Cannot configure squid 4.6 to splice without bumping


Cannot configure squid 4.6 to splice without bumping

John Lowry

I've been banging my head on this one for a while. I am setting up parental controls on my network using squidguard. I have a raspberry pi running squid 4.6 and the router has a policy that sends all web traffic from my children's computers to squid.


Everything works correctly for HTTP connections but I cannot get HTTPS to stop bumping. I want to splice all HTTPS connections in order to filter with squidguard but I do not want to ever bump (because it causes browser errors in chrome for a lot of sites). 


I've tried many, many different settings and I always get traffic bumped. Here is an example:


http_port 3128 intercept
https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
...
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice step2


I've tried setting debug_options to 9 but cannot see anything useful in the logs to indicate why it is not splicing. I always just see the full set of request headers in the logs for HTTPS connections, indicating that the connection is bumped. 


One thing I did notice is that the ssl logformat options do not work. I get errors like this on restart:


FATAL: Can't parse configuration token: '%ssl::>sni'



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Cannot configure squid 4.6 to splice without bumping

Alex Rousskov
On 11/5/19 1:26 AM, John Lowry wrote:

> I've tried many, many different settings and I always get traffic
> bumped. Here is an example:

> http_port 3128 intercept 
>
> https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem
> tls-key=/etc/squid/ssl_cert/myCA.pem

The above configuration does not enable SslBump features.


> ssl_bump peek step1
> ssl_bump peek step2
> ssl_bump splice step2

These rules are poorly written (the last one will never match), but they
are unused because the port directives do not enable SslBump.

If an SSL connection is bumped (or even peeked at!) with the above
configuration, then there is a Squid bug somewhere. However, I do not
think your TLS connections are actually bumped. Please see below.


> I've tried setting debug_options to 9 but cannot see anything useful in
> the logs to indicate why it is not splicing. I always just see the full
> set of request headers in the logs for HTTPS connections, indicating
> that the connection is bumped. 

I suspect your Squid is acting as an intercepting HTTPS proxy: It
terminates all intercepted SSL connections as if they were directed at
the Squid instance itself. The end result will look similar to bumping
from an "I can see the headers" point of view.

You may be able to tell the difference by looking at certificate
details: With an HTTPS proxy, all connections will have the same leaf
myCA.pem certificate, as opposed to a mimicked origin server certificate
signed by myCA.pem. There may be other, more obvious signs, like the
details of the "Accepting..." lines that Squid reports at startup.


> One thing I did notice is that the ssl logformat options do not work. I
> get errors like this on restart:

> FATAL: Can't parse configuration token: '%ssl::>sni'

Was your Squid built with OpenSSL support? The details are
version-specific, but you can find them (and the configuration result)
using the following commands:

  ./configure --help | fgrep -5i ssl
  squid -v

Alex.
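The two problems Alex points out (the port directives never enable SslBump, and "ssl_bump splice step2" is unreachable because "ssl_bump peek step2" matches first) can both be caught by a small lint pass over squid.conf before restarting Squid. The script below is an added example and is not part of the thread or of Squid itself. It embeds the configuration posted above as constructed input, next to a corrected fragment of my own (https_port with the ssl-bump option, "peek step1" followed by "splice all") that follows the reply's hints rather than anything the thread confirms. It models only single-ACL ssl_bump rules, which is an assumption, and the two "squid -v" banners it checks for "--with-openssl" are constructed samples, not captured output.

```python
"""Lint a squid.conf fragment for the two SslBump mistakes discussed above.

Added example; not from the squid-users thread and not Squid's own code.
"""

# Constructed sample: the configuration posted in the thread.
POSTED_CONF = """\
http_port 3128 intercept
https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice step2
"""

# Constructed sample (my suggestion, not confirmed by the thread): the same
# ports with SslBump enabled, peeking at the ClientHello and splicing the rest.
FIXED_CONF = """\
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek step1
ssl_bump splice all
"""

# Constructed samples of a 'squid -v' banner; real output lists the whole
# configure line, of which only the presence of --with-openssl matters here.
SQUID_V_WITH_SSL = (
    "Squid Cache: Version 4.6\n"
    "configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'\n"
)
SQUID_V_WITHOUT_SSL = "Squid Cache: Version 4.6\nconfigure options:  '--prefix=/usr'\n"


def parse_directives(conf_text):
    """Yield (directive, [args]) for each non-empty, non-comment line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def find_ports_without_ssl_bump(conf_text):
    """Return the listen address of every https_port that intercepts (or
    tproxies) traffic without the ssl-bump option.  Such a port terminates
    TLS with Squid's own certificate instead of peeking/splicing/bumping.
    """
    found = []
    for name, args in parse_directives(conf_text):
        if name != "https_port" or not args:
            continue
        opts = set(args[1:])
        if ("intercept" in opts or "tproxy" in opts) and "ssl-bump" not in opts:
            found.append(args[0])
    return found


def find_shadowed_ssl_bump_rules(conf_text):
    """ssl_bump is first-match per step.  A rule whose ACL has already been
    used by an earlier rule, or that follows a rule on 'all', can never match.
    Assumption: each rule carries exactly one ACL name; multi-ACL rules are
    skipped rather than analysed.
    """
    seen = set()
    shadowed = []
    for name, args in parse_directives(conf_text):
        if name != "ssl_bump" or len(args) != 2:
            continue
        action, acl = args
        if acl in seen or "all" in seen:
            shadowed.append(f"ssl_bump {action} {acl}")
        seen.add(acl)
    return shadowed


def built_with_openssl(squid_v_output):
    """True if the configure options printed by 'squid -v' include OpenSSL.
    Without it, %ssl:: logformat tokens and ssl_bump are not available.
    """
    return "--with-openssl" in squid_v_output


def lint(conf_text, squid_v_output=None):
    """Collect human-readable findings for a config (and optional -v banner)."""
    findings = [f"https_port {p}: intercepting without ssl-bump; SslBump rules are ignored"
                for p in find_ports_without_ssl_bump(conf_text)]
    findings += [f"{rule}: unreachable, an earlier rule on the same step matches first"
                 for rule in find_shadowed_ssl_bump_rules(conf_text)]
    if squid_v_output is not None and not built_with_openssl(squid_v_output):
        findings.append("squid was not built with --with-openssl; SslBump cannot work")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}]")
        for line in lint(conf, SQUID_V_WITH_SSL) or ["no findings"]:
            print("  " + line)
```

Run it against a real squid.conf by reading the file into lint() and passing the output of "squid -v"; a clean result still says nothing about certificate trust on the clients, only that SslBump is actually enabled and every rule can be reached.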