Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bypass ssl-bump on squid3-dev

    Scheduled Pinned Locked Moved pfSense Packages
    37 Posts 8 Posters 17.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      whitelisted sites are excluded from ssl-bump acl.

      Just remember that squid wildcard is a dot. So to allow onlinebank.com include this way

      onlinebank.com <- allow onlinebank.com site
      .onlinebank.com <- allow any site on onlinebank.com

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • D
        Derf
        last edited by

        Thanks for your quick answer marcelloc.

        I tried to put the sites in the whitelist but it don't do the trick.  :(
        Even after a reboot of the pfSense box, the certificates of the sites that should normally bypass SSL filtering are still signed by the CA of pfSense.

        Is there maybe a way to have one (or more) IP on my LAN to bypass SSL filtering (but not regular HTTP transparent proxy)?

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          Source ip exception will skip client for both http and https proxy.

          I'll do more testes as soon as possible.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • D
            Derf
            last edited by

            I also tried (without success  :-) to paste the following into the 'custom options' field:

            
            acl bypass_ssl dstdomain .onlinebank.com
            acl bypass_ssl dstdomain .anotherbank.com
            ssl_bump none bypass_ssl
            ssl_bump server-first all
            
            

            … same (lack of  :-\ :-) result with the following in an attempt to bypass ssl bump for an IP on my LAN

            
            acl bypass_ssl src 192.168.0.100/24
            ssl_bump none bypass_ssl
            ssl_bump server-first all
            
            

            I'll continue investigating, maybe by trying to use WPAD instead of ssl bumping

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              Can you test these settings with and without transparent mode?

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • D
                Derf
                last edited by

                Sorry, but I've been busy these days.  ::)

                I just did some tests with an without transparent proxy and it seems that bypassing SSL bump just don't work in either case.
                I think I'll give up SSL filtering for the moment and wait until a more stable version of squid is available…

                1 Reply Last reply Reply Quote 0
                • A
                  aGeekhere
                  last edited by

                  Hi, sorry to dig up a old post but is ssl-bump bypassing on squid3-dev working? Been trying to get windows update working and i am unable to bypass the ssl-bump for windows updates (or adobe updates or installs) either with adding domains in the acls white list or by

                  
                  acl broken_sites dstdomain .update.microsoft.com
                  acl broken_sites dstdomain .ds.download.windowsupdate.com
                  acl broken_sites dstdomain .swupdl.adobe.com
                  acl broken_sites dstdomain .ccmdl.adobe.com
                  ssl_bump none broken_sites
                  
                  always_direct allow all
                  ssl_bump server-first all
                  
                  

                  Any ideas?

                  Never Fear, A Geek is Here!

                  1 Reply Last reply Reply Quote 0
                  • technicalT
                    technical
                    last edited by

                    Windows activation sites also not bump squid stopping services

                    http://support.microsoft.com/kb/921471

                    Here my config
                    Custom ACLS (Before_Auth)

                    acl broken_sites dstdomain .update.microsoft.com
                    acl broken_sites dstdomain .ds.download.windowsupdate.com
                    acl broken_sites dstdomain .activation.sls.microsoft.com
                    acl broken_sites dstdomain .swupdl.adobe.com
                    acl broken_sites dstdomain .ccmdl.adobe.com
                    ssl_bump none broken_sites
                    http_access allow localnet
                    always_direct allow all
                    ssl_bump server-first all
                    

                    Custom ACLS (After_Auth)

                    always_direct allow all
                    ssl_bump server-first all
                    

                    If im delete acl broken_sites dstdomain .activation.sls.microsoft.com squid service working so good but if im include that code squid service stopping

                    Necati Selim GÜNER
                    IT Technician

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @TechnicaL:

                      if I include that code squid service stopping

                      What errors you get on cache.log?

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • W
                        webstor
                        last edited by

                        Hi,

                        I have the same problem that I cannot define ssl_bump overrides.
                        There are no errors in the cache.log or access.log

                        1 Reply Last reply Reply Quote 0
                        • W
                          webstor
                          last edited by

                          It is working with destionation ip's:
                          as example: acl broken_ip dst 199.83.131.101
                          it is showing its original cert.

                          so to make an exception list I think the point is reverse dns.

                          1 Reply Last reply Reply Quote 0
                          • M
                            marian78
                            last edited by

                            can you pleas dear sir explai how to?

                            pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

                            1 Reply Last reply Reply Quote 0
                            • W
                              webstor
                              last edited by

                              I found out, that as example I cannot bypass *.windowsupdate.com or *.google.com.

                              Please note the wildcard is just for understanding, in the acl it should look like this .google.com

                              can anyone please test if he is able to bypass this url https://login.salesforce.com  ?
                              This is one of the urls which can be bypassed without any problems.

                              I think it comes to errors when you try to bypass a hostname which has more ip-adresses.

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                @webstor:

                                It is working with destionation ip's:
                                as example: acl broken_ip dst 199.83.131.101

                                Maybe related to transparent proxy. As squid does not know the dns/fqdn before interception.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • W
                                  webstor
                                  last edited by

                                  yes and no.

                                  He has to generate a certificate for the required domain when bumping server-side first, it is a wildcard generated for the correct domain and not the ip.

                                  I forgot to mention thatyou have to enable resolv dns4 first.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    siceff
                                    last edited by

                                    Hello everyone !
                                    I'm looking for weeks about this issue too… and still have no answer. Here is my configuration : pfsense 2.2, squid3 v3.4.10_2 (pkg 0.2.6).
                                    If configure squid like that : proxy my whole LAN, resolv dns v4 first, transparent http proxy on all interface except WAN, bypass proxy for private addresses. About SSL Interception : enabled on all interface except on WAN with a self-signed certificat (which is included in trusted authority on all computer), adapt certificate "Not before" and I do not check the remote certificate (for test).

                                    Under 'Custom ACLS, before_auth, I try to avoid ssl_bumping for .microsoft.com (for testing purpose).
                                    The Squid service start normaly but when I access to https://www.microsoft.com, it's still be singned with my own CA, so the exception is not working.

                                    Could anyone help me to make this exception working ?

                                    PS: Microsoft KB about ssl exclusion for Windows update, which is my main problem actually : https://support.microsoft.com/kb/885819

                                    1 Reply Last reply Reply Quote 0
                                    • W
                                      webstor
                                      last edited by

                                      You could try to make an exception list based on ip's.

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        doktornotor Banned
                                        last edited by

                                        First of all you should not proxy these at all.

                                        1 Reply Last reply Reply Quote 0
                                        • W
                                          webstor
                                          last edited by

                                          He does not want to proxy them, but the problem is the bypass with fqdn's. (acl dstdomain isn't working as it should).

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            doktornotor Banned
                                            last edited by

                                            You need to tell the client that they should not be proxied… Via proxy.pac plus GPO or whatever. Too late to mess with that once the traffic already hit the transparent proxy!

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.