[squid-users] Re: HTTPS traffic in normal transparent proxy
Ok, I understand, but I thought that sslbump realizes it so that the encrypted data from the client will be decrypted and it will be encrypted before sending the request to the parent proxy (man-in-the-middle). This also should work with https, shouldn't it? Can I fix this issue for me? Security is not important, because I only use it for the market on my tablet, which needs https and has no proxy support.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTPS-traffic-in-normal-transparent-proxy-tp1033647p4657201.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: HTTPS traffic in normal transparent proxy
2012/11/2 Markus m.ferlit...@gmail.com:
> Ok, I understand, but I thought that sslbump realizes it so that the encrypted data from the client will be decrypted and it will be encrypted before sending the request to the parent proxy (man-in-the-middle). This also should work with https, shouldn't it? Can I fix this issue for me? Security is not important, because I only use it for the market on my tablet, which needs https and has no proxy support.

Well, unless you installed the cert you are using for your MITM attack as a trusted CA on your client device you'll see the warning; that's kind of the point of SSL. And with Android (and Chrome?) Google sites I think you'll see it even if you install it, since they have a whitelist of CAs for Google domains; this was AFAIK how the Iranian forged Google certs were discovered (DigiNotar).

Regards,
Eli
[squid-users] Re: HTTPS traffic in normal transparent proxy
Yes, I know, but I have the problem that no https site will be opened on the tablet or virtual machine. I can accept the untrusted certificate, but the website will not be opened. When I try to open https://outlook.com, in cache.log I see that the web browser tries to forward to http://outlook.com. Firefox detects an endless loop. Is it possible to route https requests on a transparent squid through another parent https proxy?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
> Date: Fri, 2 Nov 2012 05:13:41 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Yes, I know, but I have the problem that no https site will be opened on the tablet or virtual machine. I can accept the untrusted certificate, but the website will not be opened. When I try to open https://outlook.com, in cache.log I see that the web browser tries to forward to http://outlook.com. Firefox detects an endless loop. Is it possible to route https requests on a transparent squid through another parent https proxy?

+1, have had the same problem.
[squid-users] Re: HTTPS traffic in normal transparent proxy
Could you resolve this issue? I only tried it with Firefox on clients, but I think that IE has the same problems. I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
> Could you resolve this issue?

Na, unfortunately not. I've tried some other squid configurations and now I'm getting "Invalid URL: /". I'm currently setting up a VM with squid 3.3 (beta), will post the test results here as soon as I have them.

> I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?

If you have an answer to that question please let me know :-)

> Date: Fri, 2 Nov 2012 05:31:36 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Could you resolve this issue? I only tried it with Firefox on clients, but I think that IE has the same problems. I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Ok, here are my results:

3.1.2   - didn't manage to get SSL interception working
3.2.3   - didn't manage to get SSL interception working
3.3.0.1 - WORKS!

What I did:

    wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.0.1.tar.gz
    tar xfvz squid-3.3.0.1.tar.gz
    cd squid-3.3.0.1
    ./configure --enable-ssl --enable-ssl-crtd
    make all
    make install
    cd /usr/local/squid
    mkdir ssl_cert
    cd ssl_cert
    openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
    openssl x509 -in myCA.pem -outform DER -out myCA.der
    /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
    (plz ensure that '/usr/local/squid/var/lib/' exists)
    chown -R nobody /usr/local/squid/var/lib/ssl_db

Config (/usr/local/squid/etc/squid.conf):

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
    always_direct allow all
    ssl_bump allow all
    # the following two options are unsafe and not always necessary:
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    acl our_networks src yournetwork/cidr
    http_access allow our_networks
    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
    sslcrtd_children 5

Ensure that /usr/local/squid/var/logs/access.log and /usr/local/squid/var/logs/cache.log exist (the dirty way: touch, chmod 777).

In short: use 3.3 beta and you won't have any problems. If I had known that before, I wouldn't have had to spend 2 days with Squid 3.1.2 and 3.2.3.

> From: heinrichhirtze...@hotmail.com
> To: m.ferlit...@gmail.com; squid-users@squid-cache.org
> Date: Fri, 2 Nov 2012 13:36:42 +0100
> Subject: RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> > Could you resolve this issue?
>
> Na, unfortunately not. I've tried some other squid configurations and now I'm getting "Invalid URL: /". I'm currently setting up a VM with squid 3.3 (beta), will post the test results here as soon as I have them.
>
> > I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
>
> If you have an answer to that question please let me know :-)
>
> > Date: Fri, 2 Nov 2012 05:31:36 -0700
> > From: m.ferlit...@gmail.com
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
> >
> > Could you resolve this issue? I only tried it with Firefox on clients, but I think that IE has the same problems. I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
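The two directives that the configuration above flags as unsafe (`sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`) are exactly the ones that turn a bumping proxy from "re-signs what it verified" into "re-signs anything", because the proxy then vouches for upstream certificates it never checked. The following is an added example, not code from the thread or from the Squid project: a small linter that parses a squid.conf fragment (constructed here from the posted config), reports those two settings, and emits a hardened copy without them so Squid falls back to its normal behaviour of serving an error page on an upstream certificate error. The parsing is deliberately simple (one directive per line, `#` comments) and is an assumption about the fragments it will be fed, not a full squid.conf grammar.

```python
"""Lint a squid.conf fragment for the SSL-bump settings the thread marks as
unsafe, and emit a hardened copy. Added example; not Squid's own tooling."""
import re

# Constructed input: the squid.conf posted in the thread, line by line.
POSTED_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl our_networks src yournetwork/cidr
http_access allow our_networks
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

# directive -> (regex over its arguments, consequence for the proxy's users)
UNSAFE = {
    "sslproxy_cert_error": (
        re.compile(r"^allow\s+all$"),
        "every upstream certificate error is accepted and re-signed with the "
        "bumping CA, so clients can no longer tell a forged server from a real one",
    ),
    "sslproxy_flags": (
        re.compile(r"\bDONT_VERIFY_PEER\b"),
        "upstream server certificates are not verified at all",
    ),
}


def parse_directives(conf):
    """Yield (directive, arguments) for every non-blank, non-comment line.
    Assumes the one-directive-per-line layout used in the posted config."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip()


def is_unsafe(name, args):
    rule = UNSAFE.get(name)
    return bool(rule and rule[0].search(args))


def lint(conf):
    """Return findings as (directive, arguments, reason) tuples, in file order."""
    return [(name, args, UNSAFE[name][1])
            for name, args in parse_directives(conf) if is_unsafe(name, args)]


def harden(conf):
    """Return the config with the unsafe directives removed. Without them Squid
    keeps bumping but refuses (with its standard error page) any upstream
    connection whose certificate fails verification."""
    kept = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, _, args = line.partition(" ")
        if line and is_unsafe(name, args.strip()):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, args, reason in lint(POSTED_CONF):
        print(f"UNSAFE: {name} {args}\n        {reason}")
    print("--- hardened ---")
    print(harden(POSTED_CONF), end="")
```

A scoped rule such as `sslproxy_cert_error allow some_acl` is deliberately not flagged: accepting a known bad certificate for a named internal host is a decision, while `allow all` is the absence of one.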
[squid-users] Re: HTTPS traffic in normal transparent proxy
Cool! This was my next idea: to try another release of squid. But you don't forward the https request through another proxy!?

    cache_peer http/s proxy parent 8080 0 default..

Did you try this, or should it also work?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Nope, I don't forward the https request through another proxy. Just use the config I posted in my previous email and it should work.

> Date: Fri, 2 Nov 2012 08:39:01 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Cool! This was my next idea: to try another release of squid. But you don't forward the https request through another proxy!?
>
>     cache_peer http/s proxy parent 8080 0 default..
>
> Did you try this, or should it also work?
[squid-users] Re: HTTPS traffic in normal transparent proxy
Ok. I only have internet access via an http/s proxy. In your case the proxy server generates a new https request directly to the SSL web server, but in my case the request must be sent via the parent http/s proxy. I only enabled DNS requests for this one virtual machine so that transparent mode works. For this I wrote a DNS server which can resolve the domain name via http-proxy. ;-)
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Ah right, I see, so a different use case :-)

> Date: Fri, 2 Nov 2012 09:23:25 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Ok. I only have internet access via an http/s proxy. In your case the proxy server generates a new https request directly to the SSL web server, but in my case the request must be sent via the parent http/s proxy. I only enabled DNS requests for this one virtual machine so that transparent mode works. For this I wrote a DNS server which can resolve the domain name via http-proxy. ;-)
Re: [squid-users] add DENIED tag by redirector for easy identification in logfile
On 10/31/2012 05:07 AM, Amm wrote:
> I have a redirector which blocks certain sites. But in squid logs there is no way to indicate if the redirector blocked it.

On 10/31/2012 06:36 AM, Amm wrote:
> I suppose as of now there is no solution. But thanks again.

Hi Amm,

There is a solution, but it requires switching from a url_rewriter script to an eCAP adapter. Adapters can set annotations (name:value tags) that Squid can log via the %adapt::last_h logformat code. Adapters can even block URIs using native Squid blocking functionality with configurable error responses and content negotiation (as if http_access was denied). Adapters have access to more information and add less overhead.

However, eCAP adapters are more difficult to write and have other cons, so it is difficult to say whether you should wait for the helper interface to gain annotation support or switch to eCAP.

For more details, see
http://wiki.squid-cache.org/Features/eCAP
http://wiki.squid-cache.org/SquidFaq/ContentAdaptation

HTH,
Alex.
Re: [squid-users] add DENIED tag by redirector for easy identification in logfile
----- Original Message -----
From: Alex Rousskov rouss...@measurement-factory.com
> Hi Amm,
>
> There is a solution, but it requires switching from a url_rewriter script to an eCAP adapter. Adapters can set annotations (name:value tags) that Squid can log via the %adapt::last_h logformat code.

Thanks for the suggestion. But writing an eCAP adapter is difficult for me.

Currently I figured out a way to identify the blocks by url_redirect_program. Since the redirection is to a static page, the size of that page is the same. So squid always logs the same size and also mostly picks it up from cache, hence it also shows REFRESH_UNMODIFIED. Of course, not exactly the right way to identify.

Regards,
Amm.
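Amm's workaround above keys on two side effects of the rewrite rather than on any explicit tag: every blocked request produces a 200 of exactly the block page's size, and it is usually served from cache. The following is an added example, not code from the thread or from the Squid project, that applies that heuristic to Squid's native access.log layout (timestamp, elapsed ms, client, cache-code/status, bytes, method, URL, user, hierarchy/peer, MIME type). The log lines, the 1837-byte block page size and the `text/html` block page type are constructed for the example; a real deployment would read the size off its own block page.

```python
"""Spot probable redirector blocks in a Squid native-format access.log using
the fixed-size, served-from-cache heuristic from the thread.
Added example, not Squid's own tooling; all inputs are constructed."""
import re
from collections import Counter

# Constructed sample lines (Squid native access.log layout):
# time elapsed client cache_code/status bytes method URL user hier/peer mime
SAMPLE_LOG = """\
1351900001.100    12 192.168.1.10 TCP_REFRESH_UNMODIFIED/200 1837 GET http://ads.example.invalid/banner.gif - HIER_DIRECT/203.0.113.7 text/html
1351900002.200   340 192.168.1.11 TCP_MISS/200 54321 GET http://www.example.invalid/index.html - HIER_DIRECT/203.0.113.5 text/html
1351900003.300    11 192.168.1.10 TCP_REFRESH_UNMODIFIED/200 1837 GET http://tracker.example.invalid/pixel - HIER_DIRECT/203.0.113.7 text/html
1351900004.400    90 192.168.1.12 TCP_REFRESH_UNMODIFIED/200 1837 GET http://cdn.example.invalid/lib.js - HIER_DIRECT/203.0.113.9 application/javascript
1351900005.500    15 192.168.1.13 TCP_HIT/200 1837 GET http://www.example.invalid/logo.png - HIER_NONE/- image/png
"""

NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<cache>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Cache result codes under which the static block page would be served.
CACHED_CODES = {"TCP_REFRESH_UNMODIFIED", "TCP_HIT", "TCP_MEM_HIT"}


def parse_native(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = NATIVE_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def looks_blocked(entry, block_page_size, block_page_mime="text/html"):
    """The thread's heuristic: a 200 of exactly the block page's size, served
    from cache, with the block page's content type. The MIME check removes
    same-sized cached objects of other types, which the thread's version of
    the heuristic (size only) would count as blocks."""
    return (entry["status"] == 200
            and entry["bytes"] == block_page_size
            and entry["mime"] == block_page_mime
            and entry["cache"] in CACHED_CODES)


def find_blocked(log_text, block_page_size):
    """Return (client, requested_url) for every line that looks like a block."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_native(line)
        if entry and looks_blocked(entry, block_page_size):
            hits.append((entry["client"], entry["url"]))
    return hits


def blocks_per_client(log_text, block_page_size):
    """Count probable blocks per client address."""
    return Counter(client for client, _ in find_blocked(log_text, block_page_size))


if __name__ == "__main__":
    for client, url in find_blocked(SAMPLE_LOG, 1837):
        print(f"probable block: {client} -> {url}")
    print(blocks_per_client(SAMPLE_LOG, 1837))
```

The heuristic stays as fragile as Amm says it is: any cached `text/html` object that happens to be 1837 bytes is reported as a block, and a block page served on a cache miss is missed. That is the gap the annotation route in Alex's reply closes, since a tag set by the adapter and written through the logformat is an explicit record of the decision rather than an inference from its side effects.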