I use this configuration to solve my problem. With this configuration, at the first step I use the bump action for sites that I want to block and show the ACCESS_DENIED page, then splice all other requests!! My problem in this config is that when my clients want to see blocked pages they first see an SSL warning in their browser, then after clicking on the exception they see the ACCESS_DENIED page!!

..........
acl blk ssl::server_name "/var/blkfiles/url.txt"
http_access deny blk
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump blk
ssl_bump splice all
On Wednesday, February 13, 2019, 9:55:06 AM GMT+3:30, squid-users-requ...@lists.squid-cache.org <squid-users-requ...@lists.squid-cache.org> wrote:

Today's Topics:

   1. ssl-bump does not redirect to block page (leomessi...@yahoo.com)
   2. Re: ssl-bump does not redirect to block page (Alex Rousskov)
   3. Pass ip to server (erdosain9)
   4. Re: Pass ip to server (Joey Officer)
   5. Re: Filering HTTPS URLs - A complete configuration (Alex Rousskov)
   6. Re: ssl-bump does not redirect to block page (leomessi...@yahoo.com)

----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Feb 2019 14:21:34 +0000 (UTC)
From: "leomessi...@yahoo.com" <leomessi...@yahoo.com>
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ssl-bump does not redirect to block page
Message-ID: <1479917107.2282419.1549981294...@mail.yahoo.com>

Hi again
Do I have to use CA and Certificate configuration if I want to block only HTTPS requests with splice action?!

https_port 3130 tproxy ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

------------------------------

Message: 2
Date: Tue, 12 Feb 2019 08:04:08 -0700
From: Alex Rousskov <rouss...@measurement-factory.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID: <024a80a6-6b15-e9d8-06f9-b9645fbb3...@measurement-factory.com>

On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote:
> Do I have to use CA and Certificate configuration if I want to block
> only HTTPS requests with splice action?!

IIRC, you currently need a CA certificate if you want to use SslBump, regardless of the SslBump actions in use. In some ways, this is a limitation of the current SslBump implementation rather than a natural requirement, but the CA certificate is needed when Squid reports an error to the client because Squid has to bump the client connection to report errors.

If you do not care what happens when handling errors, then you probably do not need to configure dynamic certificate generation. I have not tested that, but I assume that, when reporting errors in that case, Squid will silently revert to using the old code that generates self-signed certificates (and the client will not trust them).

Please note that it is not clear what you mean by "to block with splice action" -- splice does not block anything. If you are blocking requests using http_access rules, then Squid is probably using an (implicit) bump action to report blocking to the client, as discussed above. Blocking is an example of errors that may happen even when you do not explicitly bump any requests.

Alex.
> https_port 3130 tproxy ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

------------------------------

Message: 3
Date: Tue, 12 Feb 2019 09:14:45 -0600 (CST)
From: erdosain9 <erdosa...@gmail.com>
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Pass ip to server
Message-ID: <1549984485300-0.p...@n4.nabble.com>

Hi. I want to know if it is possible that, for some site (sales.mydomain.com), the proxy server sends the "real ip". Because I want to see in the logs of sales.mydomain.com the real ip of the machine that is going there (and not the proxy ip). I know that I can see this in the log of squid... but I want to know if it is possible to see this in the other server. Thanks to all.

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

------------------------------

Message: 4
Date: Tue, 12 Feb 2019 16:49:58 +0000
From: Joey Officer <joffi...@istreamfs.com>
To: erdosain9 <erdosa...@gmail.com>, "squid-users@lists.squid-cache.org" <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] Pass ip to server
Message-ID: <dm5pr19mb1579c05fd36c83ff2d018df8cd...@dm5pr19mb1579.namprd19.prod.outlook.com>

I believe the option you are referring to is the 'forwarded_for' http header. Reference this: http://www.squid-cache.org/Doc/config/forwarded_for/

Hope that helps you.

------------------------------

Message: 5
Date: Tue, 12 Feb 2019 14:48:51 -0700
From: Alex Rousskov <rouss...@measurement-factory.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Filering HTTPS URLs - A complete configuration
Message-ID: <ed3096f0-fff0-2f8b-ddc5-e89cdbf92...@measurement-factory.com>

On 2/11/19 3:55 AM, Paul Doignon wrote:
>> The closest you are going to get to the above is with:
>> * bump everything[1], and
>> * use http_access to check the https:// URLs for your policy
>> * use "deny_info TCP_RESET" [2] on the blocked requests.
>>
>> [1] some things literally cannot be bumped. So a decision needs to be
>> made about what to do then.

> I guess adding this second line will terminate those un-bumpable requests?

No, that second ssl_bump line has no effect -- it will never be reached. You are probably misinterpreting what was meant by "literally cannot be bumped". What was meant by that phrase was that bumping certain connections always results in client and/or server errors, regardless of how you configure Squid. In those cases, Squid will still perform the bump action if you tell it to bump, but that action will not lead to a functioning tunnel through Squid.

In general, Squid itself cannot predict which connections can be successfully bumped. You have to tell it (using ACLs, like the whitelisted ACL in the example below).
> ssl_bump bump all
> ssl_bump terminate all

The first line emulates client-first bumping. That is not what you want. To bump all connections, you could use something like this:

  ssl_bump stare all
  ssl_bump bump all

To bump all connections except whitelisted ones, you probably want something like this:

  ssl_bump splice whitelisted
  ssl_bump stare all
  ssl_bump bump all

... where whitelisted is your ACL implementing your white listing policy (i.e. matching TLS connections that should be spliced). It may use ssl::server_name and probably other ACLs.

More details at https://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.

------------------------------

Message: 6
Date: Wed, 13 Feb 2019 06:22:43 +0000 (UTC)
From: "leomessi...@yahoo.com" <leomessi...@yahoo.com>
To: <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID: <974828205.84661.1550038963...@mail.yahoo.com>

>> aka the 'bump' action.
> This part is misleading: Modern Squids _automatically_ bump connections
> to report [access denied] errors -- no explicit bump action is required
> (or even desirable). I do not know whether
> * that bumping does not happen for leo (e.g., due to Squid bugs), or
> * it does happen, but the browser refuses to show the error page anyway
>   (because of certificate pinning and/or because Squid did not have enough
>   information to properly bump the client connection using just step1
>   knowledge).
> A packet capture or an ALL,2 cache.log may distinguish those two cases.
> Alex.

Hi Alex
Actually I don't understand if it could be done or not!! Amos said it is impossible, you said no!! Can you show me the correct configuration for blocking HTTPS requests with showing an access denied page to clients?!

------------------------------

End of squid-users Digest, Vol 54, Issue 24
*******************************************
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
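Alex's point in Messages 2 and 6 explains the symptom leo describes at the top: to deliver the ACCESS_DENIED page Squid has to bump the client connection, so the browser is shown a certificate minted under Squid's CA for the blocked hostname and warns unless that CA is in the client's trust store. The Go program below is an added illustration, not code from Squid or from anyone in this thread: it mints a constructed stand-in for myCA.pem and a per-host leaf the way security_file_certgen would, then runs the browser-side chain check with and without the CA installed (the CA name and the blocked.example host are constructed).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintPair stands in for Squid's signing CA (myCA.pem in the thread) and the per-host leaf
// security_file_certgen mints when Squid bumps a connection to deliver an error page. Constructed.
func mintPair(host string) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed squid CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// The leaf names the blocked host, i.e. the SNI Squid learned at SslBump1 (the peek step).
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// clientTrusts is the browser-side check on the bumped connection: chain the presented leaf to
// the client's installed roots. No roots models a client without myCA.pem: the SSL warning case.
func clientTrusts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

Pointing the same Verify at the certificate a client actually receives for a blocked host (from the packet capture Alex suggests) tells a missing CA install apart from the pinning and step1-information cases he lists.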