Bypass ssl-bump on squid3-dev
-
He does not want to proxy them, but the problem is the bypass with fqdn's. (acl dstdomain isn't working as it should).
-
You need to tell the client that they should not be proxied… Via proxy.pac plus GPO or whatever. Too late to mess with that once the traffic already hit the transparent proxy!
-
Maybe his standardgateway is also the proxy and he does not have the option to use another gateway ?
-
Thank you for taking time to solve my issue !
You're right, my pfsense is not only the proxy, but the router between vlans and my Gateway to internet, so I cannot tell the client to bypass squid.
I try to exclude the destination IP address using :acl ssl_bypass dst 104.66.167.176 ssl_bump none ssl_bypassAnd… that works !!! accessing https://www.microsoft.com stil signed by verisign :-) I'll check tomorrow to exclude all Windows update IPs. Thanks for your help. I'll come back tomorrow 8)
-
You're right, my pfsense is not only the proxy, but the router between vlans and my Gateway to internet, so I cannot tell the client to bypass squid.
Eeeeh? How many proxies are you running and where?
P.S. This MS stuff is a huge CDN, whitelisting individual IPs is just a total no go.
-
Microsoft Windows Update is using only one ip? Cannot believe that.
-
For the moment it is the best solution. Of course it would be better, but the acl dstdomain isn't working as it should.
-
What solution? Cannot see any solution here - acl ssl_bypass dst with a single IP is nonsense and not a solution.
-
Then brinng up a solution depending in that Problem. ACL dstdomain wont work with SSL bump with hosts with multiple IP adresses.
-
Already brought up a solution. Traffic to these domains should not hit a proxy at all. No other input until this gets answered.
-
Thats not a solution.
-
-
Try it yourself. Maybe you should understand SSL bumping first.
-
Why on earth should I try something known to NOT work by design? Stop directing your Windows Update traffic to the transparent SSL proxy. If you want to serve updates locally, use WSUS server or some of the other enterprise solutions intended for that purpose.
-
As mentioned before, not a solution. ;D
-
Hello again !
You're right, it's not possible to exclude the Windows update by IP, that's too big… by the way, I've quite the same problem with teamviewer, which is working, but the event viewer is full of schannel error due to this inspection too. Maybe I could place a WSUS server, but as it's not a main site, it's a lot of trouble for a few PCs.As I understand, the other way is to have a proxy for some sites and no proxy for others based on wpad files. But can I do that when pfsense is my single Gateway/router/NAT of the whole network ? I cannot understand how. Or I have to turn to a non-transparent proxy, so I could proxify some site and exclude others based on proxy port...
Could you explain me what do you think exactly ?
-
As I understand, the other way is to have a proxy for some sites and no proxy for others based on wpad files. But can I do that when pfsense is my single Gateway/router/NAT of the whole network ? I cannot understand how.
I don't understand how's this a problem? See this, e.g.: http://findproxyforurl.com/example-pac-file/
-
He has to generate a certificate for the required domain when bumping server-side first, it is a wildcard generated for the correct domain and not the ip.
I know it is for the site.
the question is, in transparent mode, how could squid know without intercepting that connection from 192.168.1.1 to 64.54.10.10 is a request to microsoft windows update?
Squid will only know the domain after interception, so acl will take no effect.
Also there are some notes about fast and slow acls that not work on this or that squid option.
