Jason helped me a lot although I am still having trouble getting that helper working. It got to the point that only the website I didn't want bumped was getting bumped because I had my logic switched in the helper script to nothing getting bumped at all. Jason pointed out that I appear to be using transparent intercept proxy and that I shouldn't do that until I have everything worked out with the regular proxy since bumping is difficult to do with transparent proxy.
I have been using transparent proxy (intercept) with the https_port declaration with great success so far as seen here:

http_port 192.168.100.1:800 intercept
https_port 192.168.100.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem

For peek and splice should I not be using intercept? I will give your suggestions a try and get back to you. Also, I apologize for inadvertently not including our correspondence in the squid-users list. I was just clicking the reply button not realizing it wasn't a "reply all". I think I've got it figured out how to include the list in replies.

Thanks, Nathan.

Stan

On Wed, May 6, 2015 at 8:15 PM, Nathan Hoad <nat...@getoffmalawn.com> wrote:
> Hi Stan,
>
> Yep, I think the server_name acl in 3.5.4 should provide what you want
> without the need for an external acl now. I haven't used it as the
> external acl fits my usecase. I imagine doing something like this
> should work for server_name though...
>
> acl sni_exclusions ssl::server_name wellsfargo.com
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
>
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
>
> Hopefully your other issue with your perl helper hanging has been
> resolved by Jason's recommendation! Though if this does what you want,
> you may not need the helper.
>
> Also, please try to keep messages to the mailing list - this is all
> information that will help others :)
>
> Thanks,
>
> Nathan.
>
> On 5 May 2015 at 13:20, Stanford Prescott <stan.presc...@gmail.com> wrote:
> > Hi Nathan. I have decided to try to go ahead and try to get peek and
> > splice working for Squid on the Smoothwall Express firewall distro since
> > we will not be able to migrate to Squid 4.x when it debuts. You previously
> > kindly offered an example of a squid.conf setup for me to try to get it
> > working.
> >
> > external_acl_type sni ttl=30 concurrency=X children-max=Y
> > children-startup=Z %ssl::>sni /path/to/your/helper
> >
> > acl sni_exclusions external sni
> > acl tcp_level at_step SslBump1
> > acl client_hello_peeked at_step SslBump2
> >
> > ssl_bump peek tcp_level all
> > ssl_bump splice client_hello_peeked sni_exclusions
> > ssl_bump bump all
> >
> > Amos says he has back ported a server_name acl with the 3.5.4 release.
> > Does this now mean that the "external_acl_type" is no longer needed for
> > this sort of function? Specifically, I want to be able to allow my users
> > to enter websites that they do not want bumped, like banking websites. I
> > wasn't able to get the squid.conf and helper script example you provided
> > to work for me.
> >
> > Does the new server_name acl change how this can be done? Would you be
> > able to provide a new example for me to try based on this new acl in
> > squid 3.5.4?
> >
> > Any help is greatly appreciated.
> >
> > Stan
> >
> >
> > On Sun, Apr 12, 2015 at 7:25 PM, Nathan Hoad <nat...@getoffmalawn.com>
> > wrote:
> >>
> >> Hi Stan,
> >>
> >> For peek and splice, you need to decide based on the SNI name, not the
> >> domain name, which for 3.5 means you need to use an external ACL
> >> helper that processes %ssl::>sni. For 4.0 there will be a server_name
> >> ACL you can use instead.
> >>
> >> On top of that, you also need to make sure this external ACL helper
> >> runs at the correct "bump step", with the at_step ACL, e.g...
> >>
> >> external_acl_type sni ttl=30 concurrency=X children-max=Y
> >> children-startup=Z %ssl::>sni /path/to/your/helper
> >>
> >> acl sni_exclusions external sni
> >> acl tcp_level at_step SslBump1
> >> acl client_hello_peeked at_step SslBump2
> >>
> >> ssl_bump peek tcp_level all
> >> ssl_bump splice client_hello_peeked sni_exclusions
> >> ssl_bump bump all
> >>
> >> Hope that helps,
> >>
> >> Nathan.
> >>
> >> On 13 April 2015 at 04:12, Stanford Prescott <stan.presc...@gmail.com>
> >> wrote:
> >> > I would like to give my users the ability to "not bump" certain
> >> > sites. I tried to use the examples given on the SSLPeekandSplice wiki
> >> > page but can't get it to work.
> >> >
> >> > This is a snippet of my squid.conf file.
> >> >
> >> > https_port 192.168.10.1:808 intercept ssl-bump
> >> > generate-host-certificates=on
> >> > dynamic_cert_mem_cache_size=4MB
> >> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> >> >
> >> > http_port 192.168.20.1:800 intercept
> >> > https_port 192.168.20.1:808 intercept ssl-bump
> >> > generate-host-certificates=on
> >> > dynamic_cert_mem_cache_size=4MB
> >> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> >> >
> >> > http_port 127.0.0.1:800 intercept
> >> >
> >> > sslproxy_cert_error allow all
> >> > sslproxy_flags DONT_VERIFY_PEER
> >> > sslproxy_session_cache_size 4 MB
> >> >
> >> > acl serverIsBank dstdomain wellsfargo.com
> >> >
> >> > ssl_bump server-first all
> >> >
> >> > ssl_bump none localhostgreen
> >> > ssl_bump none localhostpurple
> >> >
> >> > ssl_bump splice serverIsBank
> >> > ssl_bump peek all
> >> > ssl_bump bump all
> >> > sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
> >> > /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> >> > sslcrtd_children 5
> >> >
> >> >
> >> > When I start squid I don't get any error messages and all pages, http
> >> > and https, load properly. The problem is, using the example above, the
> >> > https://www.wellsfargo.com website is still getting bumped, evidenced
> >> > by the appearance of the ssl website in the web proxy access logs. When
> >> > I don't have ssl_bump enabled then no https websites appear in the
> >> > access logs, as it should be. But, enabling ssl_bump and peek and
> >> > splice, web sites that I am trying not to bump still seem to be getting
> >> > bumped.
> >> >
> >> > Any suggestions on how to properly "not bump" certain websites?
> >> >
> >> > Thanks,
> >> >
> >> > Stan
> >> >
> >> > _______________________________________________
> >> > squid-users mailing list
> >> > squid-users@lists.squid-cache.org
> >> > http://lists.squid-cache.org/listinfo/squid-users
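An SNI exclusion helper of the kind the external_acl_type line in the thread expects, added here as an example in Python; it is neither the Perl helper discussed in the thread nor Squid project code. It assumes the exclusion list is hard-coded and that Squid starts it with concurrency=N, so each request line carries a channel id (the --no-concurrency flag is this example's own construct for the other case). It answers OK for names to splice and ERR for everything else, and flushes stdout after each reply, since an unflushed block-buffered stdout is a common reason such a helper appears to hang.

```python
import sys

# Constructed exclusion list for this example: names that must be spliced,
# not bumped. A name matches itself and any subdomain of it.
EXCLUDED_SNI = {"wellsfargo.com"}


def sni_is_excluded(sni, exclusions=EXCLUDED_SNI):
    """True when the SNI is an excluded name or a subdomain of one.
    Squid passes "-" when the client sent no SNI; that never matches."""
    if not sni or sni == "-":
        return False
    host = sni.strip().lower().rstrip(".")
    return any(host == name or host.endswith("." + name) for name in exclusions)


def handle_line(line, concurrent=True):
    """Build Squid's reply for one request line built from %ssl::>sni.
    With concurrency=N the line is "<channel-id> <sni>" and the reply must
    echo the channel id; without it the line is just "<sni>"."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None  # blank line: nothing to answer
    if concurrent:
        channel = parts[0]
        sni = parts[1] if len(parts) > 1 else "-"
        return "%s %s" % (channel, "OK" if sni_is_excluded(sni) else "ERR")
    return "OK" if sni_is_excluded(parts[0]) else "ERR"


def main():
    # --no-concurrency (this example's own flag) for an external_acl_type
    # line that has no concurrency= option.
    concurrent = "--no-concurrency" not in sys.argv[1:]
    # iter(readline, "") answers each line as it arrives instead of waiting
    # for a read-ahead buffer to fill.
    for line in iter(sys.stdin.readline, ""):
        reply = handle_line(line, concurrent)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            # Block-buffered stdout is the classic reason a helper looks hung:
            # Squid never sees the reply until the buffer fills.
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With `acl sni_exclusions external sni` and the peek/splice rules from the thread, OK makes the splice rule match and ERR lets the connection fall through to `ssl_bump bump all`.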