Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Vito A. Smaldino
Many thanks, ASAP I will try.

V

2016-03-21 20:01 GMT+01:00 Jason Haar :

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
It's really not much more than what I first posted (I can't send my config
- it's pretty specific to our site - you'll have to figure out the standard
stuff yourself)

So this will make a squid-3.5 server capable of doing "transparent HTTPS"
without any fiddling with the transactions. Of course it assumes you
already know how to redirect port 443 traffic onto your proxy, and know how
to reconfigure the OS to support that too (ie same as transparent HTTP on
port 80)

acl BlacklistedHTTPSsites dstdomain
"/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert
 cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https


On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <
vitoantonio.smald...@istruzione.it> wrote:



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Vito A. Smaldino
Hi all,
Great, I'm just searching for this. Jason, can you kindly post the whole
squid.conf?
Thanks
V

2016-03-20 22:29 GMT+01:00 Jason Haar :



Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Jason Haar
Yeah I know that, but there are issues with invoking peek: like the host
forgery checks suddenly kick in, and squid starts seeing SSL errors
(probably due to CentOS6 not supporting the newest standards that Chrome
uses) and then squid starts blocking things. That's why I'm sticking to
this simplest case for the moment and avoiding the "peek" call.


Thanks!

Jason

On Mon, Mar 21, 2016 at 8:53 PM, Amos Jeffries  wrote:




-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [squid-users] intercepting tcp/443 purely for logging purposes

2016-03-21 Thread Amos Jeffries
On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
> 
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
> 
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
> 

It is supported.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain
> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> 
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses

This is because the ssl_bump rules are saying to splice immediately when
only the pseudo-CONNECT with an IP address is known.

If you use this:
 ssl_bump peek all
 ssl_bump splice all

it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-through. Then it will have that domain
and any other non-encrypted details available for logging.

Amos

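An added example, not the thread's or the Squid project's own configuration: it combines the https_port and helper lines Jason posted with Amos's peek-then-splice rules, adds a hostname blocklist that is checked once the SNI is known, and logs the SNI and server certificate subject without decrypting anything. The at_step and ssl::server_name ACL types, the logformat codes and the BlockedTLSnames file are assumed from Squid 3.5's documentation, not taken from the thread.

```conf
# Added example; not the thread's or the Squid project's own config.
# Port, CA paths and helper settings are the ones from Jason's post.
# at_step, ssl::server_name, the logformat codes and the BlockedTLSnames
# file are assumed from Squid 3.5's documentation.

https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5

acl SSL_https port 443

# IP-based deny on the (pseudo-)CONNECT, as in the thread. At SslBump step 1
# an intercepted connection is known only by its destination IP, so only IP
# entries in this list can ever match intercepted traffic.
acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites

# WEAK (Jason's original rule, kept here commented out): splicing at step 1
# never reads the ClientHello, so a hostname in a dstdomain list silently
# never matches intercepted traffic. The blocklist looks like it works but
# only its IP entries do.
#   ssl_bump splice SSL_https

# CORRECTED (Amos's peek/splice, with a hostname check in between).
# Step 1: peek reads the ClientHello, making the SNI available.
# Step 2: peek reads the server certificate without decrypting anything.
# Step 3: the peek rule no longer applies and the session is spliced through.
# The terminate rule is evaluated at every step and closes the connection as
# soon as the SNI or certificate name matches an entry in the list.
acl BlockedTLSnames ssl::server_name "/etc/squid/acl-BlockedTLSnames.txt"
ssl_bump terminate BlockedTLSnames
ssl_bump peek all
ssl_bump splice all

# As Jason noted, peeking also enables Squid's host-forgery check on the
# intercepted destination; compare the log against the old behaviour after
# switching.

# Log SNI and server certificate subject for 443 traffic only.
# %ssl::>sni is empty when the client sends no SNI; the IP in %ru remains.
logformat tlslog %ts.%03tu %>a %>p %ru %Ss/%03>Hs %ssl::>sni %ssl::<cert_subject
access_log /var/log/squid/tls.log tlslog SSL_https
```

All TLS security decisions still rest with the client, since no connection is bumped; the proxy only reads the cleartext handshake fields and either terminates or passes the session through.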


[squid-users] intercepting tcp/443 purely for logging purposes

2016-03-20 Thread Jason Haar
Hi there

I'm wanting to use tls intercept to just log (well OK, and potentially
block) HTTPS sites based on hostnames (from SNI), but have had problems
even in peek-and-splice mode. So I'm willing to compromise and instead just
intercept that traffic, log it, block on IP addresses if need be, and don't
use ssl-bump beyond that.

So far the following seems to work perfectly, can someone confirm this is
"supported" - ie that I'm not relying on some bug that might get fixed
later? ;-)

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https
acl BlacklistedHTTPSsites dstdomain
"/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites

The "bug" comment comes down to how acl seems to work. I half-expected the
above not to work - but it does. It would appear squid will treat an
intercept's dst IP as the "dns name" as that's all it's got - so
"dstdomain" works fine for both CONNECT and intercept IFF the acl contains
IP addresses

I was hoping I wouldn't need ssl-bump at all, but you need squid to be
running a https_port, and for it to support "intercept", and to do that
squid insists on "ssl-bump" too - although that seems likely was a
programmer assumption that didn't include people like me doing mad things
like this? :-). I'd also guess I don't need 32 children/etc - 1 would
suffice as it's never used?

So the end result is that all CONNECT and/or intercept SSL/TLS traffic is
supported via the proxy, with all TLS security decisions residing on the
client. I get my logs, and if I want to block some known bad IP address, I
can: CONNECT causes a 403 HTTP error page and intercept basically ditches
the tcp/443 connection - which is as good as it gets without getting into
the wonderful world of real "bump"

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1