Re: [squid-users] Issue when SSL bump bypass some domains

From: Neddy, NH. Nam <nam.nh_at_nd24.net>
Date: Wed, 11 Dec 2013 14:12:15 +0700

HI Alex,

Excuse me because I'm not native to English. And thanks your good points.

I changed debug to ALL,9 that's huge, but I found what's wrong with me:

2013/12/11 13:50:06.914 kid1| Acl.cc(156) matches: checking bypass-ssl
2013/12/11 13:50:06.914 kid1| DomainData.cc(131) match:
aclMatchDomainList: checking 'www.website.com'
2013/12/11 13:50:06.914 kid1| DomainData.cc(135) match:
aclMatchDomainList: 'www.website.com' NOT found

And looked back to my config, I should use dstdom_regex instead of
dstdomain if I want to use wildcard here.

Again, thanks for your value comment.
~Neddy,

On Wed, Dec 11, 2013 at 12:50 PM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 12/10/2013 09:13 PM, Neddy, NH. Nam wrote:
>> Hi,
>>
>> I've installed squid 3.4 STABLE for forward proxying with ssl-bump
>> (followed Squid Wiki). Everything is fine until client visit https
>> pages which have bad certificates (ie. seft signed).
>>
>> My configure to tell Squid bypass those:
>>
>> acl bypass-ssl dstdomain *.website.com
>>
>> ssl_bump none bypass-ssl
>> ssl_bump server-first all
>
>
> OK, but please note that the above only works if
>
> a) The CONNECT request is using a domain name;
>
> or
>
> b) The CONNECT request is using an IP address. Squid can get a domain
> name by doing a reverse DNS lookup on that IP address _and_ the result
> of that reverse lookup is the domain name you expect and not some
> internal/irrelevant/different domain.
>
> In many cases, neither (a) nor (b) are true.
>
>
>> The result is Squid bypasses ACL but still do ssl-bump, and client
>> still receive generated cert from Squid.
>
> Sorry, the above sentence is unclear, especially the "Squid bypasses
> ACL" part. You may want to rephrase.
>
>
>> I've expected ssl_bump will not terminate ssl by those
>> directive, If so, what should I do?
>
> Yes, if bypass-ssl matches, Squid should not terminate SSL.
>
>
> Here is the suggested troubleshooting plan.
>
> 1) Collect the CONNECT request that violates your expectations. Use
> "debug_options ALL,2" in squid.conf, packet capture, custom access.log,
> whatever works best for you. Once you have the request, you can repeat
> it if needed, in isolation, using tools like nc, curl, wget, etc.
>
> 2) Determine whether that CONNECT request is using an IP address for the
> tunnel destination. If CONNECT is using a domain name, should the
> bypass-ssl match that domain? If bypass-ssl should match but does not,
> report a bug.
>
> 3) If CONNECT request is using an IP address, perform a reverse DNS
> lookup yourself, using the same DNS resolver that Squid is using. "Dig"
> or even "host" command may be used for that in most cases. Do you get a
> DNS answer with a domain name? Should that domain name match your
> bypass-ssl ACL? If bypass-ssl should match in this case but does not,
> report a bug.
>
> The above plan does not cover all possibilities, but is a good start.
>
> If you need to report a bug, change debug_options to ALL,9; reproduce
> the problem using a single request (with no other traffic going through
> Squid); and post the compressed cache.log.
>
>
> Good luck,
>
> Alex.
>
Received on Wed Dec 11 2013 - 07:12:22 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 11 2013 - 12:00:05 MST