
destination ip to splice

destination ip to splice

Eliezer Croitoru
I have a scenario in which I want to disable ssl-bump for specific host IP
network masks.
In this scenario I want all localnet (10.0.0.0/8, 192.168.0.0/16...)
https traffic to be spliced.
I tried to understand from the acl docs whether there is such an acl, but
couldn't work out if it exists.
I am using squid in this scenario as a simple forward proxy and not in
intercept mode.
From the following:
***** ACL TYPES AVAILABLE *****

        acl aclname src ip-address/mask ... # clients IP address [fast]
        acl aclname src addr1-addr2/mask ... # range of addresses [fast]
        acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
        acl aclname localip ip-address/mask ... # IP address the client connected to [fast]

Is there a specific one that can help me with that, or should I use
ssl::server_name_regex:
(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|(^172\.2[0-9])|(^172\.3[0-1])
?

In intercept mode I can just use iptables to bypass the interception, but in
forward proxy mode I do not see another option.
This might not be the place, but would there ever be an option to bypass
squid parsing for specific destinations, i.e. a "splice" for special http
requests?

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: destination ip to splice

Alex Rousskov
On 05/15/2017 06:11 PM, Eliezer Croitoru wrote:
> I want to [match] all localnet(10.0.0.0/8, 192.168.0.0/16...)

How about something like this, adapted from the existing localnet ACL
definition in squid.conf.documented?

>   acl to_localnet dst 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
>   acl to_localnet dst 10.0.0.0/8         # RFC 1918 local private network (LAN)
>   acl to_localnet dst 100.64.0.0/10      # RFC 6598 shared address space (CGN)
>   acl to_localnet dst 169.254.0.0/16     # RFC 3927 link-local (directly plugged)
>   acl to_localnet dst 172.16.0.0/12      # RFC 1918 local private network (LAN)
>   acl to_localnet dst 192.168.0.0/16     # RFC 1918 local private network (LAN)
>   acl to_localnet dst fc00::/7           # RFC 4193 local private network range
>   acl to_localnet dst fe80::/10          # RFC 4291 link-local (directly plugged)

Alex.

Re: destination ip to splice

Eliezer Croitoru
I tried this with splice but it just doesn't work; the requests are still being bumped.
From the docs I understand that it should work on the URL destination hostname and not on the IP of the destination hostname.
So my assumption is that it's not at the tcp socket level but at the http hostname (url-hostname) level.

Eliezer

Re: destination ip to splice

Alex Rousskov
On 05/15/2017 06:40 PM, Eliezer Croitoru wrote:
> I tried this with splice but it just doesn't work the requests are still being bumped.

Do you know exactly why they are being bumped? Check the debugging logs
if you do not.


> From the docs I understand that it should work on the URL destination hostname
> and not the ip of the destination hostname.

The dst ACL works on IPs (including, when necessary and allowed, on IPs
obtained from resolved domain names). In a forward-proxy configuration,
those IPs or domains are extracted from the URL. In an ssl_bump context,
that URL comes from the CONNECT request target.


> So my assumption is that it's not in the tcp socket level but the
> http hostname url-hostname level.

What is the exact CONNECT request URL when your dst ACL is being
evaluated in your ssl_bump test case? Does the ACL match? Attach the
corresponding debugging log snippet.

Alex.


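A small model of the match Alex describes, added here as an illustration and not code from the thread or from Squid: it pulls the host out of the CONNECT request target, applies the to_localnet ranges the way a dst ACL would (IP literals compared directly, hostnames only through an optional resolver callback that stands in for Squid's DNS lookup), and contrasts that with the text-only ssl::server_name_regex from the first message. The resolver parameter and the function names are assumptions for this example.

```python
import re
import ipaddress

# Alex's to_localnet entries, transcribed from his reply above (CIDR or addr1-addr2).
TO_LOCALNET = [
    "0.0.0.1-0.255.255.255", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10",
]
# The ssl::server_name_regex Eliezer proposed, kept here for comparison.
SERVER_NAME_REGEX = re.compile(
    r"(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|(^172\.2[0-9])|(^172\.3[0-1])")

def acl_range(entry):
    """Return the (first, last) address pair covered by one acl dst entry."""
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(entry, strict=False)
    return net.network_address, net.broadcast_address

def connect_target_host(request_line):
    """Host part of 'CONNECT host:port HTTP/1.1'; IPv6 literals arrive in brackets."""
    method, target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request: " + request_line)
    if target.startswith("["):
        return target[1:target.index("]")]
    return target.rsplit(":", 1)[0]

def dst_matches(host, acl=TO_LOCALNET, resolver=None):
    """Model of a dst ACL: an IP literal is compared directly; a hostname is only
    matched when a resolver (stand-in for the 'slow' DNS lookup) is supplied."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        if resolver is None:
            return False
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    ranges = [acl_range(e) for e in acl]
    return any(lo.version == a.version and lo <= a <= hi
               for a in addrs for lo, hi in ranges)

def server_name_regex_matches(host):
    """The regex only looks at the name text, so '10.example.test' also matches."""
    return SERVER_NAME_REGEX.search(host) is not None

def ssl_bump_action(request_line, resolver=None):
    """'splice' when the CONNECT target is local by the dst ACL, otherwise 'bump'."""
    host = connect_target_host(request_line)
    return "splice" if dst_matches(host, TO_LOCALNET, resolver) else "bump"
```

Running a real test against Squid still means checking the debugging log Alex asks for, since this model only shows which CONNECT targets the dst ranges can match and which ones need a name lookup first.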