Many thanks, ASAP I will try. V

2016-03-21 20:01 GMT+01:00 Jason Haar <jason_h...@trimble.com>:
> It's really not much more than what I first posted (I can't send my config
> - it's pretty specific to our site - you'll have to figure out the standard
> stuff yourself)
>
> So this will make a squid-3.5 server capable of doing "transparent HTTPS"
> without any fiddling with the transactions. Of course it assumes you
> already know how to redirect port 443 traffic onto your proxy, and know how
> to reconfigure the OS to support that too (ie same as transparent HTTP on
> port 80)
>
> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
>
> On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <vitoantonio.smald...@istruzione.it> wrote:
>
>> Hi all,
>> great, I'm just searching for this. Jason can you kindly post the whole
>> squid.conf?
>> Thanks
>> V
>>
>> 2016-03-20 22:29 GMT+01:00 Jason Haar <jason_h...@trimble.com>:
>>
>>> Hi there
>>>
>>> I'm wanting to use tls intercept to just log (well OK, and potentially
>>> block) HTTPS sites based on hostnames (from SNI), but have had problems
>>> even in peek-and-splice mode. So I'm willing to compromise and instead just
>>> intercept that traffic, log it, block on IP addresses if need be, and don't
>>> use ssl-bump beyond that.
>>>
>>> So far the following seems to work perfectly, can someone confirm this
>>> is "supported" - ie that I'm not relying on some bug that might get fixed
>>> later? ;-)
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
>>> sslcrtd_children 32 startup=15 idle=5
>>> acl SSL_https port 443
>>> ssl_bump splice SSL_https
>>> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
>>> http_access deny BlacklistedHTTPSsites
>>>
>>> The "bug" comment comes down to how acl seems to work. I half-expected
>>> the above not to work - but it does. It would appear squid will treat an
>>> intercept's dst IP as the "dns name" as that's all it's got - so
>>> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
>>> IP addresses
>>>
>>> I was hoping I wouldn't need ssl-bump at all, but you need squid to be
>>> running a https_port, and for it to support "intercept", and to do that
>>> squid insists on "ssl-bump" too - although that seems likely was a
>>> programmer assumption that didn't include people like me doing mad things
>>> like this? :-). I'd also guess I don't need 32 children/etc - 1 would
>>> suffice as it's never used?
>>>
>>> So the end result is that all CONNECT and/or intercept SSL/TLS traffic
>>> is supported via the proxy, with all TLS security decisions residing on the
>>> client. I get my logs, and if I want to block some known bad IP address, I
>>> can: CONNECT causes a 403 HTTP error page and intercept basically ditches
>>> the tcp/443 connection - which is as good as it gets without getting into
>>> the wonderful world of real "bump"
>>>
>>> --
>>> Cheers
>>>
>>> Jason Haar
>>> Information Security Manager, Trimble Navigation Ltd.
>>> Phone: +1 408 481 8171
>>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> --
>> Vito A. Smaldino
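A small model of the ACL behaviour Jason describes in the thread (an IP literal in the dstdomain list matches both a CONNECT request and an intercepted tcp/443 flow, while a hostname entry can only match CONNECT because a spliced intercept gives Squid nothing but the destination IP). This is an added example, not code from the thread or from Squid itself; the sample ACL file contents, the simplified dstdomain matching rules and the helper names are assumptions, and the intercept rule is taken from the post rather than from Squid source.

```python
import ipaddress

# Constructed stand-in for /etc/squid/acl-BlacklistedHTTPSsites.txt
# (not the poster's file): an IP literal, a bare host, a dotted domain.
SAMPLE_ACL_FILE = """\
# known-bad address, should be blocked for CONNECT and intercept alike
203.0.113.7
bad.example.net
.tracker.example
"""

def load_dstdomain_acl(text):
    """One entry per line, '#' comments and blanks ignored, lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries

def dstdomain_matches(entries, name):
    """Simplified dstdomain rule: a leading dot matches the domain and its
    subdomains; any other entry (IP literals included) matches exactly."""
    name = name.lower()
    for e in entries:
        if e.startswith(".") and (name == e[1:] or name.endswith(e)):
            return True
        if not e.startswith(".") and name == e:
            return True
    return False

def squid_would_deny(entries, kind, host=None, dst_ip=None):
    """The thread's observation as a rule: CONNECT is matched on the requested
    hostname; an intercepted, spliced connection only has the destination IP,
    so that is the 'dns name' the ACL sees (assumption taken from the post)."""
    key = host if kind == "CONNECT" else dst_ip
    return dstdomain_matches(entries, key)

def ineffective_for_intercept(entries):
    """Entries that are not IP literals: with this splice-only config they
    can match CONNECT requests but never an intercepted tcp/443 flow."""
    flagged = []
    for e in entries:
        try:
            ipaddress.ip_address(e.lstrip("."))
        except ValueError:
            flagged.append(e)
    return flagged
```

Running ineffective_for_intercept over a real blacklist file is a quick way to spot entries that will silently never fire for intercepted clients under this configuration.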