James Lay wrote on 06/10/2015 03:18 PM:
[CUT]
I'm going to spin this off into a new thread..."Filtering http and https
traffic" sometime later today. I have some questions, and maybe solutions.
Much appreciated and much looked forward to.. hoping I can get what I
had working with 3.4.12 - work
On Tue, 2015-06-09 at 21:39 +0200, Klavs Klavsen wrote:
> Amos Jeffries wrote on 2015-06-09 17:10:
> [CUT]
> > You have to first configure ssl_bump in a way that lets Squid receive
> > the clientHello message (step1 -> peek) AND the serverHello message
> > (step2 -> peek). Then you can use those c
Amos Jeffries wrote on 2015-06-09 17:10:
[CUT]
> You have to first configure ssl_bump in a way that lets Squid receive
> the clientHello message (step1 -> peek) AND the serverHello message
> (step2 -> peek). Then you can use those cert details to bump (step3 ->
> bump).
> The config is quite simple
On 10/06/2015 2:51 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/09/2015 03:06 PM:
>>
>> The HTTP message log (access.log) is only logging the HTTP(S) messages.
>> The non-HTTP protocols are not logged.
>>
>>>
>>> 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443
Amos Jeffries wrote on 06/09/2015 03:06 PM:
The HTTP message log (access.log) is only logging the HTTP(S) messages.
The non-HTTP protocols are not logged.
10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
On 9/06/2015 6:44 p.m., Klavs Klavsen wrote:
> Hi,
>
> James Lay just replied to me with his current config.. (pretty much like
> what he posted), and it seems he does not even try to use http_access
> rules to filter on urls from https requests..
>
> @Amos: are you certain that there's not an er
Hi,
James Lay just replied to me with his current config.. (pretty much like
what he posted), and it seems he does not even try to use http_access
rules to filter on urls from https requests..
@Amos: are you certain that there's not an error in how http_access
rules are applied to bumped con
On 5/06/2015 2:50 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/04/2015 04:19 PM:
>> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> after moving it here:
>>>
>>> http_access allow okweb-urls testsrv1
>>> http_access allow CONNECT bumpedPorts
>>> http_access deny all
>>>
>>> it still allo
On 5/06/2015 3:34 a.m., Klavs Klavsen wrote:
> I would be perfectly fine with allowing the SSL bumping to finish for
> ALL https sites - and then only block when the http request comes..
>
> I'm hoping someone can tell me what I've done wrong in my config.. I'm
> obviously not understanding how it
I would be perfectly fine with allowing the SSL bumping to finish for
ALL https sites - and then only block when the http request comes..
I'm hoping someone can tell me what I've done wrong in my config.. I'm
obviously not understanding how it works when https is involved.. it
works as intended wi
Amos Jeffries wrote on 06/04/2015 04:19 PM:
On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
after moving it here:
http_access allow okweb-urls testsrv1
http_access allow CONNECT bumpedPorts
http_access deny all
it still allows everything..
Sigh. Sorry I must be half asleep right now.
Your rules
On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
> after moving it here:
>
> http_access allow okweb-urls testsrv1
> http_access allow CONNECT bumpedPorts
> http_access deny all
>
> it still allows everything..
Sigh. Sorry I must be half asleep right now.
Your rules say:
allow ...
allow ...
a
after moving it here:
http_access allow okweb-urls testsrv1
http_access allow CONNECT bumpedPorts
http_access deny all
it still allows everything..
Amos Jeffries wrote on 06/04/2015 03:42 PM:
On 5/06/2015 1:20 a.m., Klavs Klavsen wrote:
Hi,
I added the bumpedports - and now traffic works and
On 5/06/2015 1:20 a.m., Klavs Klavsen wrote:
> Hi,
>
> I added the bumpedports - and now traffic works and is allowed.. but it
> allows everything on https.. :(
>
> Log says:
> 10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28189 TCP_TUNNEL:ORIGIN
I tried this:
http_access allow CONNECT testurls testsrv1
But that doesn't work.
