opt/var
####################################################

So the above works to bump and filter out (the order of these lines absolutely seemed to matter) if the site you go to isn't in the allowed_https_sites acl. The sticking point is the http_access... the above will filter https based on the allowed_https_server_names.txt, but completely allows ALL http, so this isn't complete yet.

Below is going to a site in the allowed_https_sites acl:

[08:59:44 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-05-30 08:59:57--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.
Created socket 4.
Releasing 0x10503f98 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.msn.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
<snip>

May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump

Going to a site not in the allowed_https_sites acl:

[09:02:12 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.weather.com
DEBUG output created by Wget 1.16 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-05-30 09:04:57--  https://www.weather.com/
Certificates loaded: 173
Resolving www.weather.com (www.weather.com)... 96.17.8.161, 96.17.8.138, 96.17.8.178, ...
Caching www.weather.com => 96.17.8.161 96.17.8.138 96.17.8.178 96.17.8.171
Connecting to www.weather.com (www.weather.com)|96.17.8.161|:443... connected.
Created socket 4.
Releasing 0x1098c108 (new refcount 1).
GnuTLS: The TLS connection was non-properly terminated.
Closed fd 4
Unable to establish SSL connection.

May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek

However, changing http_access to

http_access allow allowed_https_sites

I get:

[08:59:58 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-05-30 09:02:12--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.
Created socket 4.
Releasing 0x10515f98 (new refcount 1).
The certificate's owner does not match hostname ‘www.msn.com’

May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek

Notice that peek did not get the SNI name per my %ssl::>sni in my logging statement. So as of now I have been unable to figure out how to use access control with both http and https. I can do one or the other, but not both so far.

Of interest, redirects from http to https do not appear to work:

[08:37:39 jlay@powerbook:~/test$ wget www.yahoo.com
--2015-05-30 08:37:44--  http://www.yahoo.com/
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.45, 206.190.36.105, 2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.yahoo.com/ [following]
--2015-05-30 08:37:44--  https://www.yahoo.com/
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:443... connected.
ERROR: The certificate of ‘www.yahoo.com’ is not trusted.
ERROR: The certificate of ‘www.yahoo.com’ hasn't got a known issuer.

May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -
May 30 08:37:45 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:45 -0600] "CONNECT 206.190.36.45:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek

Whereas direct does:

[08:37:45 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.yahoo.com
DEBUG output created by Wget 1.16 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-05-30 08:38:27--  https://www.yahoo.com/
Certificates loaded: 173
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.105, 206.190.36.45, 2001:4998:c:a06::2:4008
Caching www.yahoo.com => 206.190.36.105 206.190.36.45 2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.105|:443... connected.
Created socket 4.
Releasing 0x107800d8 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.yahoo.com
Connection: Keep-Alive

<snip>
---response end---
200 OK
cdm: 1cdm: 1cdm: 1Registered socket 4 for persistent reuse.
URI content encoding = ‘utf-8’
Length: unspecified [text/html]
Saving to: ‘index.html’

May 30 08:38:27 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:27 -0600] "CONNECT 206.190.36.105:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:38:28 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:28 -0600] "GET https://www.yahoo.com/ HTTP/1.1" www.yahoo.com 200 325776 TCP_MISS:ORIGINAL_DST bump

I'm getting close... Amos if you're out there maybe you can shed some light on the above. Been at this for 5 hours now.. happy Saturday!

James
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
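As an added example that is not part of James's post or of the Squid project, the script below parses access log lines written by the post's custom `logformat mine` and audits what the bump policy actually did to each request: which CONNECTs were peeked and forwarded, which were closed without an upstream connection (`HIER_NONE`), which were bumped for a host on the allow list, and which were denied by `http_access` while the SNI field was still `-`. That last class is the one the post's `TCP_DENIED` line falls into: with `http_access allow allowed_https_sites`, Squid evaluates `http_access` for the intercepted CONNECT at the first bump step, before the peeked ClientHello has supplied a server name, so a `ssl::server_name_regex` ACL cannot match yet. The allow-list patterns are assumed to be exactly the three the post says are in https_server_names.txt, and the sample lines are copies of the log lines in the post with their syslog prefix intact.

```python
import re

# Assumption: the three patterns the post says https_server_names.txt contains.
ALLOWED_PATTERNS = [r"\.google\.com", r"\.yahoo\.com", r"\.msn\.com"]

# Strip the "May 30 08:59:57 analysis squid: " prefix added by access_log syslog:daemon.info.
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ squid(?:\[\d+\])?: ")

# Mirrors the post's format:
#   logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>\S+)" '
    r'(?P<sni>\S+) (?P<status>\d+) (?P<bytes>\d+) '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+) (?P<bump>\S+)$'
)

# Constructed sample: the log lines quoted in the post, in the order they appear.
SAMPLE_LINES = [
    'May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] '
    '"CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek',
    'May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] '
    '"GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump',
    'May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] '
    '"CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek',
    'May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] '
    '"CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek',
    'May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] '
    '"GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -',
]


def parse_line(line):
    """Return the named fields of one access log line, or None if it does not match the format."""
    m = LOG_RE.match(SYSLOG_PREFIX.sub("", line.strip()))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def is_allowed(server_name):
    """Same test as the ssl::server_name_regex ACL: any pattern found in the name ('-' means no name)."""
    return server_name != "-" and any(re.search(p, server_name) for p in ALLOWED_PATTERNS)


def classify(entry):
    """Label what the bump policy did to this transaction."""
    if entry["result"].startswith("TCP_DENIED"):
        # Denied while the SNI field is still '-': http_access ran before the server name was known.
        return "denied-before-sni" if entry["sni"] == "-" else "denied"
    if entry["bump"] == "bump":
        # A bumped host that is not on the allow list would mean the ssl_bump rules are not doing what we think.
        return "bumped-allowed" if is_allowed(entry["sni"]) else "bumped-unexpected"
    if entry["method"] == "CONNECT" and entry["hier"] == "HIER_NONE":
        # Peeked but never forwarded to an origin: the 'terminate' outcome for a disallowed name.
        return "connect-not-forwarded"
    if entry["method"] == "CONNECT":
        return "connect-peeked"
    return "plain-http"


def audit(lines):
    """Return (url, sni, label) for every parseable line, skipping lines that do not match the format."""
    return [(e["url"], e["sni"], classify(e)) for e in map(parse_line, lines) if e]


if __name__ == "__main__":
    for url, sni, label in audit(SAMPLE_LINES):
        print(f"{label:22} sni={sni:16} {url}")
```

Feeding the real syslog output through `audit` makes the policy result visible per request rather than per wget run; any `bumped-unexpected` or `denied-before-sni` line is the one to look at first.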