Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-20 Thread Alex Rousskov
On 5/20/20 6:02 AM, Matus UHLAR - fantomas wrote: >> On 5/19/20 9:24 AM, Matus UHLAR - fantomas wrote: >>> David, note that requiring browsers to connect to your proxy over >>> encrypted (https) connection, and then decrypting tunnels to real server >>> will >>> lower the clients' security > On

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-20 Thread Alex Rousskov
On 5/20/20 3:51 AM, David Touzeau wrote: > How to be a sponsor? There are many ways, including these two: 1. You privately find a developer (a person or an organization) and pay them for implementing the changes you need. 2. You post an RFQ to squid-dev and solicit quotes/bids from developers.

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-20 Thread Matus UHLAR - fantomas
On 18/05/20 10:15 am, David Touzeau wrote: Hi we want to use squid as * * * Secure Proxy * * * using https_port We have tested major browsers and it seems to be working well. To make it work, we need to deploy the proxy certificate on all browsers to get the secure connection running. On 19.05.20

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-20 Thread David Touzeau
Thanks for the detailed answer. How to be a sponsor (cost) of such a feature? Do you think it can be planned for 5.x? I think it should be a "future" "standard" in the same way as DNS over SSL. On 19/05/2020 at 16:46, Alex Rousskov wrote: On 18/05/20 10:15 am, David Touzeau wrote: Hi we

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Alex Rousskov
>> On 18/05/20 10:15 am, David Touzeau wrote: >>> Hi we want to use squid as * * * Secure Proxy * * * using https_port >>> We have tested major browsers and it seems to be working well. >>> >>> To make it work, we need to deploy the proxy certificate on all browsers >>> to get the secure connection

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Alex Rousskov
On 5/19/20 7:15 AM, Amos Jeffries wrote: > On 18/05/20 10:15 am, David Touzeau wrote: >> Hi we want to use squid as * * * Secure Proxy * * * using https_port >> We have tested major browsers and it seems to be working well. >> >> To make it work, we need to deploy the proxy certificate on all

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Matus UHLAR - fantomas
On 18/05/20 10:15 am, David Touzeau wrote: Hi we want to use squid as * * * Secure Proxy * * * using https_port We have tested major browsers and it seems to be working well. To make it work, we need to deploy the proxy certificate on all browsers to get the secure connection running. In this case,

Re: [squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

2020-05-19 Thread Amos Jeffries
On 18/05/20 10:15 am, David Touzeau wrote: > Hi we want to use squid as * * * Secure Proxy * * * using https_port > We have tested major browsers and it seems to be working well. > > To make it work, we need to deploy the proxy certificate on all browsers > to get the secure connection

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-12 Thread GeorgeShen
Right. That works now. Thanks. - George

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-12 Thread Amos Jeffries
On 12/12/19 11:38 am, GeorgeShen wrote: > > did a 'openssl dhparam -out dhparams.pem 4096' to generate the dhparams.pem > file, and added those into the squid.conf: > > http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem > generate-host-certificates=on

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-11 Thread GeorgeShen
did a 'openssl dhparam -out dhparams.pem 4096' to generate the dhparams.pem file, and added those into the squid.conf: http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB *options=SINGLE_DH_USE:SINGLE_ECDH_USE

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-11 Thread Amos Jeffries
On 11/12/19 4:00 pm, GeorgeShen wrote: > I'm running the latest squid from the download site, 4.9. > OK, I suspect that was related to my ^C running the process in foreground, > but I also see before that there are warning messages in the log: > 2019/12/09 19:23:12.116 kid1| WARNING: >

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-10 Thread GeorgeShen
I'm running the latest squid from the download site, 4.9. OK, I suspect that was related to my ^C running the process in foreground, but I also see before that there are warning messages in the log: 2019/12/09 19:23:12.116 kid1| WARNING: /usr/local/squid/libexec/security_file_certgen -s

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-10 Thread Alex Rousskov
On 12/9/19 12:56 PM, GeorgeShen wrote: > and at the end, it is also saying security_file_certgen crashes rapidly!!! I would ignore anything that happens _after_ you press ^C (i.e. send Squid a shutdown signal). While a shutdown should not "crash" any helpers, that is not the problem you are

