Netgate Discussion Forum
    SSLBUMP without MITM

shonjir

      @doktornotor:

      OK, how's this?

      https://github.com/pfsense/FreeBSD-ports/pull/269

This is awesome, thanks @doktornotor! I'll be installing this package and testing shortly.

Edit: Package works great! One thing I noticed is that custom MITM options only get added when 'custom' mode is set - the package works fine as is, but a note in the help text would make this clearer.

      Thanks again!

shonjir

        @jimp:

        From the history there it looks like it had a similar problem to squidGuard. Whatever happens, it needs a ground-up rewrite with up-to-date style and practices all-around.

        @doktornotor:

Yeah. The XMLs in the linked e2guardian PR would be a good starting point to get a grip of potential feature set. The PHP code there still needs major work, though it must have been a lot better than SquidGuard, considering I've been able to somehow finish the code style at least. :P

        Maybe the right solution isn't to rewrite/replace squidGuard but to abandon it altogether?

        There's at least one provider of blocklists that provides Squid ACL format, so from a blocklist/whitelist perspective it seems the necessary functionality is there - what's lacking is translation of the categorized blocklists into Squid ACLs.

It seems that an interface to translate existing squidGuard blocklist format and category management into the necessary ACLs might bridge the gap nicely. The e2 package might provide a base for this.

        Is this an approach that might be feasible?

doktornotor
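The translation step shonjir describes above (categorized squidGuard lists into Squid ACLs) is mechanical enough to script. The following is an added example in Python; it is not pfSense, squidGuard or e2guardian code. It assumes the squidGuard on-disk layout (a `domains` file and a `urls` file per category), constructs its own sample lists, and chooses its own ACL names and output paths. It also respects the no-MITM constraint of this thread: under `ssl_bump splice all` a url_regex entry only ever sees plain-HTTP URLs, so HTTPS sites can only be blocked on the SNI with an `ssl::server_name` ACL evaluated at step 2.

```python
"""Translate a squidGuard-style category into Squid ACL lists.

Added example, not pfSense, squidGuard or e2guardian code. squidGuard
distributes each category as a directory holding a 'domains' file (one
domain per line) and a 'urls' file (host/path per line, no scheme).
Squid has no categories, so this emits, per category, a dstdomain list,
a url_regex list and the acl/http_access/ssl_bump lines that use them.
Paths, ACL names and the sample lists below are constructed for the demo.
"""
import os
import re

SAMPLE_DOMAINS = """# constructed sample of a squidGuard 'domains' file
ads.example.com
http://Tracker.example.net/
.banner.example.org
"""

SAMPLE_URLS = """# constructed sample of a squidGuard 'urls' file
example.com/ads/
www.example.net/track?id
"""


def parse_domains(text):
    """dstdomain entries: lowercase, scheme/port/path stripped, leading dot
    so subdomains match too. Blank and comment lines are skipped."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        line = re.sub(r"^[a-z]+://", "", line)
        host = line.split("/", 1)[0].split(":", 1)[0]
        if host:
            out.add(host if host.startswith(".") else "." + host)
    return sorted(out)


def parse_urls(text):
    """url_regex entries anchored at the URL start; the host may carry any
    subdomain prefix, and re.escape keeps '?' and '.' literal."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        line = re.sub(r"^[a-zA-Z]+://", "", line)
        host, _, path = line.partition("/")
        pattern = r"^https?://([^/]+\.)?" + re.escape(host.lower())
        if path:
            pattern += "/" + re.escape(path)
        out.add(pattern)
    return sorted(out)


def url_blocked(patterns, url):
    """What 'url_regex -i' would decide for a plain-HTTP request URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


def squid_acl_snippet(category, acl_dir):
    """squid.conf lines for one category. The url_regex rule only sees full
    URLs on plain HTTP (or bumped) requests; with 'ssl_bump splice all' the
    only handle on HTTPS is the SNI, matched by ssl::server_name at step 2,
    so the terminate rule must sit after 'ssl_bump peek step1' and before
    'ssl_bump splice all'."""
    dom = os.path.join(acl_dir, f"{category}.domains")
    url = os.path.join(acl_dir, f"{category}.urls")
    return "\n".join([
        f'acl {category}_dom dstdomain "{dom}"',
        f'acl {category}_url url_regex -i "{url}"',
        f'acl {category}_sni ssl::server_name "{dom}"',
        f"http_access deny {category}_dom",
        f"http_access deny {category}_url",
        f"ssl_bump terminate {category}_sni",
    ])


def convert_category(category, domains_text, urls_text, acl_dir):
    """Write the two list files and return the squid.conf snippet."""
    os.makedirs(acl_dir, exist_ok=True)
    with open(os.path.join(acl_dir, f"{category}.domains"), "w") as fh:
        fh.write("\n".join(parse_domains(domains_text)) + "\n")
    with open(os.path.join(acl_dir, f"{category}.urls"), "w") as fh:
        fh.write("\n".join(parse_urls(urls_text)) + "\n")
    return squid_acl_snippet(category, acl_dir)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(convert_category("ads", SAMPLE_DOMAINS, SAMPLE_URLS, tmp))
```

The emitted `http_access deny` lines have to precede the allow rules for the client subnets, and the `ssl_bump terminate` line has to be ordered between the peek at step 1 and the splice-all rule, otherwise the earlier rule wins and the category is never consulted for HTTPS.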

          @shonjir:

          but a note in the help text would make this clearer.

Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it. :P (Try clicking the blue "i")

pfsensation

            Thanks for the fantastic work Doktornotor. I am loving the new updates to Squid and how user friendly you are making it. Even the small things like the explanation. Helps me out a lot! Thanks again mate!

EDIT: I'm having issues with splice all messing up certain apps such as Telegram, or Instagram (sometimes). On Telegram it was getting no connection to their servers at all; I turned off the splice all setting. Everything worked perfectly. Put it back on, messages went through, images didn't work. Turned splice all off, images, everything worked… It's very strange.

doktornotor

              Not using Telegram or Instagram (or Facebook, or Twitter). Will be of no help there. Maybe someone else.

shonjir

                @doktornotor:

Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it. :P (Try clicking the blue "i")

Actually I did read them, but the descriptions didn't seem fully clear to me. ???

I do appreciate the updates however - they're working great. 8)

kopraasbotha

Hi all, please can someone explain which settings on the GUI I should change to be able to do the same SSLbump without MITM like the OP? I too don't want any certs on clients but want to block HTTPS sites.

Bismarck

                    @kopraasbotha

[screenshot: aec3f373-cb7d-4e75-8484-130662f5ad20-image.png]

Just set Splice All, that's it.

kopraasbotha

@Bismarck, I've tried this. There are still so many SSL cert errors on the workstations. Is there any other fine-tuning I could do?
[screenshot: 2139effc-19f4-478b-8699-a5b8c569839d-image.png]

Bismarck

                        @kopraasbotha said in SSLBUMP without MITM:

                        SSL cert errors

There should be none. What kind of SSL cert errors do you get, for example?

kopraasbotha

@Bismarck, thanks for the quick reply. I get the below:

[screenshot: c5ddaff5-6ddc-4118-a770-68eabc625d28-image.png]

Bismarck

                            @kopraasbotha

This looks like SslBump and not like SpliceAll to me, but I'm not a real Squid "Pro" tbh.

                            Do you have any custom config setup?

                            Please post the "# SslBump Peek and Splice" part of your /usr/local/etc/squid/squid.conf

kopraasbotha

@Bismarck, I didn't add any custom config. Here's the "sslbump peek and splice" config:

                              acl step1 at_step SslBump1
                              acl step2 at_step SslBump2
                              acl step3 at_step SslBump3
                              acl allowed_subnets src 10.11.0.0/21 10.0.0.0/24
                              acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
                              http_access allow manager localhost

                              http_access deny manager
                              http_access allow purge localhost
                              http_access deny purge
                              http_access deny !safeports
                              http_access deny CONNECT !sslports

Bismarck

                                @kopraasbotha

                                Yep, your config is SslBump and not Splice, but dunno why. Maybe some more expert can chime in.

                                https://wiki.squid-cache.org/Features/SslPeekAndSplice

kopraasbotha

@Bismarck, thanks for the help. I saw the ssl_bumps just underneath "custom options before auth", but there's a 2-line space between this section and the config, so I'm not sure if it's part of it.

                                  Custom options before auth

                                  acl sglog url_regex -i sgr=ACCESSDENIED
                                  http_access deny sglog
                                  ssl_bump peek step1
                                  ssl_bump splice all

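Whether a fragment like the one above is really "splice all" can be checked mechanically rather than by eye. The following is an added example in Python, not pfSense or Squid code. It implements the step-by-step rule evaluation documented on the SslPeekAndSplice wiki page linked earlier in the thread, embeds the peek/splice fragment from this thread as a constructed string, and adds a constructed bump-by-default fragment for contrast. ACLs other than `at_step` and `all` are enumerated both ways, so `possible_outcomes()` reports every final action any client could reach; the ACL name, SNI pattern and the fallback for a non-final action at step 3 are assumptions of the example.

```python
"""Dry-run Squid's ssl_bump decision for a squid.conf fragment.

Added example, not pfSense or Squid code. It models the rule evaluation
described on the SslPeekAndSplice wiki page linked in this thread: at
each of steps SslBump1..3 the first ssl_bump rule whose ACLs all match
wins; splice, bump and terminate are final, peek and stare carry the
decision to the next step, and with no matching rule Squid tunnels the
connection without decrypting it (its documented default).
"""
from itertools import product

STEPS = ("SslBump1", "SslBump2", "SslBump3")
FINAL = {"splice", "bump", "terminate"}

# Constructed from the config posted in this thread: peek at step 1 (which
# reveals the client's SNI), then splice everything, i.e. no MITM at all.
THREAD_CONF = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice all
"""

# Constructed counter-example: bump by default, splice a whitelist by SNI.
BUMP_CONF = """
acl step1 at_step SslBump1
acl whitelist ssl::server_name .bank.example
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all
"""


def parse(conf):
    """Collect at_step ACLs and ssl_bump rules, in file order."""
    step_acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "at_step":
            step_acls[parts[1]] = parts[3]
        elif len(parts) >= 2 and parts[0] == "ssl_bump":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return step_acls, rules


def _matches(term, step, step_acls, facts):
    negated, name = term
    if name == "all":
        value = True
    elif name in step_acls:
        value = step_acls[name] == step
    else:
        value = facts[name]  # KeyError: an ACL you have not decided on
    return value != negated


def decide(step, rules, step_acls, facts):
    """First matching rule wins (all ACLs on one rule are ANDed)."""
    for action, terms in rules:
        if all(_matches(t, step, step_acls, facts) for t in terms):
            return action
    return "splice"  # default: become a TCP tunnel, no decryption


def simulate(conf, facts):
    """facts maps every non-step ACL the rules use to True/False.
    Returns the per-step trace, the final action and any wiki caveat hit."""
    step_acls, rules = parse(conf)
    trace, warnings, prev = [], [], None
    for step in STEPS:
        action = decide(step, rules, step_acls, facts)
        if step == "SslBump3" and action not in FINAL:
            action = "splice"  # assumption: non-final step-3 action falls back to the default
        if step == "SslBump3" and prev == "peek" and action == "bump":
            warnings.append("peek at step 2 usually precludes bumping")
        if step == "SslBump3" and prev == "stare" and action == "splice":
            warnings.append("stare at step 2 usually precludes splicing")
        trace.append((step, action))
        if action in FINAL:
            break
        prev = action
    return {"trace": trace, "outcome": trace[-1][1], "warnings": warnings}


def possible_outcomes(conf):
    """Every final action reachable for some combination of ACL matches.
    {'splice'} means this fragment can never bump (MITM) any client."""
    step_acls, rules = parse(conf)
    names = sorted({n for _, terms in rules for _, n in terms
                    if n != "all" and n not in step_acls})
    outcomes = set()
    for values in product((False, True), repeat=len(names)):
        outcomes.add(simulate(conf, dict(zip(names, values)))["outcome"])
    return outcomes


if __name__ == "__main__":
    print(simulate(THREAD_CONF, {}))       # ends in splice at step 2
    print(possible_outcomes(THREAD_CONF))  # {'splice'}
    print(possible_outcomes(BUMP_CONF))    # {'bump', 'splice'}
```

Run against the thread's fragment the only reachable outcome is splice, so Squid never presents its own certificate on that path; certificate warnings on the workstations would then have to come from something other than this fragment's bumping. The warnings list surfaces the wiki's caveat that peeking at the server at step 2 usually rules out bumping at step 3, which is the classic mistake when people try to mix peek and bump.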
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.