Bump and Splice


Bump and Splice

AndyBinder
Hi, I have a question regarding the ssl-bump feature of Squid.
I have set up multiple ports for transparent mode on the loopback interface and
one explicit port on my real local interface. On the loopback interface the
parameters ssl-bump and intercept are set. On the explicit interface the
ssl-bump parameter is set. The ssl-bump is properly configured in the acl.
The problem is that I can only configure bump and splice for both (explicit and
transparent).
I would like to achieve different bumping behavior on the ports. For example,
bump on the regular interface and splice all on loopback (transparent proxy).
The bumping behavior is configured globally and I don't see a possibility to
separate it per port.

Maybe somebody has a hint for me?

Thanks, Andy


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Bump and Splice

Amos Jeffries
Administrator
On 17/02/20 10:23 pm, AndyBinder wrote:

> Hi, I have a question regarding the ssl-bump feature of Squid.
> I have set up multiple ports for transparent mode on the loopback interface and
> one explicit port on my real local interface. On the loopback interface the
> parameters ssl-bump and intercept are set. On the explicit interface the
> ssl-bump parameter is set. The ssl-bump is properly configured in the acl.
> The problem is that I can only configure bump and splice for both (explicit and
> transparent).
> I would like to achieve different bumping behavior on the ports. For example,
> bump on the regular interface and splice all on loopback (transparent proxy).
> The bumping behavior is configured globally and I don't see a possibility to
> separate it per port.
>
> Maybe somebody has a hint for me?

The myportname ACL type should work in ssl_bump directive. It matches
against the name= parameter of port directives.

Amos

Re: Bump and Splice

AndyBinder
On Monday, 17 February 2020, 10:37:20 CET, Amos Jeffries wrote:

> On 17/02/20 10:23 pm, AndyBinder wrote:
> > Hi, I have a question regarding the ssl-bump feature of Squid.
> > I have set up multiple ports for transparent mode on the loopback interface
> > and one explicit port on my real local interface. On the loopback interface the
> > parameters ssl-bump and intercept are set. On the explicit interface the
> > ssl-bump parameter is set. The ssl-bump is properly configured in the acl.
> > The problem is that I can only configure bump and splice for both
> > (explicit and transparent).
> > I would like to achieve different bumping behavior on the ports. For
> > example, bump on the regular interface and splice all on loopback (transparent proxy).
> > The bumping behavior is configured globally and I don't see a possibility
> > to separate it per port.
> >
> > Maybe somebody has a hint for me?
>
> The myportname ACL type should work in ssl_bump directive. It matches
> against the name= parameter of port directives.
>
> Amos
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

Thank you very much for your answer! But I think I am doing something wrong..
In brackets are the changes I have made.

Sample snippet from my squid.conf:

    http_port 127.0.0.1:3128 name=transparent intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
    https_port 127.0.0.1:3129 name=transparent intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

    http_port 192.168.1.1:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

    sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
    sslcrtd_children 5

    tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    acl bump_step1 at_step SslBump1
    acl bump_step2 at_step SslBump2
    acl bump_step3 at_step SslBump3
    acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
--> (acl bump_nobumpport myportname transparent)

    ssl_bump peek bump_step1 all
    ssl_bump peek bump_step2 bump_nobumpsites
--> (ssl_bump peek bump_step2 bump_nobumpport)
    ssl_bump splice bump_step3 bump_nobumpsites
--> (ssl_bump splice bump_step3 bump_nobumpport)
    ssl_bump stare bump_step2
    ssl_bump bump bump_step3

    sslproxy_cert_error deny all
...




Re: Bump and Splice

Alex Rousskov
On 2/17/20 9:56 AM, [hidden email] wrote:
> I think I am doing something wrong..

What exactly is not working now? You have not disclosed what new problem
you are facing, and Amos has given you the correct answer to your
original question.


> In brackets there are the changes i have made.
>
> Sample snippet from my squid.conf:
>
>     http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
>     https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...

I have not checked, but I would not be surprised if some Squid parts
assume (or will assume) that port name is unique. I recommend avoiding
using the same name=value for two *_ports.


>     http_port 192.168.1.1:3128  ssl-bump ...

>     tls_outgoing_options ...

>     acl bump_nobumpsites ssl::server_name ...
> --> (acl bump_nobumpport myportname transparent)
>
>     ssl_bump peek bump_step1 all
>     ssl_bump peek bump_step2 bump_nobumpsites
> --> (ssl_bump peek bump_step2 bump_nobumpport)
>     ssl_bump splice bump_step3 bump_nobumpsites
> --> (ssl_bump splice bump_step3 bump_nobumpport)
>     ssl_bump stare bump_step2
>     ssl_bump bump bump_step3

>     sslproxy_cert_error deny all

I will reorder/polish your rules slightly for clarity's sake:

  ssl_bump peek bump_step1
  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump peek bump_step2 bump_nobumpport
  ssl_bump stare bump_step2
  ssl_bump splice bump_step3 bump_nobumpsites
  ssl_bump splice bump_step3 bump_nobumpport
  ssl_bump bump bump_step3

It looks like you are trying to make a splice-or-bump decision at step3.
That is impossible because staring at step2 makes splicing (at step 3)
impossible and, similarly, peeking at step2 makes bumping (at step3)
impossible. Squid skips impossible actions (and provides step2-based
defaults) so your configuration is, essentially:

  # step1
  ssl_bump peek bump_step1

  # step2
  ssl_bump peek bump_step2 bump_nobumpport
  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump stare all

  # step3
  ssl_bump splice all
  ssl_bump bump all

In other words, you were trying to make a splice-or-bump decision at
step3, but modern Squid has to (and does) make that decision at step2.


If you are not peeking at step2 for some useful side effect, then you
can simplify further:

  # step1
  ssl_bump peek bump_step1

  # step2
  ssl_bump splice bump_step2 bump_nobumpport
  ssl_bump splice bump_step2 bump_nobumpsites
  ssl_bump stare all

  # step3
  ssl_bump bump all


Please note that since I do not know what you are trying to accomplish
and what does not work, I cannot say why the above simplified
configuration does not do what you want it to do.


HTH,

Alex.

Re: Bump and Splice

AndyBinder
On Tuesday, 18 February 2020, 19:42:30 CET, Alex Rousskov wrote:

> On 2/17/20 9:56 AM, [hidden email] wrote:
> > I think I am doing something wrong..
>
> What exactly is not working now? You have not disclosed what new problem
> you are facing, and Amos has given you the correct answer to your
> original question.
>
> > In brackets there are the changes i have made.
> >
> > Sample snippet from my squid.conf:
> >     http_port 127.0.0.1:3128 name=transparent intercept ssl-bump ..
> >     https_port 127.0.0.1:3129 name=transparent intercept ssl-bump ...
>
> I have not checked, but I would not be surprised if some Squid parts
> assume (or will assume) that port name is unique. I recommend avoiding
> using the same name=value for two *_ports.
>
> >     http_port 192.168.1.1:3128  ssl-bump ...
> >
> >     tls_outgoing_options ...
> >
> >     acl bump_nobumpsites ssl::server_name ...
> >
> > --> (acl bump_nobumpport myportname transparent)
> >
> >     ssl_bump peek bump_step1 all
> >     ssl_bump peek bump_step2 bump_nobumpsites
> >
> > --> (ssl_bump peek bump_step2 bump_nobumpport)
> >
> >     ssl_bump splice bump_step3 bump_nobumpsites
> >
> > --> (ssl_bump splice bump_step3 bump_nobumpport)
> >
> >     ssl_bump stare bump_step2
> >     ssl_bump bump bump_step3
> >
> >     sslproxy_cert_error deny all
>
> I will reorder/polish your rules slightly for clarity's sake:
>
>   ssl_bump peek bump_step1
>   ssl_bump peek bump_step2 bump_nobumpsites
>   ssl_bump peek bump_step2 bump_nobumpport
>   ssl_bump stare bump_step2
>   ssl_bump splice bump_step3 bump_nobumpsites
>   ssl_bump splice bump_step3 bump_nobumpport
>   ssl_bump bump bump_step3
>
> It looks like you are trying to make a splice-or-bump decision at step3.
> That is impossible because staring at step2 makes splicing (at step 3)
> impossible and, similarly, peeking at step2 makes bumping (at step3)
> impossible. Squid skips impossible actions (and provides step2-based
> defaults) so your configuration is, essentially:
>
>   # step1
>   ssl_bump peek bump_step1
>
>   # step2
>   ssl_bump peek bump_step2 bump_nobumpport
>   ssl_bump peek bump_step2 bump_nobumpsites
>   ssl_bump stare all
>
>   # step3
>   ssl_bump splice all
>   ssl_bump bump all
>
> In other words, you were trying to make a splice-or-bump decision at
> step3, but modern Squid has to (and does) make that decision at step2.
>
>
> If you are not peeking at step2 for some useful side effect, then you
> can simplify further:
>
>   # step1
>   ssl_bump peek bump_step1
>
>   # step2
>   ssl_bump splice bump_step2 bump_nobumpport
>   ssl_bump splice bump_step2 bump_nobumpsites
>   ssl_bump stare all
>
>   # step3
>   ssl_bump bump all
>
>
> Please note that since I do not know what you are trying to accomplish
> and what does not work, I cannot say why the above simplified
> configuration does not do what you want it to do.
>
>
> HTH,
>
> Alex.

Thank you both for your answers and explanations!

Okay, I will try to explain my original intention.

Currently I have 2 working bumping configurations (Squid 4.9):

1. Splice everything (works for blacklisting HTTP and HTTPS sites without
bumping)

ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

2. Bump everything except bump_nobumpsites

ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3

Now I try to combine both of them into one configuration and want to decide
whether to bump or splice via the name tag of the port (= acl
bump_nobumpport).

The final desired situation, in words:

Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must
be visible to match against blacklisted URLs.

@Alex: I tried your configuration examples, but the blacklisted URLs won't match
on HTTPS sites.

Thanks, Andy




Re: Bump and Splice

Amos Jeffries
Administrator
On 20/02/20 1:35 am, AndyBinder wrote:
>
> Currently I have 2 working bumping configurations (Squid 4.9):
>
> 1. Splice everything (works for blacklisting HTTP and HTTPS sites without
> bumping)
>
> ssl_bump peek bump_step1 all
> ssl_bump splice all

The following lines are unreachable. You can just erase them from the config.

PS. Also you do not need the 'all' ACL on that first line.


> ssl_bump peek bump_step2 all
> ssl_bump splice bump_step3 all
> ssl_bump bump
>
> 2. Bump everything except bump_nobumpsites
>
> ssl_bump peek bump_step1 all
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump stare bump_step2
> ssl_bump bump bump_step3
>
> Now I try to combine both of them into one configuration and want to decide
> whether to bump or splice via the name tag of the port (= acl
> bump_nobumpport).
>
> The final desired situation, in words:
>
> Bump everything except bump_nobumpsites and bump_nobumpports, but the SNI must
> be visible to match against blacklisted URLs.

How important is that word "and" in your policy statement?

The config earlier used an OR condition:

  ssl_bump peek bump_step2 bump_nobumpsites
  ssl_bump peek bump_step2 bump_nobumpport

This would be an AND condition:

  ssl_bump peek bump_step2 bump_nobumpport bump_nobumpsites


>
> @Alex: I tried your configuration examples, but the blacklisted URLs won't match
> on HTTPS sites.

If you are matching *URLs* that is the problem. Only the domain name is
available during ssl_bump checks. The URL only appears after bumping,
and only from http_access onwards.

Amos
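To make the two evaluation rules discussed in this thread concrete (Alex's point that a peek or stare at step 2 rules out bump or splice at step 3, with Squid skipping impossible actions and falling back to a step-2-based default; and Amos's points that ACLs on one ssl_bump line are AND-ed while separate lines are OR-ed, that a matching "splice all" makes later lines unreachable, and that only the server name, never the URL, is visible during ssl_bump), here is a small simulator of the ssl_bump walk. It is an added example, not Squid's code and not from anyone in the thread, and it deliberately models only the behaviour the thread describes: the three steps, first-match semantics, the peek/stare constraint on step 3, and the three ACL types the configs use (at_step, myportname, ssl::server_name). The SNI suffix ".bank.example", the port name "explicit", and the AND-form step-3 splice line are constructed stand-ins for Andy's nobumpsites.acl file and the unnamed explicit port; real Squid has more ACL types, actions and corner cases.

```python
# Toy model of Squid ssl_bump evaluation (added example, not Squid's code).
# It models only the behaviour described in this thread; real Squid has more.
from dataclasses import dataclass

STEPS = ("SslBump1", "SslBump2", "SslBump3")

@dataclass
class Conn:
    port_name: str   # name= of the http(s)_port the client hit (myportname ACL)
    sni: str = ""    # ClientHello SNI, usable from step 2 on; no URL on purpose

def acl_matches(kind: str, values: tuple, conn: Conn, step: str) -> bool:
    if kind == "all":
        return True
    if kind == "at_step":
        return step in values
    if kind == "myportname":
        return conn.port_name in values
    if kind == "ssl::server_name":
        if step == "SslBump1" or not conn.sni:
            return False  # the ClientHello is only received by the step-1 peek/stare
        return any(conn.sni == v or (v.startswith(".") and conn.sni.endswith(v))
                   for v in values)
    raise ValueError(f"unsupported ACL type {kind}")

def parse_rules(text: str) -> list:
    """'ssl_bump ACTION acl1 acl2 ...' lines -> [(action, [acl names])]."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            assert parts[0] == "ssl_bump", line
            rules.append((parts[1], parts[2:]))  # no ACLs => always matches
    return rules

def decide(rules: list, acls: dict, conn: Conn) -> list:
    """Walk the steps; returns [(step, action), ...], the last entry is final."""
    trace, step2 = [], None
    for step in STEPS:
        # Step 3: nothing left to look at, and the step-2 choice rules out splice or bump.
        impossible = ({"peek", "stare", "bump" if step2 == "peek" else "splice"}
                      if step == "SslBump3" else set())
        action = None
        for act, names in rules:
            if act in impossible:
                continue  # Squid skips impossible actions
            if all(acl_matches(*acls[n], conn, step) for n in names):  # AND on a line
                action = act  # first matching line wins (lines are OR-ed)
                break
        if action is None and step == "SslBump3":
            action = "splice" if step2 == "peek" else "bump"  # step-2-based default
        if action is None:
            raise RuntimeError(f"no ssl_bump rule matched at {step}")
        trace.append((step, action))
        if step == "SslBump2":
            step2 = action
        if action in ("splice", "bump"):
            break  # connection is spliced/bumped now; later lines never run
    return trace

ACLS = {  # constructed stand-ins for the ACL names used in the thread
    "bump_step1": ("at_step", ("SslBump1",)),
    "bump_step2": ("at_step", ("SslBump2",)),
    "bump_step3": ("at_step", ("SslBump3",)),
    "bump_nobumpsites": ("ssl::server_name", (".bank.example",)),
    "bump_nobumpport": ("myportname", ("transparent",)),
}

# Andy's combined rules as Alex reordered them: two step-2 lines act as OR.
OR_CONFIG = parse_rules("""
ssl_bump peek bump_step1
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpport
ssl_bump stare bump_step2
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpport
ssl_bump bump bump_step3""")

# Amos's AND variant: both ACLs on one line (the step-3 splice line is constructed).
AND_CONFIG = parse_rules("""
ssl_bump peek bump_step1
ssl_bump peek bump_step2 bump_nobumpport bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump splice bump_step3 bump_nobumpport bump_nobumpsites
ssl_bump bump bump_step3""")

# Peek at step 2 but ask for bump at step 3: bump is skipped, splice is the default.
PEEK_THEN_BUMP = parse_rules("""
ssl_bump peek bump_step1
ssl_bump peek bump_step2
ssl_bump bump bump_step3""")

def final_action(rules: list, conn: Conn) -> tuple:
    """(action, step) finally taken for one connection."""
    step, action = decide(rules, ACLS, conn)[-1]
    return action, step

if __name__ == "__main__":  # quick demo: one client on the transparent port
    print(decide(OR_CONFIG, ACLS, Conn("transparent", "www.shop.example")))
```

Running it shows the difference Amos asked about: with OR_CONFIG a client on the "transparent" port is spliced whatever its SNI, while with AND_CONFIG the same client is bumped unless its SNI is also on the no-bump list. PEEK_THEN_BUMP shows Alex's point: the step-3 bump line can never fire after a step-2 peek, so the connection is spliced. Because Conn carries no URL at all, a URL-based blacklist cannot be expressed as an ssl_bump ACL in this model, which matches Amos's explanation that URLs only become available to http_access after bumping.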