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread Amos Jeffries
On 10/12/19 6:46 pm, GeorgeShen wrote: > > I'm wondering if this issue reported last year is fixed: > http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-4-security-file-certgen-helpers-crashing-td4687098.html > That question implies that you are not using the latest Squid release, or

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread GeorgeShen
I'm wondering if this issue reported last year is fixed: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-4-security-file-certgen-helpers-crashing-td4687098.html or is there a work around. thanks. - George

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread GeorgeShen
Hi Alex, this time I tried something a little different. This is the log from getting the server certs to closing the SSL with an error, and at the end it is also saying security_file_certgen crashes rapidly!!! Below is the output of the log. Thanks. - George

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-09 Thread Alex Rousskov
On 12/8/19 1:53 AM, George Sheng wrote: > From the debug I can also see the proxy connects towards the remote > server, and proxy has negotiated fine with the server. the proxy > receives 3 certificates from the server, > and verification was fine to the server. But when the proxy trying to >

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread Amos Jeffries
On 9/12/19 10:41 am, GeorgeShen wrote: > Hi Amos, > > I downloaded the 4.9 latest, and compiled with "./configure > --with-default-user=proxy --with-openssl --enable-ssl-crtd", did not redo the > openssl and proxy certificate part, started squid with 4.9, still seeing > failure. Have not debugged in

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen
The version 4.9 has the same behavior: it cannot finish negotiating with the client. I have set up two different client machines, one is macOS, the other alpine linux. I finally got the macOS wget https to work through the squid 4.9 proxy with ssl-bump. So the squid config is ok. The alpine linux,

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen
Hi Amos, I downloaded the 4.9 latest, and compiled with "./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd", did not redo the openssl and proxy certificate part, started squid with 4.9, still seeing failure. Have not debugged in detail. Quick question, when compiling for the bump

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread GeorgeShen
Hi Amos, thanks for the comments. I'll first try the later version you pointed out, 4.9, and see if I get the issues. Will report back. Thanks. - George

Re: [squid-users] Squid Proxy SSL Bump can not retrieve SSL session back to the client?

2019-12-08 Thread Amos Jeffries
On 8/12/19 7:53 pm, George Sheng wrote: > > Hi, > > I’m new to this group. I just setup a squid ver 4.5 on my ubuntu When using SSL-Bump one does need to use the latest release. Which is 4.9 now. Since this is a custom build (4.5 has never been a release in Ubuntu) you may find Squid-5 has

Re: [squid-users] Squid 4.6 "SSL routines:tls_parse_stoc_sct:bad extension"

2019-04-17 Thread Amos Jeffries
On 16/04/19 10:34 pm, Christian Schnatz wrote: > Hi Everyone, > > we’ve just updated one of our machines to squid 4.6 with openssl 1.1.1 and > ran into some strange errors when accessing *.google.com and apple app/itunes > store domains. > Has anyone else encountered the following errors and knows

Re: [squid-users] squid 4.5 , ssl bump and c-icap on google sites

2019-01-10 Thread Dmitry Melekhov
Hello! Problem was on c-icap side, my build had no br support. Thank you! 10.01.2019 14:44, Dmitry Melekhov wrote: Hello! We are testing ssl-bump with squid 4.5. Also we run c-icap with squid. What is strange here - ssl-bump works for google domains if icap is disabled, but if it

Re: [squid-users] squid 4.5 , ssl bump and c-icap on google sites

2019-01-10 Thread Amos Jeffries
On 10/01/19 11:44 pm, Dmitry Melekhov wrote: > Hello! > > > We are testing ssl-bump with squid 4.5. > With what settings? Amos

Re: [squid-users] Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/

2018-12-05 Thread info
> Hi, > > Works “well” on my squid v 4.4 (patched) “ debian 9. > > Although the site does not load well, squid does not die: > > (…) > > TCP_MISS/502 1609 GET > https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - > ORIGINAL_DST/99.84.27.102 text/html > > TCP_MISS/403 684 GET >

Re: [squid-users] Squid 4.4 + SSL bump: Squid is crashing completely opening https://www.drcleaner.com/de/dr-cleaner/

2018-12-04 Thread ziprasidone146939277
Hi, Works “well” on my squid v 4.4 (patched) “ debian 9. Although the site does not load well, squid does not die: (…) TCP_MISS/502 1609 GET https://cache.drcleaner.com/extend/home/js/jquery-2.0.0.min.js - ORIGINAL_DST/99.84.27.102 text/html TCP_MISS/403 684 GET

