Re: [squid-users] ssl_crtd breaks after short time

2015-06-11 Thread Klavs Klavsen
James Lay wrote on 06/10/2015 03:18 PM: [CUT] I'm going to spin this off into a new thread...Filtering http and https traffic sometime later today. I have some questions, and maybe solutions. Much appreciated and much looked forward to.. hoping I can get what I had working with 3.4.12 -

Re: [squid-users] ssl_crtd breaks after short time

2015-06-10 Thread James Lay
On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote: Amos Jeffries wrote on 2015-06-09 17:10: [CUT] You have to first configure ssl_bump in a way that lets Squid receive the clientHello message (step1 - peek) AND the serverHello message (step2 - peek). Then you can use those cert

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Klavs Klavsen
Hi, James Lay just replied to me with his current config.. (pretty much like what he posted), and it seems he does not even try to use http_access rules to filter on urls from https requests.. @Amos: are you certain that there's not an error in how http_access rules are applied to bumped

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Amos Jeffries
On 10/06/2015 2:51 a.m., Klavs Klavsen wrote: Amos Jeffries wrote on 06/09/2015 03:06 PM: The HTTP message log (access.log) is only logging the HTTP(S) messages. The non-HTTP protocols are not logged. 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] CONNECT 64.233.184.94:443 HTTP/1.1

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Klavs Klavsen
Amos Jeffries wrote on 2015-06-09 17:10: [CUT] You have to first configure ssl_bump in a way that lets Squid receive the clientHello message (step1 - peek) AND the serverHello message (step2 - peek). Then you can use those cert details to bump (step3 - bump). The config is quite simple:

Re: [squid-users] ssl_crtd breaks after short time

2015-06-09 Thread Amos Jeffries
On 9/06/2015 6:44 p.m., Klavs Klavsen wrote: Hi, James Lay just replied to me with his current config.. (pretty much like what he posted), and it seems he does not even try to use http_access rules to filter on urls from https requests.. @Amos: are you certain that there's not an error in

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 2:50 a.m., Klavs Klavsen wrote: Amos Jeffries wrote on 06/04/2015 04:19 PM: On 5/06/2015 1:45 a.m., Klavs Klavsen wrote: after moving it here: http_access allow okweb-urls testsrv1 http_access allow CONNECT bumpedPorts http_access deny all it still allows everything.. Sigh.

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 3:34 a.m., Klavs Klavsen wrote: I would be perfectly fine with allowing the SSL bumping to finish for ALL https sites - and then only block when the http request comes.. I'm hoping someone can tell me what I've done wrong in my config.. I'm obviously not understanding how it

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
I would be perfectly fine with allowing the SSL bumping to finish for ALL https sites - and then only block when the http request comes.. I'm hoping someone can tell me what I've done wrong in my config.. I'm obviously not understanding how it works when https is involved.. it works as intended

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 1:45 a.m., Klavs Klavsen wrote: after moving it here: http_access allow okweb-urls testsrv1 http_access allow CONNECT bumpedPorts http_access deny all it still allows everything.. Sigh. Sorry I must be half asleep right now. Your rules say: allow ... allow ... allow

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Hi Amos, I tried taking the config from James.. but I have the exact same issue as described below :( After adding the extra logging from James config - I get this in access_log: 1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT 216.58.209.106:443 - HIER_NONE/- - which makes it

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 4/06/2015 7:55 p.m., Klavs Klavsen wrote: Hi Amos, I tried taking the config from James.. but I have the exact same issue as described below :( After adding the extra logging from James config - I get this in access_log: 1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
oops.. forget it.. I missed I had two access logs.. the format from James Lay - works perfectly.. sorry :) Klavs Klavsen wrote on 06/04/2015 03:06 PM: One thing.. now when accessing a site, f.ex. https://www.dr.dk, the access log says: 1433423013.540 196 10.47.171.244 TCP_TUNNEL/200 187877

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Amos Jeffries wrote on 06/04/2015 01:24 PM: acl bumpedPorts myportname 3129 acl bumpedPorts myportname 3130 http_access allow CONNECT bumpedPorts Adding that worked.. I did not have any of that ssl_stuff in my 3.4 config (and it worked without). Thank you very much. -- Regards, Klavs

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
One thing.. now when accessing a site, f.ex. https://www.dr.dk, the access log says: 1433423013.540 196 10.47.171.244 TCP_TUNNEL/200 187877 CONNECT 159.20.6.6:443 - ORIGINAL_DST/159.20.6.6 - instead of logging the url that was accessed.. How can I make it log the url as it did in 3.4.12?

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
Hi, I added the bumpedports - and now traffic works and is allowed.. but it allows everything on https.. :( Log says: 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] CONNECT 72.51.34.34:443 HTTP/1.1 lwn.net - 200 28189 TCP_TUNNEL:ORIGINAL_DST peek so it doesn't seem to check the http_access

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
I tried this: http_access allow CONNECT testurls testsrv1 But that doesn't work. Klavs Klavsen wrote on 06/04/2015 03:20 PM: Hi, I added the bumpedports - and now traffic works and is allowed.. but it allows everything on https.. :( Log says: 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200]

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Amos Jeffries
On 5/06/2015 1:20 a.m., Klavs Klavsen wrote: Hi, I added the bumpedports - and now traffic works and is allowed.. but it allows everything on https.. :( Log says: 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] CONNECT 72.51.34.34:443 HTTP/1.1 lwn.net - 200 28189 TCP_TUNNEL:ORIGINAL_DST

Re: [squid-users] ssl_crtd breaks after short time

2015-06-04 Thread Klavs Klavsen
after moving it here: http_access allow okweb-urls testsrv1 http_access allow CONNECT bumpedPorts http_access deny all it still allows everything.. Amos Jeffries wrote on 06/04/2015 03:42 PM: On 5/06/2015 1:20 a.m., Klavs Klavsen wrote: Hi, I added the bumpedports - and now traffic works
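The three ssl_bump steps Amos describes earlier in the thread (receive the clientHello, receive the serverHello, then bump) and the http_access ordering Klavs is working through in the message above, drawn together into one Squid 3.5 squid.conf fragment. This is an added example for readers of this archive, not a configuration anyone posted in the thread. The port numbers, the CA and ssl_db paths, the sslcrtd_program location, the client address and the domains are assumptions; only the bumpedPorts / okweb-urls / testsrv1 ACL names come from the thread. One deliberate difference from the thread: the example uses stare rather than peek at step 2, because the squid.conf documentation for ssl_bump states that peeking at the server certificate usually precludes bumping the connection later.

```squidconf
# Added example, not from the squid-users thread. Squid 3.5 syntax.
# Assumed: intercepted HTTP on 3129 and HTTPS on 3130, a local CA at
# /etc/squid/ssl/squid-ca.pem, ssl_crtd under /usr/lib64/squid.

# Intercept ports. The port number is what the myportname ACL below matches.
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/squid-ca.pem

# Helper that mints the per-site certificates (named ssl_crtd in 3.5;
# Squid 4 renamed it security_file_certgen).
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8

# Which SslBump step the current ssl_bump evaluation is at.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# step1: peek at the ClientHello so the SNI becomes known.
# step2: stare at the ServerHello/certificate while keeping bumping possible.
# step3: bump, so the HTTP requests inside the tunnel reach http_access.
ssl_bump peek  step1
ssl_bump stare step2
ssl_bump bump  step3

# The fake CONNECT that Squid synthesises for an intercepted TLS connection
# is only legitimate on the intercept ports.
acl bumpedPorts myportname 3129
acl bumpedPorts myportname 3130

acl testsrv1   src 10.0.0.10/32                       # assumed test client
acl okweb-urls dstdomain .example.org                  # assumed allow-list
acl okweb-urls url_regex -i ^https://www\.example\.com/public/

# Order matters: first let the fake CONNECT through so bumping can happen,
# then filter the decrypted requests, then deny everything else.
http_access allow CONNECT bumpedPorts
http_access allow okweb-urls testsrv1
http_access deny all
```

The CONNECT allow rule only matches the synthetic CONNECT that carries the TLS tunnel; once the connection is bumped, each decrypted GET or POST is evaluated against http_access again as an ordinary request, so the url_regex and dstdomain rules apply to it and the final deny all catches anything outside the allow-list. A side effect relevant to the logging question later in the thread: after a successful bump, access.log records those bumped requests as their own lines (with the full https:// URL) in addition to the CONNECT line for the tunnel.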

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Amos Jeffries
On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: Thank you Amos. I'll build 3.5.5 then.. any config changes I need to be aware of? --with-openssl instead of --enable-ssl is the only one that comes to mind right now. The release notes for 3.4 and 3.5 have the lists. Amos Amos Jeffries

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Klavs Klavsen
Amos Jeffries wrote on 06/02/2015 04:10 PM: On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: Thank you Amos. I'll build 3.5.5 then.. any config changes I need to be aware of? --with-openssl instead of --enable-ssl is the only one that comes to mind right now. The release notes for 3.4 and 3.5

Re: [squid-users] ssl_crtd breaks after short time

2015-06-02 Thread Amos Jeffries
On 3/06/2015 2:46 a.m., Klavs Klavsen wrote: Amos Jeffries wrote on 06/02/2015 04:10 PM: On 3/06/2015 1:45 a.m., Klavs Klavsen wrote: Thank you Amos. I'll build 3.5.5 then.. any config changes I need to be aware of? --with-openssl instead of --enable-ssl is the only one that comes to