On Thu, 2015-06-25 at 08:06 -0400, Tom Mowbray wrote: > James, > > > > Thank for for your help. Now that I have a better understanding of > how the https traffic is handled, I've been able to get things working > as intended. > > > > > > --------------------------------- > > Tom Mowbray > > tmowb...@dalabs.com > 703-829-6694 > > > > On Wed, Jun 24, 2015 at 2:05 PM, James Lay <j...@slave-tothe-box.net> > wrote: > > On 2015-06-24 11:46 AM, Tom Mowbray wrote: > > James, > > Yes, as a matter of fact I have read through those > exact posts and > modeled my config very similarly. What I have found > is that, however, > when the line "http_access allow SSL_ports" is placed > above the > ssl_bump stuff and other acl's (as you have it), it > seems to simply > allow ALL https without doing any filtering > whatsoever. > > Thanks for the response. > > ---------------------------------Tom Mowbray > _tmowbray@dalabs.com_ > _703-829-6694_ > > > > On Wed, Jun 24, 2015 at 1:31 PM, James Lay > <j...@slave-tothe-box.net> > wrote: > > > On 2015-06-24 09:41 AM, Tom Mowbray wrote: > > > Squid 3.5.5 > > I seem to have some confusion about > how acl lists are processed > in > squid.conf regarding the handling of > SSL (HTTPS) traffic, > attempting > to use ssl_bump directives with > transparent proxy. > > Based on available documentation, I > believe my squid.conf is > correct, > however it never seems to actually > behave as expected. > > I define the SSL port, as usual: > > acl SSL_ports port 443 > > But here's where my confusion lies... > Many state to place the > following line above the ssl_bump > configuration lines: > > http_access allow SSL_ports > > However when I do this, it appears to > simply stop processing any > other > rules and allows ALL https traffic > through the proxy (which is > actually how I'd expect a standard ACL > list to operate, but then > how > do I actually filter the traffic > though our content-based ACL > lists?). > If I put the above line below the > ssl_bump configuration options > in > my squid.conf, then it appears to BUMP > all, even though I've told > the > config to SPLICE all https traffic, > which doesn't work for our > deployment. > > So, does squid actually continue to > process the https traffic > using > the ssl_bump rules if the "http_access > allow SSL_ports" line is > placed > above it in the configuration? > > I should note that we've been able to > get filtering to work > correctly > when using our configuration in > NON-transparent mode, however our > goal > is get this functionality working as a > transparent proxy. We're > unable to load our self-signed cert > onto client machines that > will be > accessing the proxy, so using the > "bump" or man-in-the-middle > style > https filtering isn't a viable option > for us. > > Any help or advice is appreciated! > > Thanks, > > Tom > > > Tom, > > You kinda have to change the way you think > about filtering when it > comes to Squid 3.5.5 and SSL(TLS). Normal http > traffic is > easy....here's where we're trying to go and > here's a list of place > we're alloed to go...simple. > > Not so with SSL(TLS). Squid can't filter, > since Squid may or may > not know where we're going...and that's the > issue..it's where those > ssl_bump atStep ACL's come in. Some sites when > you connect to them > are easy-ish..when you connect your device > sends a "Server Name > Information" (SNI) that says where you're > going. Other sites don't > have any information until you complete the > SSL handshake (how can > you filter a site name, until squid KNOWS the > site or at least > domain name?). > > If you're still wanting to go through with > transparent (intercept) > proxy with SSL, search through the list for my > SSL Deep dive > posts...that config is working for me so far > (granted, not in an > enterprise environment). However, as Amos > said,....if you choose > not to install the cert on the client > machines, you are either a) > going to be out of luck on LOT'S of websites > because they will fail > the SSL handshake, or b) teaching your users > to ignore the security > warnings of their browser's....neither of > which is a good thing. > > Hope that helps. > > James > > > > Tom, > > You are right...that absolutely will allow all SSL > initially...the filtering is down lower in the config here: > > With single list of regex sites/domains like \.google > \.com...peek, splice, no bump...I'm currently using this > config section. > > ############################################################################ > ssl_bump peek step1 all > ssl_bump peek step2 all > acl allowed_https_sites ssl::server_name_regex > "/opt/etc/squid/http_url.txt" > ssl_bump splice step3 allowed_https_sites > ssl_bump terminate all > > > With broken acl list of networks list 208.85.40.0/21 > > ########################################################################### > ssl_bump peek step1 broken > ssl_bump peek step2 broken > ssl_bump splice broken > ssl_bump peek step1 all > ssl_bump peek step2 all > acl allowed_https_sites ssl::server_name_regex > "/opt/etc/squid/http_url.txt" > ssl_bump bump allowed_https_sites > ssl_bump terminate all > > In both configs above, the SNI and server names are checked, > bounced off the http_url.txt list, and if the site/domain is > NOT in the list the ssl session is terminated. The big drag > is, you won't be able to see that in the squid logs. I have a > bug open ( I don't remember the number :( ) to show this in > the logs...so far in my setup I only see the first peek, > nothing after that. You can test the above setups with: > > openssl s_client -connect x.x.x.x:443 > > The above will test with no SNI...these look like the below in > the logs: > Jun 24 11:35:08 gateway (squid-1): 192.168.1.101 - - > [24/Jun/2015:11:35:08 -0600] "CONNECT 31.13.76.101:443 > HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST peek > > wget -d --ca-certificate=<your.cert.file) > > The above WILL send an SNI...which you should see in your logs > as: > Jun 24 12:01:44 gateway (squid-1): 192.168.1.101 - - > [24/Jun/2015:12:01:44 -0600] "CONNECT 172.230.156.79:443 > HTTP/1.1" device-api.urbanairship.com - 200 0 > TAG_NONE:ORIGINAL_DST peek > > Hope that helps. > > James > > >
Excellent! James
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