Re: [squid-users] Squid 4.4: SSL/certification error messages not displayed with non-english error_directory

2018-11-15 Thread Amos Jeffries
On 15/11/18 10:50 PM, i...@schroeffu.ch wrote: > > Changing the error_directory to non-english like german or italian, the > ssl bump error messages like "expired certificate" or "self signed > certificate" are not showing anymore. Browser is just displaying an > ugly error 503. But, other error

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-11-02 Thread Alex Rousskov
On 11/2/18 3:47 AM, Sid wrote: > tls_outgoing_options \ >default-ca=off \ >cafile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ >options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \ > Only issue is Squid sends: >

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-11-02 Thread Sid
Thank you Amos and Alex for great help & support so far. As per suggestions I have added lot more parameters in squid.conf for both "http" & "tls_outgoing_options" directives: http_port 3128 ssl-bump \ tls-cert=/usr/local/squid/etc/ssl_cert/myCA.pem \

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-11-01 Thread Alex Rousskov
On 10/31/18 10:55 PM, Sid wrote: > Actually in my case Server is looking for a certificate to be sent by > client; How to configure Squid to get > this certificate from client for mutual authentication? It is technically impossible to meaningfully forward a client certificate to the origin

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-11-01 Thread Amos Jeffries
On 1/11/18 5:55 PM, Sid wrote: > Thank you Alex. > >> Sounds good. Does the generated fake certificate contain the right origin > server name? > Sid: Yes, It does contain correct IP Address in Server name sent by client. > Alex asked about *name*. IP address is not part of the considerations

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-31 Thread Sid
Thank you Alex. >Sounds good. Does the generated fake certificate contain the right origin server name? Sid: Yes, It does contain correct IP Address in Server name sent by client. >Why do you expect the client to send a client certificate to Squid? In most deployments, TLS servers do not

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-31 Thread Alex Rousskov
On 10/30/18 10:59 PM, Sid wrote: > Sid: I took wireshark on Squid server (centOS 7); I took 2 wiresharks > between Client & Squid and then between Squid & Server. I can see client > being sent fake cert generated by Squid & client responds with "Client key > Exchange", "Change cipher spec",

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-30 Thread Sid
Thank you Alex for the reply. Alex: 1. Servers never send SNI. Clients usually send SNI. Squid should forward SNI it received from the client to the server, provided the client actually sent SNI. Did your client send SNI? Sid: I can see in Client Hello IP Address being sent by Client; so there

Re: [squid-users] Squid 4.3: SSL Bump fails to send client certificate

2018-10-30 Thread Alex Rousskov
On 10/30/18 2:36 AM, Sid wrote: > http_port 3128 ssl-bump \ > cert=/usr/local/squid/etc/ssl_cert/myCA.pem \ > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > ssl_bump peek step1 > ssl_bump bump all > Browser & HTTP UA Client connections are working with SSL bump

Re: [squid-users] SQUID Proxy - SSL Certificate error

2018-10-21 Thread Amos Jeffries
On 18/10/18 3:49 PM, Amos Jeffries wrote: > On 18/10/18 2:31 AM, Vayalpadu, Vedavyas wrote: >> Hi All, >> >> We have an existing SSL certificate for a WebShop URL. It has an >> external IP Natted to a Load Balancer and has 2 reverse-squid proxies >> configured for load balancing. >> >>   >> >> Now

Re: [squid-users] SQUID Proxy - SSL Certificate error

2018-10-17 Thread Amos Jeffries
On 18/10/18 2:31 AM, Vayalpadu, Vedavyas wrote: > Hi All, > > We have an existing SSL certificate for a WebShop URL. It has an > external IP Natted to a Load Balancer and has 2 reverse-squid proxies > configured for load balancing. > >   > > Now we need to on-board a new URL with same external

Re: [squid-users] Squid and SSL Bump

2018-01-13 Thread Amos Jeffries
On 13/01/18 02:00, Yoinier Hernandez Nieves wrote: The user ynieves is a member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet” So most of your http_access lines end with group checks. That could be a problem later. Right now it's not clear which would be rejecting

Re: [squid-users] Squid and SSL Bump

2018-01-12 Thread Yoinier Hernandez Nieves
The user ynieves is a member of ad groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet” Thanks. Yoinier Hernandez Nieves. > On 11/01/2018, at 10:47 a.m., Amos Jeffries > wrote: > > On 12/01/18 03:24, Yoinier

