On 2016-01-26 15:59, Panda Admin wrote:
> Hello,
>
> I am attempting to terminate https traffic based on ACLs using ssl_bumping
> WITHOUT de-crypting the traffic in intercept/transparent mode. Has anyone
> got this to work before? I have copied my configuration and what my iptables
> nat rules look like.
>
> I am using squid 3.5.13 with the following compile options:
>
> Squid Cache: Version 3.5.12
> Service Name: squid
> configure options: '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=/lib/squid3' '--datadir=/share/squid3'
> '--sysconfdir=/etc/squid3' '--with-default-user=proxy'
> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
> '--with-openssl' '-enable-ssl-crtd' '--enable-icap-client'
> '--with-large-files' --enable-ltdl-convenience
>
> squid.conf:
>
> acl social dstdomain .google.com .facebook.com .reddit.com
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump stare step2 all
> ssl_bump terminate social
> acl localnet src 192.168.50.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 3128 transparent
> https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
> cache_dir ufs /cache/squid3/spool 100 16 256
> access_log syslog:local5.info squid
> coredump_dir /var/spool/squid3
> url_rewrite_program /usr/bin/squidGuard -c /cache/config/daemons/squidguard/squidGuard.conf
> url_rewrite_children 15
> url_rewrite_access allow all
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> iptables -L -v -t nat (only relevant rules):
>
> Chain PREROUTING (policy ACCEPT 1083 packets, 233K bytes)
>  pkts bytes target prot opt in   out  source    destination
>   157  9420 DNAT   tcp  --  eth1 any  anywhere  anywhere     tcp dpt:https to:192.168.11.1:3129
>
> Chain PREROUTING-daemon-tcp (1 references)
>  pkts bytes target prot opt in   out  source    destination
>   443 26580 DNAT   tcp  --  eth1 any  anywhere  anywhere     tcp dpt:http /* 7:PFD::CF-3128 */ to:192.168.11.1:3128
>     0     0 DNAT   tcp  --  eth2 any  anywhere  anywhere     tcp dpt:http /* 8:PFD::CF-3128 */ to:172.17.0.1:3128
>
> Right now I can't get it to terminate ANY https traffic. All it does is allow
> it through.
> Any and all help would be greatly appreciated!
>
> ~ Extremely Confused Squid User ~
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Read: http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389

I'm doing exactly what you're wanting.

James