Klavs Klavsen wrote on 06/04/2015 03:20 PM:
Hi,
I added the bumpedports - and now traffic works and is allowed.. but it
allows everything on https.. :(
Log says:
10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CON
Hi,
I added the bumpedports - and now traffic works and is allowed.. but it
allows everything on https.. :(
Log says:
10.xx.130.50 - - [04/Jun/2015:15:16:07 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28189 TCP_TUNNEL:ORIGINAL_DST peek
so it doesn't seem to check the http_access
oops.. forget it.. I missed I had two access logs.. the format from
James Lay - works perfectly.. sorry :)
Klavs Klavsen wrote on 06/04/2015 03:06 PM:
One thing.. now when I access a site, e.g. https://www.dr.dk
the access log says:
1433423013.540196 10.47.171.244 TCP_TUNNEL/200 187877 CON
One thing.. now when I access a site, e.g. https://www.dr.dk
the access log says:
1433423013.540196 10.47.171.244 TCP_TUNNEL/200 187877 CONNECT 159.20.6.6:443 - ORIGINAL_DST/159.20.6.6 -
instead of logging the url that was accessed..
How can I make it log the url as it did in 3.4.12?
A
Amos Jeffries wrote on 06/04/2015 01:24 PM:
acl bumpedPorts myportname 3129
acl bumpedPorts myportname 3130
http_access allow CONNECT bumpedPorts
Adding that worked.. I did not have any of that ssl_stuff in my 3.4
config (and it worked without).
Thank you very much.
--
Regards,
Klavs
On 4/06/2015 7:55 p.m., Klavs Klavsen wrote:
> Hi Amos,
>
> I tried taking the config from James.. but I have the exact same issue
> as described below :(
>
> After adding the extra logging from James' config - I get this in
> access_log:
> 1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONN
Hi Amos,
I tried taking the config from James.. but I have the exact same issue
as described below :(
After adding the extra logging from James' config - I get this in access_log:
1433404085.331 0 10.47.171.244 TCP_DENIED/200 0 CONNECT 216.58.209.106:443 - HIER_NONE/- -
which makes it s
On 3/06/2015 2:46 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/02/2015 04:10 PM:
>> On 3/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> Thank you Amos.
>>>
>>> I'll build 3.5.5 then..
>>>
>>> any config changes I need to be aware of?
>>
>> --with-openssl instead of --enable-ssl is the only o
Amos Jeffries wrote on 06/02/2015 04:10 PM:
On 3/06/2015 1:45 a.m., Klavs Klavsen wrote:
Thank you Amos.
I'll build 3.5.5 then..
any config changes I need to be aware of?
--with-openssl instead of --enable-ssl is the only one that comes to
mind right now. The release notes for 3.4 and 3.5 ha
On 3/06/2015 1:45 a.m., Klavs Klavsen wrote:
> Thank you Amos.
>
> I'll build 3.5.5 then..
>
> any config changes I need to be aware of?
--with-openssl instead of --enable-ssl is the only one that comes to
mind right now. The release notes for 3.4 and 3.5 have the lists.
Amos
>
> Amos Jeffrie
Thank you Amos.
I'll build 3.5.5 then..
any config changes I need to be aware of?
Amos Jeffries wrote on 06/02/2015 03:38 PM:
On 2/06/2015 8:33 p.m., Klavs Klavsen wrote:
I've got squid 3.4.12 on centos 7, running with ssl bumping.
options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/
On 2/06/2015 8:33 p.m., Klavs Klavsen wrote:
> I've got squid 3.4.12 on centos 7, running with ssl bumping.
> options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/ -M 4MB -b 4096
>
> After a while ssl stops working.
This would be one (or two) of the bugs fixed in the 3.4.13 release.
NOTE:
I've got squid 3.4.12 on centos 7, running with ssl bumping.
options for ssl_crtd in squid.conf: -s /etc/ssl/certs/cache/ -M 4MB -b 4096
After a while ssl stops working.
How can I make squid or ssl_crtd actually log errors?
Any hints as to what I can investigate to figure out what is happening h