Re: [squid-users] Squid and SSL Bump

2018-01-11 Thread Amos Jeffries
On 12/01/18 03:24, Yoinier Hernandez Nieves wrote: On 11/01/2018, at 12:46 a.m., Amos Jeffries wrote: On 11/01/18 09:33, Yoinier Hernandez Nieves wrote: I tried to connect directly to the proxy, and this is the result 1515616366.189 1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT

Re: [squid-users] Squid and SSL Bump

2018-01-11 Thread Yoinier Hernandez Nieves
> On 11/01/2018, at 12:46 a.m., Amos Jeffries > wrote: > > On 11/01/18 09:33, Yoinier Hernandez Nieves wrote: >> I tried to connect directly to the proxy, and this is the result >> 1515616366.189 1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT >> www.ssllabs.com:443

Re: [squid-users] Squid and SSL Bump

2018-01-10 Thread Amos Jeffries
On 11/01/18 09:33, Yoinier Hernandez Nieves wrote: I tried to connect directly to the proxy, and this is the result 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 - 1515616366.207      0 aaa.aaa.aaa.aaa

Re: [squid-users] Squid and SSL Bump

2018-01-10 Thread Yoinier Hernandez Nieves
> On 10/01/2018, at 8:47 a.m., Amos Jeffries wrote: > > On 10/01/18 10:56, Yoinier Hernandez Nieves wrote: >> I answer inline. >>> On 9/01/2018, at 4:27 p.m., Antony Stone wrote: >>> >>> On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves

Re: [squid-users] Squid and SSL Bump

2018-01-10 Thread Amos Jeffries
On 10/01/18 10:56, Yoinier Hernandez Nieves wrote: I answer inline. On 9/01/2018, at 4:27 p.m., Antony Stone wrote: On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote: I am trying to configure squid 3.5 on CentOS 7 with sslBump. But I have some problems, the first:

Re: [squid-users] Squid and SSL Bump

2018-01-09 Thread Yoinier Hernandez Nieves
I answer inline. > On 9/01/2018, at 4:27 p.m., Antony Stone > wrote: > > On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote: > >> I am trying to configure squid 3.5 on CentOS 7 with sslBump. >> >> But I have some problems, the first: >>

Re: [squid-users] Squid and SSL Bump

2018-01-09 Thread Antony Stone
On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote: > I am trying to configure squid 3.5 on CentOS 7 with sslBump. > > But I have some problems, the first: > > Some HTTPS sites I can't access, because squid says I am not > authenticated. And other sites, yes, I can access. Please

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-11 Thread Jason Chiu
I reconfigured, adding " --with-nat-devpf " (squid-3.5.24 on FreeBSD 9.1). This issue *has been resolved*, thanks to Amos Jeffries. The following are my squid version and configure options. Squid Cache: Version 3.5.24-20170331-r14150 Service Name: squid configure options: '--prefix=/usr/local/squid'

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
test case 1 : - I changed my squid setting (don't use intercept mode) http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB then client Web Browser set proxy to 192.168.95.81:3129

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
I also tested the following cases test case 1: add the following settings in squid.conf acl bumpedPorts myportname 3129 http_access allow CONNECT bumpedPorts test results: ssl bump failed 1. access.log has no record 2. web browser keeps waiting, no response

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Alex Rousskov
On 06/07/2017 03:37 AM, Jason Chiu wrote: > 1495699856.074 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 > *Need to adjust which part of the settings?* If that connection is really trying to connect to 127.0.0.1:3129 from Squid point of view, then your interception setup is

Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I also tested the following cases test case 1: add the following settings in squid.conf acl bumpedPorts myportname 3129 http_access allow CONNECT bumpedPorts test results: ssl bump failed 1. access.log has no record 2. web browser keeps waiting, no response

Re: [squid-users] Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG

2017-03-04 Thread C. L. Martinez
On Sat, Mar 04, 2017 at 04:21:19AM +0600, Yuri Voinov wrote: > > > 04.03.2017 3:29, C. L. Martinez wrote: > > Hi all, > > > > After installing Squid 3.5.24 in my Debian testing (many thanks Amos for > > your help), I am trying to configure Squid as https intercept proxy. My > > config

