I use this configuration to solve my problem. With this configuration, at the first
step I use the bump action for sites that I want to block and show the ACCESS_DENIED
page, then splice all other requests!! My problem in this config is that when my
clients want to see block pages they first see an SSL warning in their browser,
then after clicking on the exception they see the ACCESS_DENIED page!!

  acl blk ssl::server_name "/var/blkfiles/url.txt"
  http_access deny blk
  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump bump blk
  ssl_bump splice all

    On Wednesday, February 13, 2019, 9:55:06 AM GMT+3:30, 
squid-users-requ...@lists.squid-cache.org 
<squid-users-requ...@lists.squid-cache.org> wrote:  
 
 Send squid-users mailing list submissions to
    squid-users@lists.squid-cache.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
    squid-users-requ...@lists.squid-cache.org

You can reach the person managing the list at
    squid-users-ow...@lists.squid-cache.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."


Today's Topics:

  1. ssl-bump does not redirect to block page (leomessi...@yahoo.com)
  2. Re: ssl-bump does not redirect to block page (Alex Rousskov)
  3. Pass ip to server (erdosain9)
  4. Re: Pass ip to server (Joey Officer)
  5. Re: Filering HTTPS URLs - A complete configuration (Alex Rousskov)
  6. Re: ssl-bump does not redirect to block page
      (leomessi...@yahoo.com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Feb 2019 14:21:34 +0000 (UTC)
From: "leomessi...@yahoo.com" <leomessi...@yahoo.com>
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ssl-bump does not redirect to block page
Message-ID: <1479917107.2282419.1549981294...@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

Hi again
Do I have to use CA and Certificate configuration if I want to block
only HTTPS requests with splice action?!


https_port 3130 tproxy ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 12 Feb 2019 08:04:08 -0700
From: Alex Rousskov <rouss...@measurement-factory.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID:
    <024a80a6-6b15-e9d8-06f9-b9645fbb3...@measurement-factory.com>
Content-Type: text/plain; charset=utf-8

On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote:

> Do I have to use CA and Certificate configuration if I want to block
> only HTTPS requests with splice action?!

IIRC, you currently need a CA certificate if you want to use SslBump,
regardless of the SslBump actions in use. In some ways, this is a
limitation of the current SslBump implementation rather than a natural
requirement, but the CA certificate is needed when Squid reports an
error to the client because Squid has to bump the client connection to
report errors.

If you do not care what happens when handling errors, then you probably
do not need to configure dynamic certificate generation. I have not
tested that, but I assume that, when reporting errors in that case,
Squid will silently revert to using the old code that generates
self-signed certificates (and the client will not trust them).


Please note that it is not clear what you mean by "to block with splice
action" -- splice does not block anything. If you are blocking requests
using http_access rules, then Squid is probably using an (implicit) bump
action to report blocking to the client, as discussed above. Blocking is
an example of errors that may happen even when you do not explicitly
bump any requests.

Alex.


> https_port 3130 tproxy ssl-bump \
>   cert=/etc/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB



------------------------------

Message: 3
Date: Tue, 12 Feb 2019 09:14:45 -0600 (CST)
From: erdosain9 <erdosa...@gmail.com>
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Pass ip to server
Message-ID: <1549984485300-0.p...@n4.nabble.com>
Content-Type: text/plain; charset=us-ascii

Hi.
I want to know if it is possible that, for some site (sales.mydomain.com), the
proxy server sends the "real IP".

Because I want to see in the logs of sales.mydomain.com the real IP of the
machine that is going there (and not the proxy IP).

I know that I can see this in the log of Squid... but I want to know if it
is possible to see this on the other server.

Thanks to all.



--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html


------------------------------

Message: 4
Date: Tue, 12 Feb 2019 16:49:58 +0000
From: Joey Officer <joffi...@istreamfs.com>
To: erdosain9 <erdosa...@gmail.com>,
    "squid-users@lists.squid-cache.org"
    <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] Pass ip to server
Message-ID:
    <dm5pr19mb1579c05fd36c83ff2d018df8cd...@dm5pr19mb1579.namprd19.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

I believe the option you are referring to is the 'forwarded_for' http header.

Reference this: http://www.squid-cache.org/Doc/config/forwarded_for/

Hope that helps you.

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
erdosain9
Sent: Tuesday, February 12, 2019 9:15 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Pass ip to server

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

------------------------------

Message: 5
Date: Tue, 12 Feb 2019 14:48:51 -0700
From: Alex Rousskov <rouss...@measurement-factory.com>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Filering HTTPS URLs - A complete configuration
Message-ID:
    <ed3096f0-fff0-2f8b-ddc5-e89cdbf92...@measurement-factory.com>
Content-Type: text/plain; charset=utf-8

On 2/11/19 3:55 AM, Paul Doignon wrote:

>> The closest you are going to get to the above is with:
>> * bump everything[1], and
>> * use http_access to check the https:// URLs for your policy
>> * use "deny_info TCP_RESET" [2] on the blocked requests.
>>
>> [1] some things literally cannot be bumped. So a decision needs to be
>> made about what to do then.

> I guess adding this second line will terminate those un-bumpable requests?

No, that second ssl_bump line has no effect -- it will never be reached.

You are probably misinterpreting what was meant by "literally cannot be
bumped". What was meant by that phrase was that bumping certain
connections always results in client and/or server errors, regardless of
how you configure Squid. In those cases, Squid will still perform the
bump action if you tell it to bump, but that action will not lead to a
functioning tunnel through Squid.

In general, Squid itself cannot predict which connections can be
successfully bumped. You have to tell it (using ACLs, like the
whitelisted ACL in the example below).


> ssl_bump bump all
> ssl_bump terminate all

The first line emulates client-first bumping. That is not what you want.

To bump all connections, you could use something like this:

  ssl_bump stare all
  ssl_bump bump all

To bump all connections except whitelisted ones, you probably want
something like this:

  ssl_bump splice whitelisted
  ssl_bump stare all
  ssl_bump bump all

... where whitelisted is your ACL implementing your white listing policy
(i.e. matching TLS connections that should be spliced). It may use
ssl::server_name and probably other ACLs.

More details at https://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.
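
A squid.conf fragment that assembles the pieces discussed in this thread, added here as an example and not taken from Alex's mail or from the Squid project: the ssl_bump ordering Alex gives above, the https_port and sslcrtd_program lines from message 1, and an http_access denial that lets Squid serve the error page by bumping the client connection itself, as message 2 explains. The listening port, file paths, the nobump.txt list and the localnet range are assumptions.

```conf
# Added example (not from the thread or the Squid project). Port, file
# paths, the nobump.txt list and the localnet range are assumptions.

# Intercepting TLS listener. The CA in myCA.pem signs the per-site
# certificates Squid generates; clients must trust it, otherwise the
# ACCESS_DENIED page (which Squid delivers by bumping the connection)
# arrives behind a certificate warning.
https_port 3130 tproxy ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Connections that must never be bumped (pinned clients, banking sites),
# one server name per line. Squid cannot detect these by itself, so the
# list has to be maintained by the administrator.
acl whitelisted ssl::server_name "/etc/squid/nobump.txt"

# Server names to block, one per line, matched against the TLS SNI.
acl blk ssl::server_name "/var/blkfiles/url.txt"

# ssl_bump is evaluated afresh at each step and the first matching line
# wins, so any ssl_bump line placed after "bump all" is unreachable.
ssl_bump splice whitelisted
ssl_bump stare all
ssl_bump bump all

# Block by policy in http_access rather than with an explicit ssl_bump
# rule: a denied request makes Squid bump the client and serve
# ERR_ACCESS_DENIED, which is the page the clients should see.
acl localnet src 10.0.0.0/8
http_access deny blk
http_access allow localnet
http_access deny all

# Alternative mentioned earlier in the thread for a silent block
# instead of an error page:
# deny_info TCP_RESET blk
```

Run `squid -k parse` after editing to catch syntax errors before reloading. Whether the bump-for-error actually happens for a given client is best confirmed the way Alex suggests, with a packet capture or a cache.log written at debug level ALL,2.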


------------------------------

Message: 6
Date: Wed, 13 Feb 2019 06:22:43 +0000 (UTC)
From: "leomessi...@yahoo.com" <leomessi...@yahoo.com>
To: <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] ssl-bump does not redirect to block page
Message-ID: <974828205.84661.1550038963...@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

>> aka the 'bump' action.

> This part is misleading: Modern Squids _automatically_ bump connections
> to report [access denied] errors -- no explicit bump action is required
> (or even desirable). I do not know whether
>
> * that bumping does not happen for leo (e.g., due to Squid bugs), or
>
> * it does happen, but the browser refuses to show the error page anyway
> (because of certificate pinning and/or because Squid did not have enough
> information to properly bump the client connection using just step1
> knowledge).

> A packet capture or an ALL,2 cache.log may distinguish those two cases.

> Alex.

Hi Alex
Actually I don't understand if it can be done or not!!
Amos said it is impossible, you said no!!
Can you show me the correct configuration for blocking HTTPS requests while
showing the access denied page to clients?!
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<http://lists.squid-cache.org/pipermail/squid-users/attachments/20190213/d8a98891/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 54, Issue 24
*******************************************