Thank you for that. I do already have a method set up via my squid proxy UI to allow clients to bypass the squid proxy via iptables rules if they need to.
On Wed, Jun 29, 2016 at 2:57 AM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

> Hey,
>
> I have seen that you are using squid in intercept mode either on Linux or some BSD.
> If there is a site\server that you don't want to enter squid at all you will need to bypass it in the FW\IPTABLES level.
> In linux you would be able to use some ipset list that will be bypassed from being intercepted.
> If you are interested reply and I will try to give you an example how to use it.
>
> Eliezer
>
> ----
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Stanford Prescott
> Sent: Wednesday, June 29, 2016 2:56 AM
> To: Amos Jeffries
> Cc: squid-users
> Subject: Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump
>
> I forgot to mention, I am using squid 3.5.19
>
> On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.presc...@gmail.com> wrote:
>
> When I enter .wellsfargo.com in
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
>
> it appears that the banking site is still getting bumped i.e. like in this access.log snippet
>
> 1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
> 1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
> 1467156893.774 75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.847 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875 120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875 117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875 112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875 111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109 306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109 307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109 308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156895.488 72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
> 1467156895.513 98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
> 1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
> 1467156895.664 82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
> 1467156895.920 250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
> 1467156896.061 79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
> 1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156899.837 5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156899.838 5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.838 5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156900.836 5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
> 1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
> 1467156900.837 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
> 1467156900.837 5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
> 1467156900.838 5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
> 1467156900.838 5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
>
> If I disable sslbumping then the bank site does not get bumped, of course.
>
> 1467157349.321 230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
>
> Here is my squid.conf with bumping enabled.
>
> visible_hostname smoothwall
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
> #debug_options ALL,1 33,2 28,9
>
> # ACCESS CONTROLS
> # ----------------------------------------------------------------
> acl localhostgreen src 10.40.40.1
> acl localnetgreen src 10.40.40.0/24
> acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
>
> acl SSL_ports port 445 443 441 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 81 # smoothwall http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 445 443 441 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # ----------------------------------------------------------------
>
> http_access allow SWE_subnets
>
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnetgreen
> http_access allow CONNECT localnetgreen
>
> http_access allow localhostgreen
> http_access allow CONNECT localhostgreen
>
> # http_port and https_port
> #----------------------------------------------------------------------------
>
> # For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
> #----------------------------------------------------------------------------
> http_port 3127
>
> http_port 10.40.40.1:800 intercept
> https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_session_cache_size 4 MB
>
> ssl_bump none localhostgreen
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
>
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_access deny all
>
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
>
> # CACHE OPTIONS
> # ----------------------------------------------------------------------------
> cache_effective_user squid
> cache_effective_group squid
>
> cache_swap_high 100
> cache_swap_low 80
>
> cache_access_log stdio:/var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
>
> cache_dir aufs /var/spool/squid/cache 1024 16 256
>
> maximum_object_size 33 MB
>
> minimum_object_size 0 KB
>
> request_body_max_size 0 KB
>
> # OTHER OPTIONS
> # ----------------------------------------------------------------------------
> #via off
> forwarded_for off
>
> pid_filename /var/run/squid.pid
>
> shutdown_lifetime 10 seconds
> #icp_port 3130
>
> half_closed_clients off
>
> umask 022
>
> logfile_rotate 0
>
> strip_query_terms off
>
> On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
> > On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> > > I have the proper peek and splice and bump configuration of acls setup in
> > > my squid.conf file for no-bump of some web sites. I need help how to enter
> > > the banking hosts and or server names in a way that the peek and splice
> > > configuration will determine it is a banking site that I don't want bumped.
> > >
> > > For example, if a user enters www.wellsfargo.com for online banking my
> > > current config still bumps wellsfargo.com. What would I need to enter for
> > > wellsfargo.com so that banking server will not be bumped?
> >
> > Depends on what you mean by "enter".
> >
> > Are you asking for the ACL value?
> > .wellfargo.com
> >
> > Are you asking for the ACL definition?
> > acl banks ssl::server_name .wellsfargo.com
> >
> > Or are you asking for a whole SSL-Bump configuration example?
> > <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
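A way to verify from access.log which TLS sessions were spliced and which were decrypted, as an added example that is not part of this thread and not code from the Squid project: in Squid's native log format a spliced connection is recorded as a TCP_TUNNEL CONNECT carrying the SNI hostname (as the wellsfargo.com entries in the excerpt above are), while a request that could only be logged because the session was bumped appears with an ordinary method and a full https:// URL. The TAG_NONE CONNECT records to a bare IP with 0 bytes are the step-1 peek entries written before any decision, so they are not evidence of bumping on their own. The script below parses lines in that format, applies the leading-dot matching that ssl::server_name and dstdomain use to a never-bump list, and reports any decrypted request to a listed domain. The log lines are constructed in the shape of the excerpt above; the final line is a deliberately constructed bad record (a decrypted GET to the bank) so the check has something to flag.

```python
"""Audit a Squid native-format access.log for SSL-Bump splice/bump outcomes.

Added example; not code from the squid-users thread or from Squid itself.
Log lines below are constructed in the shape of the thread's excerpt.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample. The last line is a constructed "bad" record: a
# decrypted request to the bank, which the never-bump policy must flag.
SAMPLE_LOG = """\
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156895.648 66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0 - ORIGINAL_DST/216.58.194.98 image/gif
1467156999.001 80 10.40.40.100 TCP_MISS/200 1200 GET https://online.wellsfargo.com/login - ORIGINAL_DST/159.45.66.143 text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    code: str       # TCP_TUNNEL, TAG_NONE, TCP_MISS, ...
    status: int
    method: str
    url: str        # "host:port" for CONNECT, full URL otherwise
    hierarchy: str  # e.g. ORIGINAL_DST/1.2.3.4 or HIER_NONE/-


def parse_line(line: str) -> Entry:
    """Split one native-format line: time elapsed client code/status bytes
    method URL user hierarchy/host content-type (URLs contain no spaces)."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected field count: {line!r}")
    code, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6], f[8])


def host_of(entry: Entry) -> str:
    """Name the client asked for: CONNECT host (SNI when spliced) or URL host."""
    if entry.method == "CONNECT":
        return entry.url.rsplit(":", 1)[0].lower()
    m = re.match(r"https?://([^/:]+)", entry.url)
    return m.group(1).lower() if m else ""


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry: Entry) -> str:
    if entry.method == "CONNECT":
        if entry.code == "TCP_TUNNEL":
            return "spliced"        # tunnelled as-is, not decrypted
        if entry.code == "TAG_NONE":
            return "bump_step"      # step-1 peek record, no decision yet
        return "tunnel_other"
    if entry.url.startswith("https://"):
        return "decrypted"          # only loggable because TLS was bumped
    return "plaintext"


def matches_acl(host: str, acl_value: str) -> bool:
    """ssl::server_name / dstdomain semantics: a leading dot matches the
    domain itself and every subdomain; without the dot the match is exact."""
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value


def audit(log_text: str, never_bump: list) -> dict:
    """Return spliced hosts, decrypted hosts, and decrypted requests that
    hit a domain the policy says must never be bumped."""
    spliced, decrypted, violations = set(), set(), []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        kind, host = classify(e), host_of(e)
        if kind == "spliced" and not is_ip(host):
            spliced.add(host)
        elif kind == "decrypted":
            decrypted.add(host)
            if any(matches_acl(host, v) for v in never_bump):
                violations.append((e.ts, e.client, host))
    return {"spliced": spliced, "decrypted": decrypted, "violations": violations}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, [".wellsfargo.com", ".akamaihd.net"])
    for key, value in report.items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Run against a real access.log by passing its contents to `audit()` with the same ssl::server_name values used in squid.conf; an empty `violations` list is the confirmation that the splice rule took effect for the listed domains, independent of how many TAG_NONE peek records the log contains.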