Re: [squid-users] Squid with SSL-Bump on Debian testing: SSL_ERROR_RX_RECORD_TOO_LONG

2017-03-03 Thread Yuri Voinov
04.03.2017 3:29, C. L. Martinez wrote: > Hi all, > > After installing Squid 3.5.24 in my Debian testing (many thanks Amos for > your help), I am trying to configure Squid as https intercept proxy. My > config actually is: > > http_port 127.0.0.1:8080 > http_port 127.0.0.1:8081 intercept >

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-12-14 Thread FredB
If really needed, there is a patch here http://bugs.squid-cache.org/show_bug.cgi?id=3792 But as Amos said, this patch is incomplete: the CONNECT XFF header contents should also be added to the bumped request. Fred

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-11-30 Thread FredB
> > I have the same issue and racked my brain trying to find a solution. > Now, I > see there is no solution for this yet. > > I would appreciate so much if this feature were made available in the > future. > > Eduardo Carneiro > > Yes http://bugs.squid-cache.org/show_bug.cgi?id=4607

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-11-29 Thread Eduardo Carneiro
Amos Jeffries wrote >>> >> >> >> Ok thank you, there is a plan to add this ? Without identification we are >> in the fog all bumped requests are only recorded with 127.0.0.1 >> > > Eventually, yes. I'm not aware of anyone actually working on it at > present though. > > Amos > >

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-09-15 Thread Amos Jeffries
On 15/09/2016 10:54 p.m., FredB wrote: > >> >> Above are bumped requests sent inside the tunnel. Proxy #1 did not >> interact with them, so it has no way to add XFF headers. >> >> The SSL-Bump logic does not yet store some things like indirect >> client >> IP and associate them with the bumped

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-09-15 Thread FredB
> > Above are bumped requests sent inside the tunnel. Proxy #1 did not > interact with them, so it has no way to add XFF headers. > > The SSL-Bump logic does not yet store some things like indirect > client > IP and associate them with the bumped requests. > > Amos > Ok thank you, there is

Re: [squid-users] Squid 3.5.21 ssl bump and x-forward

2016-09-15 Thread Amos Jeffries
On 15/09/2016 8:53 p.m., FredB wrote: > Hello, > > I'm testing SSlBump and it works good, however I'm seeing something strange > with two proxies and x-forwarded enabled to the first, some requests are > written with the first proxy address. > > user -> squid (fowarded_for on) -> squid

Re: [squid-users] Squid Proxy SSL Bump Certificates

2016-06-30 Thread Antony Stone
On Thursday 30 June 2016 at 10:53:57, i...@comunicacionesman.com wrote: > What I'm trying to do now is to use an external certificate from a > trusted certificate authority (in this case I'm using a free SSL > certificate from comodo), but I can't see my certificate in the > certificates list

Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread admin
Thanks for the answer, Alex! Alex Rousskov wrote 2016-05-17 00:24: > When access is prohibited via http_access deny, Squid needs to send an > "Access Denied" error response to the user (this is how http_access > works). To send that error to the user, Squid needs to establish a > secure connection

Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread Alex Rousskov
On 05/16/2016 04:47 AM, admin wrote: >>> acl blocked_https ssl::server_name "/etc/squid/urls/block-url" >>> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 >>> connection-auth=off cert=/etc/squid/squidCA.pem >>> acl step1 at_step SslBump1 >>> ssl_bump peek step1 >>> ssl_bump

Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread admin
Amos Jeffries wrote 2016-05-16 13:34: > Please upgrade to 3.5.19. Upgrade to 3.5.19 >> acl blocked_https ssl::server_name "/etc/squid/urls/block-url" >> https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 >> connection-auth=off cert=/etc/squid/squidCA.pem >> acl step1 at_step

Re: [squid-users] Squid 3.5.17 SSL-Bump Step1

2016-05-16 Thread Amos Jeffries
On 16/05/2016 5:48 p.m., admin wrote: > Hi! > > Squid 3.5.17 with SSL, intercept. Please upgrade to 3.5.19. > > I use SSL-Bump only step1 that gets SNI and terminates HTTPS sites by > domain name. The certificate is not replaced! The certificate is never replaced. Though if you don't know how

