Thanks again Yuri. I have tried blocking udp protocol on port 80 and 443 but without luck.
Is it possible to make google sites work in transparent mode without bumping? Only splicing?

Thanks

2016-01-03 10:11 GMT-03:00 Alejandro Martinez <ajm.marti...@gmail.com>:

> Sorry my corrector.
> I want to say that i am going to check blocking quic proto.
>
> Sorry
> On 03/01/2016 10:10, "Alejandro Martinez" <ajm.marti...@gmail.com>
> wrote:
>
>> Yuri
>>
>> Thanks.
>>
>> I amor.gringaus to checkpoint blocking quic.
>>
>> I can't put ca cert into clients because I don't have access but I do not
>> want to bump, just allow almost everything and deny only a few sites.
>>
>> I will tell you my result.
>> On 03/01/2016 06:22, "Yuri Voinov" <yvoi...@gmail.com> wrote:
>>
>>> Sure,
>>>
>>> my config is quite different.
>>>
>>> Also - did you put cache CA cert into clients? And - did you block QUIC
>>> in your infrastructure? As described here:
>>>
>>> http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
>>> ?
>>>
>>> 03.01.16 8:28, Alejandro Martinez wrote:
>>>
>>> Yuri
>>>
>>> Do you have something different in your config?
>>>
>>> Thanks
>>> On 02/01/2016 17:18, "Yuri Voinov" <yvoi...@gmail.com> wrote:
>>>
>>>> Don't think so.
>>>>
>>>> Google's HTTPS's works for me without any alerts in Chrome :) With
>>>> bump! ;)
>>>>
>>>> 03.01.16 2:12, Nir Krakowski wrote:
>>>> > It's called certificate pinning:
>>>> > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>>>> >
>>>> > Nir.
>>>> >
>>>> > On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
>>>> > <ajm.marti...@gmail.com> wrote:
>>>> >
>>>> >> Hi all,
>>>> >>
>>>> >> I'm using squid 3.5.12.
>>>> >>
>>>> >> This is my relevant config:
>>>> >>
>>>> >> http_port 881
>>>> >> http_port 880 intercept
>>>> >> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>>>> >> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
>>>> >> sslcrtd_children 8 startup=1 idle=1
>>>> >>
>>>> >> #### Denied Users
>>>> >> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
>>>> >> http_access deny equipos_denegados
>>>> >> deny_info DENY equipos_denegados
>>>> >>
>>>> >> #### Allowed users
>>>> >> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
>>>> >> http_access allow equipos_permitidos
>>>> >> ####
>>>> >>
>>>> >> #### Denied Sites
>>>> >> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
>>>> >> http_access deny sitios_denegados
>>>> >> ####
>>>> >>
>>>> >> #### Block HTTPS
>>>> >> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
>>>> >> ssl_bump terminate blockhttps
>>>> >> ssl_bump splice equipos_permitidos
>>>> >> ssl_bump peek all
>>>> >> ssl_bump splice all
>>>> >> ####
>>>> >>
>>>> >> sslproxy_cert_error allow all
>>>> >> sslproxy_flags DONT_VERIFY_PEER
>>>> >> sslproxy_options NO_SSLv3:NO_SSLv2
>>>> >>
>>>> >> Basically I'm using squid to allow everything and deny some users (hosts)
>>>> >> and some sites (http and https).
>>>> >>
>>>> >> If I use IE or Firefox (Win/Lin), everything works great, if I access a
>>>> >> site via HTTP the user sees a message and if he accesses via HTTPS the
>>>> >> connection is terminated and there is an error on the browser.
>>>> >>
>>>> >> But, if I access any google site using chrome (windows / linux) the sites
>>>> >> are getting bumped (google.com, google.com.X, youtube.com, etc)
>>>> >>
>>>> >> The browser complains with a "Your connection is not private" and the
>>>> >> certificate is my own certificate.
>>>> >>
>>>> >> I'm missing something ?
>>>> >>
>>>> >> I only want to splice everything.
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> _______________________________________________
>>>> >> squid-users mailing list
>>>> >> squid-users@lists.squid-cache.org
>>>> >> http://lists.squid-cache.org/listinfo/squid-users