Seems to me you are overthinking this. What you're up against is blocked
outbound ports. Simply run openvpn at your home over one of the allowed
outbound ports, e.g. 80, 443 or possibly 3128/8080 according to your
environment, and call it a day. You won't need proxy authentication or
haproxy etc.
On W
here is a python helper I wrote with help of previous posts. It takes
sni info from squid and returns OK if the domain is in
/etc/squid/domains_nobump.acl (I am not a coder.) Problem is it works
well for intercepted browser traffic but doesn't work when a user
tries to use an app on, e.g., an Android
Yuri- Why can't he just block the dstdomain?
---
Daniel I Greenwald
On Thu, Feb 5, 2015 at 7:32 AM, Yuri Voinov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> No way.
>
> Only before Squid - using Cisco or something like.
>
> Either Cisco acl's, or NBAR protocol discov
wrote:
> >> On 04/02/15 18:47, Daniel Greenwald wrote:
> >>> And happens to be one that squid desperately needs to remain in order
> >>> to continue ssl bumping..
> >> ...and is one that diminishes in value as cert pinning becomes more
> >> popular.
Amos Wrote:
The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs clients.
And happens to be one that squid desperately needs to remain in order to
continue ssl bumping..
---
Daniel I Greenwald
O
I have a windows server running old 2.7 for simple reason that mswin
negotiate auth works totally flawless for seamless AD authentication on ALL
browsers. Vs with samba/heimdal on *nix server users would randomly get
annoying logon popups which I could not eliminate. It may be old but it
just wo
hmm acc to how I read this page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
The following *should* work, however in my test it bumps all and does not
splice.
Yuri- I believe, the domain name should be available at step2 after peeking
in step1.
Someone correct me?
acl domains_nobump dst
Thank you Amos, I have updated to bump. Working well just the same..
Even chrome doesn't complain for google properties. Very nice.
---
Daniel I Greenwald
On Mon, Jan 26, 2015 at 12:35 PM, Yuri Voinov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> It's mistype. :)
>
>
> Hmmmmmm?
>
> 26.01.2015 19:37, Daniel Greenwald wrote:
> > See below. Nothing else too interesting. Those four lines were the key.
> >
> > http_port 3128
> > http_port 3180 intercept
> > https_port 3443 intercept ssl-bump generate-host-certificates=on
> d
> present?
>
>
> Best regards,
>
> Rafael
>
>
> ------
> *From:* squid-users on behalf
> of Daniel Greenwald
> *Sent:* Monday, January 26, 2015 5:39 AM
> *To:* Yuri Voinov
> *Cc:* squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Why 3.5.0.4 gener
else then this thread is the place:
> CentOS 7 packages are in the Testing phase and might not be stable
> enough for production.
> If you may look at the RPMs my packaging of squid is a bit different than
> the mainstream.
> One of the main differences is that the "squid&qu
Thank you Amos,
Based on your explanation I was able to make bumping work for transparent
with no browser errors in 3.5.1 by using the following. If I understand
correctly, this is actually what's required to mimic the behavior of pre 3.5
(sslbump server-first all) :
acl step1 at_step SslBump1
acl
Eliezer- I have installed the squid 3.5 on centos 7 from your repo, the
version is:
squid-3.5.0.4-1.el6.x86_64
Problem is I am not finding ssl_crtd:
find -name ssl_crtd
returns nothing.
But squid -v
does show --enable-ssl-crtd
Should I just build from source or am I missing something?
Thanks!