Hi Alex, okay, I think I understand a little more.
I am trying to get the old server-first method working with the new peek and splice, but without success. I have built an RPM package with the latest 3.5.11 source, based on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm. Squid is configured with SSL bump similar to the configuration suggested by Sebastian.

In my view it's a good idea to give a detailed description of my setup with real IPs and hostnames:

1. Client machine
   OS: CentOS 6.6 x86_64
   IP: 10.0.0.2/24 (internal network)
   Default Gateway: 10.0.0.1 (= Squid machine)

2. Squid machine
   OS: CentOS 6.6 x86_64
   IP 1: 10.0.0.1/24 (internal network)
   IP 2: 172.31.1.15/24 (outgoing interface, behind a router)

# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.1:3129
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.0.0.1:3443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# squid -v
Squid Cache: Version 3.5.11
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

# Squid configuration file

# Rules allowing access from your local networks
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Only allow purge from localhost (squidclient -m PURGE <object-url>)
acl Purge method PURGE
http_access allow localhost Purge
http_access deny Purge

# Allow access from your local networks
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 10.0.0.1:3129 intercept
https_port 10.0.0.1:3443 intercept ssl-bump cert=/etc/squid/certs/bettermarks.com-chain.crt key=/etc/squid/certs/bettermarks.com-unsecure.key

## Memory only caching
# Cache memory size (default: 256 MB)
cache_mem 512 MB
# Max object size in memory (default: 512 KB)
maximum_object_size_in_memory 2 MB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

## Refresh patterns
# BM static
refresh_pattern -i ^https:\/\/(school|cdn)\.bettermarks\.com\/static\/.*? 1440 100% 1440
# BM dynamic
refresh_pattern -i ^https:\/\/school\.bettermarks\.com\/.*? 0 0% 0
# default
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Cache log
debug_options ALL,1 33,5 83,5 89,5

My first goal is to replace the old working server-first bumping method:

# SSL Bump
acl MYSITE dst 212.45.105.89
ssl_bump server-first MYSITE
ssl_bump none all

with the new peek and splice method:

# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all

The hostname school.bettermarks.com has the dedicated IP address 212.45.105.89 and points to an F5 load balancer that terminates SSL for *.bettermarks.com using the same certificate as Squid.

I have called the following command on the client machine:

# curl -v https://school.bettermarks.com/static/flexclient4/bm_exerciseseries.swf -o /dev/null
* About to connect() to school.bettermarks.com port 443 (#0)
*   Trying 212.45.105.89... connected
* Connected to school.bettermarks.com (212.45.105.89) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The command has failed after a while with:

* NSS error -5938
* Closing connection #0
* SSL connect error

Squid's access.log:

1447179870.180    172 10.0.0.2 TAG_NONE/200 0 CONNECT 212.45.105.89:443 - ORIGINAL_DST/212.45.105.89 -

More information follows in my next post (to not exceed the maximum post size).

Stefan

On Tuesday, 10.11.2015, 08:49 -0700, Alex Rousskov wrote:
> On 11/10/2015 07:05 AM, Stefan Kutzke wrote:
>> My assumption is that I have to use in Squid's config:
>>
>> acl MYSITE ssl::server_name .mydomain.com
>> ssl_bump bump MYSITE
>> ssl_bump splice all
>>
>> This results in tunneling all https traffic, nothing will be bumped and
>> cached.
>
> Yes, probably because MYSITE (ssl::server_name) often needs SNI and SNI
> is not available during step1 when MYSITE is evaluated in your config.
> In other words, your config is equivalent to "ssl_bump splice all"
> unless reverse DNS works perfectly well.
>
>> I'm a little bit confused about the documentation:
>>
>> Under the headline "Processing steps":
>> *Step 2:* 1. Get TLS clientHello info, including *SNI* where available.
>>
>> Under the headline "Actions":
>> peek/stare Receive client *SNI (step1)*, ...
>
> I know it is confusing, but I cannot find a better way to explain this
> in brief documentation without pictures. Improvements are welcomed.
>
> The key here is that ssl_bump rules are evaluated at the end of a step
> and usually allow Squid to do something at the beginning of the next
> step. For example, during step1, Squid does not have SNI. If a peek
> rule matches during step1, then Squid proceeds to step2. At the
> beginning of step2, Squid gets SNI. Thus, a step1 peek rule controls
> whether Squid will get SNI (during step2).
>
>> Is it possible to achieve my goal with Squid in transparent mode?
>
> It should be possible, but I do not know whether anybody has done
> exactly that, so there could be some minor bugs along the way. You need
> the configuration suggested by Sebastian and the latest Squid you can
> build.
>
> HTH,
> Alex.
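A small triage script for access.log, added here as an example; it is not code from this thread or from Squid. It parses lines in Squid's default "squid" logformat and separates spliced tunnels (TCP_TUNNEL) from the zero-byte TAG_NONE CONNECT entries that the bumping path logs, then pairs each of those with the decrypted https:// requests that follow from the same client, so a completed bump can be told from a CONNECT whose handshake failed, which is what the curl run in the post produced. It also counts cache hits on decrypted requests, which is the only place the refresh_pattern rules for the bumped site can show any effect. The first sample line is the one quoted in the post; the other lines, the host 93.184.216.34 and the 30-second pairing window are constructed assumptions.

```python
"""Triage Squid access.log lines from an ssl_bump (peek/splice) setup.

Added example; not code from the squid-users thread or from Squid.
Assumes the default "squid" logformat:
  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample. Line 1 is the entry quoted in the post (a CONNECT with
# no decrypted request behind it: the curl handshake failed). The rest are
# made up for illustration: a spliced tunnel to an unrelated host, then a
# CONNECT that was bumped and followed by two decrypted requests, one of
# them served from cache_mem.
SAMPLE_LOG = """\
1447179870.180    172 10.0.0.2 TAG_NONE/200 0 CONNECT 212.45.105.89:443 - ORIGINAL_DST/212.45.105.89 -
1447179901.004    310 10.0.0.2 TCP_TUNNEL/200 5821 CONNECT 93.184.216.34:443 - ORIGINAL_DST/93.184.216.34 -
1447179935.512     25 10.0.0.2 TAG_NONE/200 0 CONNECT 212.45.105.89:443 - ORIGINAL_DST/212.45.105.89 -
1447179935.640    128 10.0.0.2 TCP_MISS/200 4112 GET https://school.bettermarks.com/ - ORIGINAL_DST/212.45.105.89 text/html
1447179936.021     12 10.0.0.2 TCP_MEM_HIT/200 20480 GET https://school.bettermarks.com/static/flexclient4/bm_exerciseseries.swf - HIER_NONE/- application/x-shockwave-flash
"""


def parse_line(line):
    """Split one access.log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["ms"] = int(e["ms"])
    e["status"] = int(e["status"])
    e["bytes"] = int(e["bytes"])
    return e


def triage(log_text, window=30.0):
    """Classify CONNECT entries and count cache hits on decrypted requests.

    Returns a dict with "host:port" lists under "spliced", "bumped" and
    "connect_failed", plus "cache_hits". Pairing a zero-byte CONNECT with
    later https:// requests from the same client inside `window` seconds
    is a heuristic (assumed window, not a Squid rule).
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    decrypted = [e for e in entries
                 if e["method"] != "CONNECT" and e["url"].startswith("https://")]
    out = {"spliced": [], "bumped": [], "connect_failed": [], "cache_hits": 0}
    for e in entries:
        if e["method"] != "CONNECT":
            # Only bumped traffic yields https:// request lines; *_HIT means
            # the cache served it, so the refresh_pattern actually applied.
            if e["url"].startswith("https://") and e["code"].endswith("_HIT"):
                out["cache_hits"] += 1
            continue
        if e["code"] == "TCP_TUNNEL":
            # Spliced: bytes passed through untouched, nothing to cache.
            out["spliced"].append(e["url"])
        elif e["code"] == "TAG_NONE" and e["bytes"] == 0:
            # Bumping path: Squid answered the intercepted CONNECT itself.
            followed = any(r["client"] == e["client"]
                           and e["ts"] <= r["ts"] <= e["ts"] + window
                           for r in decrypted)
            out["bumped" if followed else "connect_failed"].append(e["url"])
    return out


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Run it against a real access.log (`triage(open("/var/log/squid/access.log").read())`) after a test download: a zero-byte TAG_NONE CONNECT with nothing decrypted behind it is the signature of the failure in the post, a TCP_TUNNEL line means the rules spliced instead of bumped, and a non-zero cache_hits count confirms that bumped objects are actually being served from cache_mem.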
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users