Re: [squid-users] squid 3.4.8 ssl-bump resolve ip in access.log

2015-12-01 Thread Amos Jeffries
On 2/12/2015 12:40 a.m., LANGLOIS Nicolas wrote: > Hi, I'm trying to set up squid 3.4.8 on debian, I want a fully transparent > proxy, no conf on client side. That is not what "fully transparent" means. The best form of transparent proxy is when clients are auto-configured with explicit-proxy

Re: [squid-users] squid 3.4.8 ssl-bump resolve ip in access.log

2015-12-01 Thread LANGLOIS Nicolas
...@lists.squid-cache.org] On behalf of Amos Jeffries Sent: Tuesday 1 December 2015 13:18 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] squid 3.4.8 ssl-bump resolve ip in access.log On 2/12/2015 12:40 a.m., LANGLOIS Nicolas wrote: > Hi, I'm trying to set up squid 3.

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:31 a.m., luizcasey wrote: > > > Hello, So what I am trying to accomplish here is to basically have a > whitelist of domains that is allowed via http/https. What you have actually configured is a whitelist with MUCH narrower criteria than that. > If the UID is > squid,apache,

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Yuri Voinov
BTW - you omit many important settings from squid.conf.default. Your configuration is so dangerous. 22.10.15 20:01, luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Amos Jeffries
On 23/10/2015 3:01 a.m., luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not start. I have also added some questions to each for > verification purposes to make sure I am understanding what is actually going > on. > >

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread luizcasey
Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on. https_port 4827 intercept ssl-bump generate-host-certificates=on

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-21 Thread Yuri Voinov
First, you should put your configuration in order. 22.10.15 0:31, luizca...@gmail.com wrote: > Hello, > So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid,apache, or

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov
this I am open for suggestion. This configuration minus the peek/splice part works fine in 3.4.2. Not sure what changed in > 3.5 that causes this to fail. > > >> Date: Thu, 22 Oct 2015 00:59:36 +0600 >> From: Yuri Voinov <yvoi...@gmail.com> >> To: squid-users@lists.squ

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov
Show a piece of the allowed_domains file. 22.10.15 2:29, luizca...@gmail.com wrote: > Could you suggest a configuration that you think should be working? I would > like both HTTP/HTTPS domains whitelisted via file all other domains blocked. What am

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
squid-cache.org > Subject: Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains > issue > Message-ID: <5627e098.1000...@gmail.com> > Content-Type: text/plain; charset="utf-8" > > Firs

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Could you suggest a configuration that you think should be working? I would like both HTTP/HTTPS domains whitelisted via file, all other domains blocked. What am I missing? My assumption here is the acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" part is not

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
There really isn’t anything in there right now since I am testing. /etc/squid/git_allowed_domains/allowed_domains: .facebook.com .cnn.com

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov
Working config snippet for 3.5.x looks like this: acl get_sni_at_step1 at_step SslBump1 ssl_bump peek get_sni_at_step1 acl spliced_hosts ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump" ssl_bump splice spliced_hosts ssl_bump bump

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Alex Rousskov
On 10/21/2015 02:49 PM, Yuri Voinov wrote: > Working config snippet for 3.5.x looks like this: > > ssl_bump peek get_sni_at_step1 > ssl_bump splice spliced_hosts > ssl_bump bump net_bump The above config leaves the following question unanswered: Q: What happens if neither spliced_hosts nor

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Alex, so what do you recommend doing here? I just need a simple whitelist file for both http/https. I have a config that works on 3.4 but would like to upgrade to 3.5, and the current config we have won't cut it. Just need a simple: if you are in this list, allow; if not, deny. No need for any ssl

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-08 Thread Chris Bennett
Hi Jason, If you think the external acl method is too expensive to run, how do you expect to feed this NIDS data back into squid? I think you'd find you'd need an external acl check to do that bit anyway :-) I should have been clearer - my use of the term feedback loop was meant to imply that

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-07 Thread Jason Haar
On 08/01/15 18:41, Chris Bennett wrote: Interesting thread so far. Has anyone thought of using Bro-IDS as a feedback loop for some of this advanced logic for bypassing bumping? The external acl method mentioned earlier probably out-does using some NIDS feedback loop. In my testing it causes

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-06 Thread Jason Haar
On 06/01/15 05:28, Eliezer Croitoru wrote: In 3.5 there will be a new feature called peek and splice that can give an interface to squid and the admin which will allow the admin to know a couple of things about the connection from squid, and specifically first the client TLS request.

