Glad that it worked. May be useful to dump here your squid.conf to better understand how to configure squid to transparently work with wccp traffic coming from your Cisco router?

Raf

From: Yuri Voinov [mailto:yvoi...@gmail.com]
Sent: Tuesday, December 30, 2014 8:48 PM
To: Rafael Akchurin; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

Already found this lonely right post ;) I have Google-Fu too :) And it longer than you :)

Anyway, all of these issues solved. I have snoop (not Windoze wireshark - all great things makes in console, ya!) and take a look on single client traffic during bumping.

As I haven't iptables (no penguins, please!), but I have Cisco 2911, I pass some Windows Update, Symantec Update (which is not work too) bypassing Squid.

Cisco is greatest. All others are probably suxx :)

The complete solution looks like:

access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny ip host 192.168.200.3 any
access-list 121 remark WU bypass
access-list 121 deny tcp any 191.232.0.0 0.7.255.255
access-list 121 deny tcp any 65.52.0.0 0.3.255.255
access-list 121 remark Symantec bypass
access-list 121 deny tcp any host 195.215.221.99
access-list 121 deny tcp any host 195.215.221.104
access-list 121 deny tcp any host 213.248.114.172
access-list 121 deny tcp any host 213.248.114.173
access-list 121 deny tcp any host 213.248.114.174
access-list 121 deny tcp any host 213.248.114.175
access-list 121 deny tcp any host 77.67.22.168
access-list 121 deny tcp any host 77.67.22.171
access-list 121 deny tcp any host 77.67.22.173
access-list 121 deny tcp any host 213.248.114.171
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny ip any any

So, all others issue solves similar.

Want to do something good - do it yourself! That's the way. :)

30.12.2014 23:39, Rafael Akchurin wrote:
> Hello Yuri,
>
> Luckily the same topic was just discussed on our forum – please see if this can help https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ
>
> It describes the iptables settings for successful SSL bump exclusions for Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because of SSL Pinning).
>
> Best regards,
> Raf
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Rafael Akchurin
> Sent: Tuesday, December 30, 2014 4:23 PM
> To: Yuri Voinov; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> Only exclusion from SSL Bump as far as I know.
>
> raf
>
> -------------------------
> From: Yuri Voinov <yvoi...@gmail.com>
> Sent: Tuesday, December 30, 2014 3:19 PM
> To: Rafael Akchurin; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> May be.
>
> Does a workaround exist?
>
> 30.12.2014 20:09, Rafael Akchurin wrote:
> > SSL Pinning? (I know Dropbox does this)
> >
> > my two cents only :)
> >
> > Raf
> >
> > ________________________________________
> > From: squid-users <squid-users-boun...@lists.squid-cache.org> on behalf of Yuri Voinov <yvoi...@gmail.com>
> > Sent: Tuesday, December 30, 2014 2:12 PM
> > To: squid-users@lists.squid-cache.org
> > Subject: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> >
> > Hi gents,
> >
> > I found strange issue.
> >
> > Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
> >
> > Whenever all web https sites works perfectly - especially in Chrome,
> > most cloud clients works like charm (SpiderOak is!), Google Drive client
> > application (PC) could not work.
> >
> > Note: Web Google Docs works. Web Google drive works.
> >
> > Note: Google support info - even if I pass dozen Google URLs without
> > bump - cannot help. It doesn't work when server-first bumping is on and
> > works otherwise.
> >
> > So, the Serious Question is: Why? :)
> >
> > Any idea?

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users