Hi,

Below is my squid configuration.

Squid: 3.5.13
OS: ubuntu 14.04

    http_port 3128
    http_port 3127 intercept
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
    always_direct allow all
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump terminate blocked
    ssl_bump splice all
    sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
    sslcrtd_children 16 startup=1 idle=1
    sslproxy_capath /etc/ssl/certs
    sslproxy_cert_error allow all
    ssl_unclean_shutdown on

I want to block facebook.com, so I have added the url in the .txt file. It's not blocking anything. Please let me know what I have to change in this configuration. I am getting the below logs in squid:

    1463478160.585 551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478160.585 550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478161.147 562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478161.147 561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478163.982 553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478163.982 552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478163.994 565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478163.994 564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
    1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
    1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
    1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
    1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
    1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
    1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
    1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
    1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
    1463478224.432 33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
    1463478231.727 555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478231.727 555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478232.311 572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
    1463478232.311 571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
    1463478246.369 13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
    1463478246.369 13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
    1463478246.369 13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
    1463478246.369 13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
    1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
    1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
    1463478327.555 41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html

On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> > Hi Amos/Yuri,
> >
> > Currently my squid is configured with ssl bump, now I want to use peek
> > and splice. I read in some forum that we don't need to install a
> > certificate on the client's machine.
> >
>
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
>
> >
> > As I have already asked before in the mailing list, installing an SSL
> > certificate on Android devices is not working.
> >
> > So my question is: if I want to use peek and splice, for example I want
> > https filtering for
>
> ... on how you define "filter".
>
> > proxy websites
>
> Not sure what you mean by that term.
>
> > and I don't want ssl for bank websites and facebook, youtube and gmail,
> > how will it work? Do I need to install an SSL certificate on the client
> > or not? I am a bit confused with the peek and splice thing.
>
> When you intercept port 443 normally only the raw-IP is available from
> TCP. Peek allows Squid to get the server name the client was trying to
> connect to out of the TLS. So that Squid can handle the intercepted
> connection as if it had received a CONNECT message (which usually have
> server/domain names).
>
> Splicing can be thought of as handling an intercepted port 443 connection
> as if it were a CONNECT message, with no decryption. It is treated as a
> single "thing", with some limited control possibilities.
>
> So...
>
> In order to bump (decrypt) some traffic and splice (not decrypt) other
> traffic you need to have a way to decide which type is being dealt with.
> That is the peek or stare actions - to get data out of the TLS handshake
> for you to use in ACL decisions.
>
> You might now want to re-read the SslPeekAndSplice documentation again
> to see if you understand it better. I skipped a lot of important details
> to make the description clear.
>
> >
> > Please let me know: is it possible to configure squid 3.5.19 in such a
> > way that it will bump only proxy websites, not FB, youtube etc.?
> >
>
> Ah. So what are these "proxy websites" you speak of ?
>
> One thing you need to be clear about is that once the TCP packets enter
> Squid they *have* to be "proxied". There is no way to undo TCP accept()
> and read() operations. But there are many ways of handling them that
> Squid can do.
>
> PS. you could post your existing config so we can suggest alterations to
> it that will lead to it doing your new policy. That can be another way
> to learn how the relevant-to-you part of the features work without
> diving into the full complexity of what *might* be doable.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
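As an added example (not code from the thread or from the Squid project): a small Python audit that parses the CONNECT lines of an access.log like the one in the post and checks each host against a ssl::server_name list using Squid's dstdomain-style rule, where an entry with a leading dot matches the domain and all its subdomains and an entry without one matches that exact name only. The sample log lines are copied from the post and the block-list entries are constructed; it shows why a list containing only "facebook.com" never matches the spliced graph.facebook.com connection.

```python
"""Audit Squid 3.5 access.log CONNECT lines against a ssl::server_name
block list (added example).  Matching is dstdomain-style: ".example.com"
matches example.com and every subdomain, "example.com" the exact name."""
import re

# Constructed sample: four CONNECT lines taken from the log in the post.
SAMPLE_LOG = """\
1463478160.585 551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478160.585 550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
"""

# fields: timestamp, elapsed ms, client, TAG/status, bytes, method, host:port ...
CONNECT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<tag>[A-Z_]+)/(?P<status>\d+)"
    r"\s+\d+\s+CONNECT\s+(?P<host>[^:/\s]+):(?P<port>\d+)\s")


def server_name_match(host, entry):
    """True if host matches one block-list entry (dstdomain-style rule)."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def classify(line):
    """Return {host, outcome} for a CONNECT line, None for any other line."""
    m = CONNECT_RE.match(line)
    if not m:
        return None
    if m.group("tag") == "TCP_TUNNEL":
        outcome = "spliced"        # relayed to the origin without decryption
    elif m.group("status") == "503":
        outcome = "terminated"     # no tunnel was built, client got an error
    else:
        outcome = "other"          # e.g. the raw-IP CONNECT logged at step1
    return {"host": m.group("host"), "outcome": outcome}


def audit(log_text, blocklist):
    """Per CONNECT host: what Squid did, and which list entries would match it."""
    report = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        rec["matched_by"] = [e for e in blocklist if server_name_match(rec["host"], e)]
        report.append(rec)
    return report
```

A host that was "spliced" with an empty matched_by list is one the list was meant to cover but cannot match as written; the raw-IP CONNECT lines can never match a hostname entry at all.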