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Yuri Voinov
Sounds good, but the server world does not end on Linux. ;) Other *NIX systems exist now, and will exist further. Also, I have an idea, gents. Can we easily and quickly detect SSL-pinned destinations? And remember them, for example, in a database?

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread James Harper
On 01/01/15 00:11, James Harper wrote: The helper connects to the IP:port and tries to obtain the certificate, and then caches the result (in an sqlite database). If it can't do so within a fairly short time it returns failure (but keeps trying a bit longer and caches it for next time).

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Marcus Kool
Much of the discussion so far has been about bumping traffic on port 443, bumping SSL-encapsulated HTTP traffic and not bumping (allowing) other traffic. Since port 443 is used for many protocols, it is in many cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443 are common,

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Marcus Kool
On 01/05/2015 11:11 AM, Yuri Voinov wrote: And also: don't forget about bogus homebrew internet-bankings, which use bogus SSL certs with bogus GOST implementations. And bogus Java-based clients. All of them also use port 443. And often HTTPS

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Yuri Voinov
I think non-HTTP/HTTPS security issues are never ever a Squid function. Squid is not an all-in-one security solution. It's only an HTTP proxy. For other security breaches (i.e. SSH tunnels, various browser tunnel-related plugins, Tor, etc.) we have

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Douglas Davenport
Marcus, not to distract from the very important main points being discussed here but I have to question your last line: i.e. there is not yet an interface for this type of traffic inspection. Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or do you just mean that

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Yuri Voinov
Wait a minute, gents. What about ICAP? What did I skip? 05.01.2015 20:38, Douglas Davenport writes: Marcus, not to distract from the very important main points being discussed here but I have to question your last line: i.e. there is not yet an

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Eliezer Croitoru
On 01/05/2015 05:18 PM, Yuri Voinov wrote: We aren't filtering non-HTTP over port 443. Just recognize and pass. So let's separate security, which is one of the goals of squid and which some like and others don't. For now squid 3.4 is stable and 3.5

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Yuri Voinov
Agreed. I'm an expert on shell, not Perl/Python. :) But I will try to make something useful with it. 05.01.2015 22:28, Eliezer Croitoru writes: On 01/05/2015 05:18 PM, Yuri Voinov wrote: We aren't filtering non-HTTP over port 443. Just recognize and

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Marcus Kool
On 01/05/2015 12:38 PM, Douglas Davenport wrote: Marcus, not to distract from the very important main points being discussed here but I have to question your last line: i.e. there is not yet an interface for this type of traffic inspection. Is that not the whole point of Squid's ICAP

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-05 Thread Yuri Voinov
We aren't filtering non-HTTP over port 443. Just recognize and pass. 05.01.2015 21:15, Marcus Kool writes: On 01/05/2015 12:38 PM, Douglas Davenport wrote: Marcus, not to distract from the very important main points being discussed here but I

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-04 Thread Yuri Voinov
To return to Earth: I think a good idea is built-in (maybe in ssl_crtd?) functionality to check a port 443 connection for "Is there HTTPS inside?" and if not, do not bump by default. This is so simple and fast, isn't it? And we can have some config option

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-04 Thread Douglas Davenport
Seems to me it would be more useful as an external ACL so that a decision could be made based on other factors, e.g. src or dstdomain, whether to deny or allow the un-bumpable connection. On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov yvoi...@gmail.com wrote:

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-04 Thread Jason Haar
On 05/01/15 15:44, Eliezer Croitoru wrote: A squid helper is nice but... a NFQUEUE helper that can verify if to FORWARD or BUMP the connection would be a better suited solution to my opinion. Not sure if you're ignoring the ssl-peek work, but squid still needs to be able to peek in order for

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-04 Thread Eliezer Croitoru
Hey Thread (Jason, Yuri, Douglas...), there are a couple of aspects about SSL and connections in general, and as we talk about the SSL port I first would like to put a couple of things on the table. * Squid is an HTTP caching proxy and therefore every feature

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

2015-01-03 Thread Jason Haar
On 01/01/15 00:11, James Harper wrote: The helper connects to the IP:port and tries to obtain the certificate, and then caches the result (in an sqlite database). If it can't do so within a fairly short time it returns failure (but keeps trying a bit longer and caches it for next time).
