Header Detection Post SSL Bump in Squid 4.10

Header Detection Post SSL Bump in Squid 4.10

shubham jain
Hi,

Context:
I want to use Squid as a forward proxy, where I want to
1) send all the Image requests directly, presumably using request header 'accept'
2) send all other requests through a cache peer Proxy service

The req_header directive is working fine for HTTP Requests, but not for HTTPS.

I've done the setup for SSL Bump in here and that's giving decrypted HTTPS requests in the access.log as well.

Issue:
The req_header directive is not working on the decrypted HTTPS requests.

Squid.conf

# SSL Bump Port
http_port 127.0.0.1:3128 ssl-bump cert=/usr/local/etc/cert/example.com.cert key=/usr/local/etc/cert/example.com.private generate-host-certificates=on version=1 options=SINGLE_DH_USE  

# SSL Bump Config
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl imageIsBlocked req_header accept -i image

ssl_bump terminate imageIsBlocked    #terminate is just for testing, to be replaced by splice
ssl_bump bump all

Access.log

1587011751.217    204 127.0.0.1 TCP_MISS/200 393 GET https://dt.adsafeprotected.com/dt? - HIER_DIRECT/104.244.39.20 image/gif
1587011751.264   1050 127.0.0.1 NONE/200 0 CONNECT pagead2.googlesyndication.com:443 - HIER_DIRECT/172.217.13.226 -
1587011751.303    787 127.0.0.1 NONE/200 0 CONNECT pagead2.googlesyndication.com:443 - HIER_DIRECT/172.217.13.226 -
1587011752.246   2846 127.0.0.1 NONE/200 0 CONNECT partners.tremorhub.com:443 - HIER_DIRECT/3.224.28.212 -
1587011753.348   1096 127.0.0.1 TCP_MISS/200 1105 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/3.224.28.212 text/xml
1587011754.152    799 127.0.0.1 TCP_MISS/200 1124 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/3.224.28.212 text/xml
1587011756.091   1934 127.0.0.1 TCP_MISS/200 1086 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/3.224.28.212 text/xml
1587011760.264   4169 127.0.0.1 TCP_MISS_ABORTED/200 1113 GET https://partners.tremorhub.com/syncnoad? - HIER_DIRECT/3.224.28.212 text/xml
1587011760.822    367 127.0.0.1 TCP_MISS/200 1185 POST https://pagead2.googlesyndication.com/pcs/activeview? - HIER_DIRECT/172.217.13.226 image/gif
1587011760.862    407 127.0.0.1 TCP_MISS/200 1185 GET https://pagead2.googlesyndication.com/pcs/activeview? - HIER_DIRECT/172.217.13.226 image/gif

Any help would be appreciated, as I have spent weeks trying to get around the work post SSL Bumping.

Thanks & Regards,

Shubham Jain




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Header Detection Post SSL Bump in Squid 4.10

Amos Jeffries
Administrator
On 16/04/20 5:15 pm, shubham jain wrote:

> Hi,
>
> *Context*:
> I want to use Squid as a forward proxy, where I want to
> 1) send all the Image requests directly, presumably using request header
> 'accept'
> 2) send all other requests through a cache peer Proxy service
>
> The req_header directive is working fine for HTTP Requests, but not for
> HTTPS.
>
> I've done the setup for SSL Bump in here and that's giving decrypted
> HTTPS requests in the access.log as well.
>
> *Issue:*
> The req_header directive is not working on the decrypted HTTPS requests.
>
> *Squid.conf*
>
> # SSL Bump Port
> http_port 127.0.0.1:3128 ssl-bump
> cert=/usr/local/etc/cert/example.com.cert
> key=/usr/local/etc/cert/example.com.private
> generate-host-certificates=on version=1 options=SINGLE_DH_USE  
>
> # SSL Bump Config
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl imageIsBlocked req_header accept -i image
>
> ssl_bump terminate imageIsBlocked    #terminate is just for testing, to
> be replaced by splice
> ssl_bump bump all


Do the CONNECT tunnels' Accept headers contain "image"?

ssl_bump decides what to do during the TLS handshake process. For your
setup that is only the CONNECT requests.

Once decrypted, HTTPS is just HTTP with https:// URL schemes. It is
controlled by http_access and does not pass through ssl_bump rules again.


Amos
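The following squid.conf fragment is an added illustration of the point Amos makes; it is not part of the thread and not the original poster's configuration. It keeps ssl_bump to its real job (deciding per CONNECT / TLS handshake) and moves the image-vs-everything-else routing decision onto the request-level directives that do see the decrypted requests: always_direct, never_direct and cache_peer_access, all keyed on the same req_header ACL. The cache peer name upstream.example.net and its port are assumptions; substitute the real peer.

```conf
# Added example, not from the thread. Assumes the upstream proxy service is
# reachable as upstream.example.net:3128 (placeholder, adjust to the real peer).

http_port 127.0.0.1:3128 ssl-bump cert=/usr/local/etc/cert/example.com.cert key=/usr/local/etc/cert/example.com.private generate-host-certificates=on

acl step1 at_step SslBump1

# Stage 1: TLS interception. ssl_bump is evaluated only for the CONNECT
# request / TLS handshake, so header-based routing does not belong here.
# Peek at step 1 to read the client hello (SNI), then bump everything so the
# inner requests are decrypted and become ordinary https:// requests.
ssl_bump peek step1
ssl_bump bump all

# Stage 2: the decrypted requests are plain HTTP as far as Squid is concerned,
# carrying the real Accept header. Match on it here, with request-level rules.
acl imageRequest req_header Accept -i image

cache_peer upstream.example.net parent 3128 0 no-query default

# Image requests go direct; every other request must use the cache peer.
always_direct allow imageRequest
never_direct allow !imageRequest
cache_peer_access upstream.example.net deny imageRequest
cache_peer_access upstream.example.net allow all

# Access control for the decrypted requests (http_access, not ssl_bump).
http_access allow localhost
http_access deny all
```

To confirm the routing, watch the hierarchy field in access.log: bumped GET/POST lines for images should show HIER_DIRECT, while the remaining https:// requests should show the peer in that field. If a rule keyed on Accept still appears to do nothing at the ssl_bump stage, log the CONNECT request headers (logformat code %>h) to check whether the tunnel request carries an Accept header at all; the decision for the decrypted requests is made by the directives above regardless.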