a decent way to speed up Facebook?


a decent way to speed up Facebook?

tkalfaoglu

Hello there. I have a transparent squid at my home to speed up the browsing by caching stuff.  And it works well for HTTP.

For HTTPS, I was only able to get it to "peek" and I'd like to be able to bump the connections.

I installed the server certificate on the client, but still, the browser (firefox) keeps complaining:

Your connection is not secure
The owner of www.facebook.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Here is what I have:
#
# serverIsBank is a list of domains that are banks essentially. They seem more picky.
#
ssl_bump splice serverIsBank
ssl_bump peek all
# ssl_bump bump all    # this does not work, it gives the error above..

https_port 3129 intercept ssl-bump \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        cert=/etc/squid/ssl_cert/tk2ca.pem key=/etc/squid/ssl_cert/tk2ca.pem \
        sslflags=NO_SESSION_REUSE
tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
sslproxy_cert_error allow all
sslcrtd_program  /usr/lib64/squid/security_file_certgen  -s /var/lib/ssl_db -M $
sslcrtd_children 50 startup=5 idle=5


Thanks, -turgut



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: a decent way to speed up Facebook?

Amos Jeffries
Administrator
On 5/09/18 4:44 AM, turgut kalfaoğlu wrote:

> Hello there. I have a transparent squid at my home to speed up the
> browsing by caching stuff.  And it works well for HTTP.
>
> For HTTPS, I was only able to get it to "peek" and I'd like to be able to
> bump the connections.
>
> I installed the server certificate on the client, but still, the browser
> (firefox) keeps complaining:
>
> Your connection is not secure
> The owner of www.facebook.com has configured their website improperly.
> To protect your information from being stolen, Firefox has not connected
> to this website.
> This site uses HTTP Strict Transport Security (HSTS) to specify that
> Firefox may only connect to it securely. As a result, it is not possible
> to add an exception for this certificate.

Squid removes HSTS from any network traffic it handles (except splice'd
traffic). So clearing the browser info and ensuring that the other
non-HTTP protocols browsers like to use these days (e.g. QUIC, SPDY,
WebSockets, HTTP/2) are not happening should resolve this issue.

If you do not (or cannot) clear the browser info, the HSTS should only
last until the TTL it last mentioned in traffic expires - but that can
be a very long timeout.


>
> Here is what I have:
> #
> # serverIsBank is a list of domains that are banks essentially. They seem more picky.
> #
> ssl_bump splice serverIsBank
> ssl_bump peek all
> # ssl_bump bump all    # this does not work, it gives the error above..

Try:

 # splice as soon as detected
 ssl_bump splice serverIsBank

 # step 1 - peek to get TLS SNI
 acl step1 at_step SslBump1
 ssl_bump peek step1

 # step 2 - stare to get server cert details for bump
 ssl_bump stare all

 # step 3 - terminate if splice failed, bump everything else
 ssl_bump terminate serverIsBank
 ssl_bump bump all


>
> https_port 3129 intercept ssl-bump \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>         cert=/etc/squid/ssl_cert/tk2ca.pem key=/etc/squid/ssl_cert/tk2ca.pem \

When cert= and key= are in the same file you do not need to specify key=.


>        sslflags=NO_SESSION_REUSE
> tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt

That ca-bundle.crt is the global trusted CA, right?

If yes, you do not need to manually configure it. The system default CA
/ global Trusted CA are used by default on MITM outgoing connections.


> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
> sslproxy_cert_error allow all

Remove the above line. It prevents you from being told about important problems.

Instead investigate errors that come up, and either fix or ignore on an
individual basis. Some errors are simple and easily avoided, others
depend on your policy about whether the client should be allowed to do
the operation.


HTH
Amos