SSL_bump and source IP


SSL_bump and source IP

FredB
Hello,

I'm searching for a way to exclude a user (account) or an IP from my LAN.
I can exclude a destination domain from decryption with SSL_bump, but not all requests from a specific source. Maybe because I'm using x-forwarded?

Thanks

Fred  
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL_bump and source IP

Matus UHLAR - fantomas
On 11.01.17 11:37, FredB wrote:
>I'm searching for a way to exclude a user (account) or an IP from my LAN
>I can exclude a destination domain from decryption with SSL_bump

simply define an ACL and deny bumping it.

> but not all requests from a specific source

what do you mean here?

>, maybe because I'm using x-forwarded ?

x-forwarded-for has nothing to do with this

Maybe you should rephrase the question so we understand you better.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges.

Re: SSL_bump and source IP

FredB

> but not all requests from a specific source

> what do you mean here?

I mean no ssl-bump at all for a specific user, no matter the destinations.
I tried some ACLs without success.

>>, maybe because I'm using x-forwarded ?

> x-forwarded-for has nothing to do with this

There is a known bug with sslbump and x-forwarded (a bug about logging); maybe there is a relation, my "fake" address is not known or something like this.

Re: SSL_bump and source IP

Amos Jeffries
On 12/01/2017 1:04 a.m., FredB wrote:
>
>> but not all requests from a specific source
>
>> what do you mean here?
>
> I mean no ssl-bump at all for a specific user, no matter the destinations.
> I tried some ACLs without success.

At the time of bumping Squid has no idea what a "user" is and things
like the X-Forwarded-For are probably also unknown/unavailable.

All you can assume being known about the client is the TCP detail
(IP:port), perhaps an IDENT label or TOS marking. Though I'm not sure
of the latter two.


>
>>> , maybe because I'm using x-forwarded ?
>
>> x-forwarded-for has nothing to do with this
>
> There is a known bug with sslbump and x-forwarded (a bug about logging); maybe there is a relation, my "fake" address is not known or something like this.

That bug is relevant only in the case of clients being configured to use
the proxy as a forward/explicit proxy (no intercept or tproxy). In the
non-relevant traffic types the XFF header simply does not exist, period.

Amos


Re: SSL_bump and source IP

FredB
So how can I manage computers without my CA? (e.g. a laptop temporarily connected)
In my situation I also have some smartphones in some cases connected to my squids. How can I exclude them from SSLBump?
I already have some ACLs based on authentication (user azerty = with/without some rules).

FredBb


Re: SSL_bump and source IP

Eliezer Croitoru
Have you considered an external_acl that will help you to do this by the MAC address, or by another way like a "bypass" portal?
With a MAC address DB you can know if the device is from one manufacturer or another.
The hackers in your network will always find a way to bypass ssl bump eventually, since there are other ports, but it's something.
I am not sure, but if there was a way to find them by the form of the TLS hello then I believe it would be simple enough to identify these, but I am not sure how possible that is.
I can write a pseudo in Ruby that will help to identify vendors by MAC address based on:
https://github.com/royhills/arp-scan/blob/master/get-oui
https://github.com/joemiller/mac-to-vendor

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of FredB
Sent: Thursday, February 2, 2017 10:03 AM
To: [hidden email]
Subject: Re: [squid-users] SSL_bump and source IP

So how can I manage computers without my CA? (e.g. a laptop temporarily connected) In my situation I also have some smartphones in some cases connected to my squids. How can I exclude them from SSLBump?
I already have some ACLs based on authentication (user azerty = with/without some rules).

FredBb


Re: SSL_bump and source IP

FredB
Thanks Eliezer

Unfortunately my "LAN" is huge, many thousands of people, and MAC addresses are not known.
I'm very surprised. Am I alone with this? Nobody needs to exclude some users from SSLBump?

Fredb

Re: SSL_bump and source IP

Odhiambo Washington-4
I am with you on this. Unfortunately, just as a certain subject turns out not to be easy for someone in school, so ssl_bump is to me!

On 2 February 2017 at 14:37, FredB <[hidden email]> wrote:
Thanks Eliezer

Unfortunately my "LAN" is huge, many thousands of people, and MAC addresses are not known.
I'm very surprised. Am I alone with this? Nobody needs to exclude some users from SSLBump?

Fredb



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: SSL_bump and source IP

Marcus Kool
The terminology may be confusing:
ssl_bump         means more or less "looking at HTTPS traffic"
ssl_bump splice  means "do not bump/intercept HTTPS traffic. No fake CA certificates are used"
ssl_bump bump    means "bump/intercept HTTPS traffic and use a fake CA certificate"

So the question is not about ssl_bump but about "ssl_bump bump".
To prevent the active bump, you need an ACL to splice (leave the connection alone).
Something like this:

acl tls_s1_connect      at_step SslBump1

acl tls_vip_users    fill-in-your-details

ssl_bump splice    tls_vip_users # do not peek/bump vip users
ssl_bump peek      tls_s1_connect # peek at connections of other users
ssl_bump stare     all # peek/stare at the server side of connections of other users
ssl_bump bump      all # bump connections of other users

Marcus


On 11/01/17 09:50, Matus UHLAR - fantomas wrote:

> On 11.01.17 11:37, FredB wrote:
>> I'm searching for a way to exclude a user (account) or an IP from my LAN
>> I can exclude a destination domain from decryption with SSL_bump
>
> simply define an ACL and deny bumping it.
>
>> but not all requests from a specific source
>
> what do you mean here?
>
>> , maybe because I'm using x-forwarded ?
>
> x-forwarded-for has nothing to do with this
>
> Maybe you should rephrase the question so we understand you better.
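A concrete version of Marcus's skeleton with the "fill-in-your-details" ACL replaced by a source-address ACL. This is an added example, not configuration from the thread or from the Squid project; the addresses are constructed placeholders. Because at step 1 Squid only knows the TCP connection details (as Amos noted above), `src` is the ACL type that can reliably select clients to leave alone; a `proxy_auth` ACL has no user to match at that point, and anything carried in an X-Forwarded-For header is not available either.

```conf
# Added example (not from the thread): leave chosen source addresses
# un-bumped, peek at everyone else at step 1, then bump them.

# Step-1 ACL: only the TCP details of the client connection are known here.
acl tls_s1_connect at_step SslBump1

# Constructed sample addresses: replace with the hosts/subnets that must
# never see a generated certificate (unmanaged laptops, smartphones, ...).
acl nobump_src src 192.0.2.10/32
acl nobump_src src 198.51.100.0/24

# Order matters: at each step the first ssl_bump line whose ACLs match wins,
# so the splice rule must come before the peek/bump rules.
ssl_bump splice nobump_src       # leave these clients' TLS alone; no fake cert
ssl_bump peek   tls_s1_connect   # learn SNI from the client hello for the rest
ssl_bump bump   all              # decrypt everyone else
```

Two points worth checking after adding this. `src` is matched against the address of the TCP connection Squid itself sees, so if clients reach Squid through another proxy it is that proxy's address, not the end user's, that has to appear in `nobump_src`. And `squid -k parse` reports whether the ACL and ssl_bump lines are accepted before the configuration is reloaded.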

Re: SSL_bump and source IP

FredB

>
> acl tls_s1_connect      at_step SslBump1
>
> acl tls_vip_users    fill-in-your-details
>
> ssl_bump splice    tls_vip_users # do not peek/bump vip users
> ssl_bump peek      tls_s1_connect # peek at connections of other
> users
> ssl_bump stare     all # peek/stare at the server side of
> connections of other users
> ssl_bump bump      all # bump connections of other users
>


Great, I will take a look. Are there some words about this in the wiki?

Re: SSL_bump and source IP

Eliezer Croitoru
You are not alone, but you first need to define and understand your goals in a more technical way.
Squid can understand HTTP, TLS/SSL, IP and layer 2 MAC addresses.
If in one of these you can recognize that the client needs to be bypassed from SSL BUMP or interception in general, you would be able to make it work.
If you have a portal that only Android or mobile users can run and be identified at, then you will need to first bump, but give these specific users the option to somehow be bypassed from being bumped at the IP or layer 2 level.
If you have a WIFI network you can somehow make a trick with your RADIUS server and usernames that will allow some clients (by IP) to be bypassed based on an external ACL helper.

What do you think?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of FredB
Sent: Thursday, February 2, 2017 1:38 PM
Cc: [hidden email]
Subject: Re: [squid-users] SSL_bump and source IP

Thanks Eliezer

Unfortunately my "LAN" is huge, many thousands of people, and MAC addresses are not known. I'm very surprised. Am I alone with this? Nobody needs to exclude some users from SSLBump?

Fredb