Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread Matus UHLAR - fantomas

On 11.01.17 11:37, FredB wrote:

> I'm searching a way to exclude a user (account) or an IP from my LAN.
> I can exclude a destination domain from decryption with SSL_bump

simply define an ACL and deny bumping it.

> but not all requests from a specific source

what do you mean here?

> , maybe because I'm using x-forwarded ?

x-forwarded-for has nothing to do with this

Maybe you should rephrase the question so we understand you better.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 
___

squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread FredB

> but not all requests from a specific source

> what do you mean here?

I mean no ssl-bump at all for a specific user, no matter the destination.
I tried some ACLs without success.

>>, maybe because I'm using x-forwarded ?

> x-forwarded-for has nothing to do with this

There is a known bug with sslbump and x-forwarded (a bug about logging); maybe there
is a relation, my "fake" address is not known or something like this.


Re: [squid-users] SSL_bump and source IP

2017-01-11 Thread Amos Jeffries
On 12/01/2017 1:04 a.m., FredB wrote:
> 
>> but not all requests from a specific source
> 
>> what do you mean here?
> 
> I mean no ssl-bump at all for a specific user, no matter the destinations
> I tried some acl without success

At the time of bumping Squid has no idea what a "user" is and things
like the X-Forwarded-For are probably also unknown/unavailable.

All you can assume being known about the client is the TCP detail
(IP:port), perhaps an IDENT label or TOS marking. Though I'm not sure
of the latter two.


> 
>>> , maybe because I'm using x-forwarded ?
> 
>> x-forwarded-for has nothing to do with this
> 
> There is a known bug with sslbump and x-forwarded (bug about log) maybe there 
> is a relation, my "fake" address is not known or something like this

That bug is relevant only in the case of clients being configured to use
the proxy as a forward/explicit proxy (no intercept or tproxy). In the
other traffic types the XFF header simply does not exist, period.

Amos



Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
So how can I manage computers without my CA? (e.g. a laptop temporarily connected)
In my situation I also have some smartphones in some cases, connected to my
squids; how can I exclude them from SSLBump?
I already have some ACLs based on authentication (user azerty = with/without
some rules)

FredBb



Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
Have you considered an external_acl that will help you do this by the MAC
address, or another way like a "bypass" portal?
With a MAC address DB you can know whether the device is from one manufacturer or
another.
The hackers in your network will always find a way to bypass ssl bump
eventually since there are other ports, but it's something.
I am not sure, but if there was a way to find them by the form of the TLS hello
then I believe it would be simple enough to identify these, but I am not sure
how possible that is.
I can write a pseudo in ruby that will help to identify vendors by MAC address
based on:
https://github.com/royhills/arp-scan/blob/master/get-oui
https://github.com/joemiller/mac-to-vendor

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il




Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB
Thanks Eliezer

Unfortunately my "lan" is huge, many thousands of people, and MAC addresses are
not known.
I'm very surprised, am I alone with this? Nobody needs to exclude some users
from SSLBump?

Fredb 


Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Odhiambo Washington
I am with you on this. Unfortunately, just as a certain subject turns out
not to be easy for someone in school, so ssl_bump is for me!

On 2 February 2017 at 14:37, FredB  wrote:

> Thanks Eliezer
>
> Unfortunately my "lan" is huge, many thousands of people, and MAC
> addresses are not known
> I'm very surprised, I'm alone with this ? Nobody needs to exclude some
> users from SSLBump ?
>
> Fredb
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Marcus Kool

The terminology may be confusing:
ssl_bump         means more or less "looking at HTTPS traffic"
ssl_bump splice  means "do not bump/intercept HTTPS traffic. No fake CA certificates are used"
ssl_bump bump    means "bump/intercept HTTPS traffic and use a fake CA certificate"

So the question is not about ssl_bump but about "ssl_bump bump".
To prevent the active bump, you need an acl to splice (leave the connection alone).
Something like this:

acl tls_s1_connect  at_step SslBump1

acl tls_vip_users   fill-in-your-details

ssl_bump splice tls_vip_users    # do not peek/bump vip users
ssl_bump peek   tls_s1_connect   # peek at connections of other users
ssl_bump stare  all              # peek/stare at the server side of connections of other users
ssl_bump bump   all              # bump connections of other users

Marcus




Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread FredB

>
> acl tls_s1_connect  at_step SslBump1
>
> acl tls_vip_users   fill-in-your-details
>
> ssl_bump splice tls_vip_users    # do not peek/bump vip users
> ssl_bump peek   tls_s1_connect   # peek at connections of other users
> ssl_bump stare  all              # peek/stare at the server side of connections of other users
> ssl_bump bump   all              # bump connections of other users
>


Great, I will take a look. Are there some words about this in the wiki?


Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Eliezer Croitoru
You are not alone, but you first need to define and understand your goals in a
more technical way.
Squid can understand HTTP, TLS\SSL, IP and LAYER 2 MAC address.
If in one of these you can recognize that the client needs to be bypassed from
SSL BUMP or interception in general, you would be able to make it work.
If you have a portal that only android or mobile users can run and be
identified at, then you will need to first bump but give these specific users
the option to somehow be bypassed from being bumped at the IP or LAYER 2 level.
If you have a WIFI network you can somehow make a trick with your radius server
and usernames that will allow some clients (by IP) to be bypassed based on an
external acl helper.

What do you think?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


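Added example (not code from anyone in this thread or from the Squid project) tying Marcus's splice-before-bump ordering to the external_acl helper Eliezer suggests: since at SslBump1 Squid only knows the client IP, the helper answers OK for sources on a maintained exemption list, and the matching ACL is spliced. The helper name, its path, the option values and the exempt ranges are assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl helper answering OK for client IPs exempt from bumping.

Assumed squid.conf wiring (helper name, path and TTLs are placeholders):

  external_acl_type nobump_src ttl=300 negative_ttl=60 %SRC /usr/local/bin/nobump_helper.py
  acl tls_vip_users external nobump_src
  acl tls_s1_connect at_step SslBump1
  ssl_bump splice tls_vip_users    # exempt sources are left alone
  ssl_bump peek   tls_s1_connect
  ssl_bump stare  all
  ssl_bump bump   all
"""
import ipaddress
import sys

# Constructed sample exemption list: a guest-laptop range, a phone VLAN, one host.
EXEMPT_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.30.0.0/22"),
    ipaddress.ip_network("192.168.1.77/32"),
]


def decide(line: str, exempt=EXEMPT_SOURCES) -> str:
    """Return the Squid reply ("OK" or "ERR") for one request line carrying %SRC.

    Anything unparsable gets ERR: the ACL then does not match and the connection
    falls through to the normal peek/stare/bump rules (fail closed).
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    return "OK" if any(src in net for net in exempt) else "ERR"


def main() -> None:
    # Squid sends one request per line and waits for one reply line per request;
    # the reply must be flushed at once or Squid stalls on the helper.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```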