> acl s1_tls_connect at_step SslBump1
> acl s2_tls_client_hello at_step SslBump2
> acl s3_tls_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex \
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> You have a letter 'n' on the end there, is that intentional?

It would seem so. I copied that from someone else's "peek-splice" directives that they said worked well for them. The actual regex in the perl script that writes squid.conf is:

print FILE "acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";

> acl google ssl::server_name .google.com
> ssl_bump peek s1_tls_connect all
>
> acl nobumpSites ssl::server_name .wellsfargo.com
>
> ssl_bump splice s2_tls_client_hello nobumpSites
> ssl_bump splice s2_tls_client_hello google
>
> ssl_bump stare s2_tls_client_hello all
>
> ssl_bump bump s3_tls_server_hello all
>
> cache_peer forcesafesearch.google.com parent 443 0 \
> ssl name=GS originserver \
> no-query no-netdb-exchange no-digest
>
> acl search dstdomain .google.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all

> I think the fake-CONNECT Squid creates still has only raw-IP:port
> details. And with splicing you don't have the decrypt to setup dstdomain
> URL details.
>
> For dstdomain you need to match what shows up in access.log as the URI
> of these requests.
>
> Does the "google" ACL work in cache_peer_access to use the SNI?

The "dstdomain .google.com" was taken directly from an example that was provided. When I try to access google.com the error message says a "secure connection could not be established to http://google.com". It seems the "redirect to https" isn't working using the acl "acl google ssl::server_name .google.com" in "cache_peer_access". If I enter instead https://google.com then I don't get that error, but inappropriate Google images are still not blocked.
When I look at the access.log, all I see are IP addresses for the domains for CONNECTs, like this:

1441396051.210 62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.330 61 10.3.3.100 TCP_MISS/503 3640 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.390 58 10.3.3.100 TCP_MISS/503 3672 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795 81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396097.830 87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.172:443 - ORIGINAL_DST/74.125.227.172 -
1441396098.115 93 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396098.877 79 10.3.3.100 TCP_MISS/200 840 POST http://clients1.google.com/ocsp - ORIGINAL_DST/74.125.227.168 application/ocsp-response
1441396098.878 622 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.160:443 - HIER_NONE/- -
1441396098.878 621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396099.078 92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.217:443 - ORIGINAL_DST/74.125.227.217 -
1441396099.189 106 10.3.3.100 TCP_MISS/200 809 GET https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=DQAAAMQAAAA4q0535ee2zf0UOZwVQ6_S4mSWjf5Kb4fXl9x3McqtJiWrkQIQToYoQiKlpOleH4gYm8RDSWUaDvvHLQqnRZUq0hgjBst5H7svmtOGMUQJWwIv_orC8WVMfxr91CPgT5DFQ-5IULxyQsXmTMj9gOrFQ6S3PA86VzwCr1buDy8gaOeX_wF-hzw52PmkI5fEDNXwc5rhvhFkZ0epUswSyOMIWKqbgKDwcM3MpxD8WsDKiPdKyTD7qlNjZfxKqKO2EBJD2pbu24zhvuCHX7baeaPt - ORIGINAL_DST/74.125.227.217 image/gif
1441396112.635 99 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396114.575 85 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396123.684 92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396124.205 87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396127.192 84 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.205:443 - ORIGINAL_DST/74.125.227.205 -

I don't know how to tell if the SNI is being used in cache_peer_access other than, as I mentioned above, only IP addresses appear in access.log for the .google.com domain.

> The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
> security on the outgoing server connection when going DIRECT (not to the
> cache_peer). Making the sslproxy_cert_error rules useless.

You've mentioned this before.
The problem is with my squid.conf: if it doesn't have DONT_VERIFY_PEER, ssl-bump does not work at all. Is there a better way to set up ssl-bump than what I have that doesn't use DONT_VERIFY_PEER? Here is my complete squid.conf. Hope it is helpful.

visible_hostname smoothwallu3
# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.3.3.1
acl localnetgreen src 10.3.3.0/24
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.3.3.1:800 intercept
https_port 10.3.3.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
http_port 127.0.0.1:800 intercept
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl google ssl::server_name .google.com
ssl_bump peek s1_tls_connect all
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer forcesafesearch.google.com parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com/imghp
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
http_access deny all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 100
cache_swap_low 80
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir diskd /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
logfile_rotate 0
strip_query_terms off

On Fri, Sep 4, 2015 at 2:09 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 5/09/2015 5:48 a.m., Stanford Prescott wrote:
> > I have tried to enable safe searching with Squid 3.5.7 using ssl-bump
> > splice but when I enable it, browsing to https://google.com generates a
> > Squid error page saying there is no valid certificate. Browsing to all
> > other https sites loads the pages correctly and all other SSL-bump sites
> > get bumped and displayed correctly.
> >
> > Has anyone had any luck getting this to work? Here are the relevant
> > squid.conf entries
> >
>
> Please use 3.5.8. The ssl_bump behaviour got some more important fixes
> recently.
>
> >
> > acl s1_tls_connect at_step SslBump1
> > acl s2_tls_client_hello at_step SslBump2
> > acl s3_tls_server_hello at_step SslBump3
> >
> > acl tls_server_name_is_ip ssl::server_name_regex \
> > ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
>
> You have a letter 'n' on the end there, is that intentional?
>
> >
> > acl google ssl::server_name .google.com
> > ssl_bump peek s1_tls_connect all
> >
> > acl nobumpSites ssl::server_name .wellsfargo.com
> >
> > ssl_bump splice s2_tls_client_hello nobumpSites
> > ssl_bump splice s2_tls_client_hello google
> >
> > ssl_bump stare s2_tls_client_hello all
> >
> > ssl_bump bump s3_tls_server_hello all
> >
> > cache_peer forcesafesearch.google.com parent 443 0 \
> > ssl name=GS originserver \
> > no-query no-netdb-exchange no-digest
> >
> > acl search dstdomain .google.com
> > cache_peer_access GS allow search
> > cache_peer_access GS deny all
>
> I think the fake-CONNECT Squid creates still has only raw-IP:port
> details. And with splicing you don't have the decrypt to setup dstdomain
> URL details.
>
> For dstdomain you need to match what shows up in access.log as the URI
> of these requests.
>
> Does the "google" ACL work in cache_peer_access to use the SNI?
>
> >
> >
> > sslproxy_cert_error allow tls_server_name_is_ip
> >
> > sslproxy_cert_error deny all
> > sslproxy_flags DONT_VERIFY_PEER
> >
>
> The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
> security on the outgoing server connection when going DIRECT (not to the
> cache_peer). Making the sslproxy_cert_error rules useless.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
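A check added here, not from the thread or from Squid, that runs Amos's question over the access.log excerpt above: it parses native-format entries, separates CONNECT hosts that are raw IPs (which a dstdomain ACL cannot match) from named ones, and compares the tls_server_name_is_ip regex exactly as the generated squid.conf contains it against the one the Perl print statement was meant to write. The sample log is constructed from the CONNECT and GET lines quoted above plus one made-up named-host CONNECT for contrast.

```python
import re

# Constructed sample in Squid native access.log format: three entries copied
# from the thread, plus one made-up CONNECT with a hostname instead of an IP.
SAMPLE_LOG = """\
1441396097.795 81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396098.878 621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396051.210 62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396200.000 90 10.3.3.100 TAG_NONE/200 0 CONNECT www.google.com:443 - ORIGINAL_DST/74.125.227.191 -
"""

# The ACL pattern as the generated squid.conf has it: unescaped dots, a stray
# literal 'n' and no end anchor. In a Perl double-quoted string "\." drops its
# backslash and "$\" is interpolated (the output record separator, empty by
# default), which is exactly how "...$\n\n" turns into "...n" plus a newline.
REGEX_AS_WRITTEN = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+n")
# The pattern the print statement was meant to produce.
REGEX_INTENDED = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")


def parse_native_line(line):
    """Split one native-format access.log line into the fields used here."""
    ts, elapsed, client, status, size, method, url, user, hier, ctype = line.split(maxsplit=9)
    return {"method": method, "url": url, "status": status, "hier": hier}


def request_host(entry):
    """Host part of the logged URI: 'host:port' for CONNECT, URL host otherwise."""
    url = entry["url"]
    if entry["method"] == "CONNECT":
        return url.rsplit(":", 1)[0]
    return url.split("/", 3)[2]


def connect_hosts_by_kind(log_text, ip_regex=REGEX_INTENDED):
    """Return (raw_ip_hosts, named_hosts) for the CONNECT entries in log_text.

    Only named hosts give dstdomain something to match; with the regex as
    written in the thread nothing is ever classified as an IP.
    """
    ip_hosts, named_hosts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_native_line(line)
        if entry["method"] != "CONNECT":
            continue
        host = request_host(entry)
        (ip_hosts if ip_regex.match(host) else named_hosts).append(host)
    return ip_hosts, named_hosts
```

Run against a real access.log, an empty named-host list for the .google.com traffic confirms what the thread observed: the fake CONNECTs carry only IP:port, so the dstdomain ACL never sees a name.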