SSLBUMP without MITM
-
And the issue is exactly what? TAG_NONE/XXX means spliced connection. It works. Really nothing to fix here. This is a TCP tunnel, Squid won't handle any HTTP there.
http://squid-web-proxy-cache.1019090.n4.nabble.com/TAG-NONE-xxxx-td4672150.html
If you have issues with some sites, you'll need to use some custom ACL and custom config for that at the moment, I'm afraid.
-
And the issue is exactly what? TAG_NONE/XXX means spliced connection. It works. Really nothing to fix here. This is a TCP tunnel, Squid won't handle any HTTP there.
http://squid-web-proxy-cache.1019090.n4.nabble.com/TAG-NONE-xxxx-td4672150.html
If you have issues with some sites, you'll need to use some custom ACL and custom config for that at the moment, I'm afraid.
I have tested it for a long time on the old version
I have tested the following settings
I used 2 different settings:

acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all

# peek at TLS/SSL connect data
# splice: no active bumping
acl bump_step1 at_step SslBump1
ssl_bump peek bump_step1 all
ssl_bump splice all
sslproxy_cert_error deny all
ssl_bump splice whitelist
ssl_bump bump all

There are too many reverse IP addresses in the Squid logs.
So the lightsquid report is mixed.
Maybe it's about reverse proxy.
It works fine at startup
But there are some page faults that are sometimes not found when using for a long time.
(Google search result after clicking on page unresponsive or https sites sometimes very slow)
I think squid is having trouble with https dns resolution.
I only saw problems with Windows PCs.
I have not received any errors on iOS and Android mobile devices.
This is the reason for not continuing with WPAD for PCs.
But mobile devices can use it.
We can do the ACL setting, but we need to enter too many HTTPS domains from the GUI.
A difficult and problematic job.
But I added some sites to the Squid ACL whitelist.
I'm not sure we're adding it this way.
.google.com
..google.com.tr
Please manually enter an external DNS on Windows computers and test.
This problem is a bit strange.
Sometimes a page-not-found or very slow browser problem.
For example 8.8.8.8 or OpenDNS.
Maybe we can solve this problem with a pfSense redirection rule for all the DNS requests.
-
Please, start your own thread. DNS issues are totally off-topic here. Also, this thread is NOT about reverse proxy, at all. Thanks.
Finally, as noted above and linked on the Squid ML, the log is absolutely normal, expected and there is nothing that could be done here. If you don't want things spliced, then don't use splice. If you don't want logs, don't log. If you need logs filtered, you'll need to filter them as you need. And if you want something better than TAG_NONE in logs, you'll need to get that implemented upstream.
-
OK, how's this?
https://github.com/pfsense/FreeBSD-ports/pull/269
This is awesome, thanks @doktornotor! I'll be installing this package and testing shortly.
Edit: Package works great! One thing I noticed is that custom MITM options only get added when 'custom' mode is set - the package works fine as is, but a note in the help text would make this clearer.
Thanks again!
-
From the history there it looks like it had a similar problem to squidGuard. Whatever happens, it needs a ground-up rewrite with up-to-date style and practices all-around.
Yeah. The XMLs in the linked e2guardian PR would be a good starting point to get a grip of potential feature set. The PHP code there still needs major work, though it must have been a lot better than SquidGuard, considering I've been able to somehow finish the code style at least. :P
Maybe the right solution isn't to rewrite/replace squidGuard but to abandon it altogether?
There's at least one provider of blocklists that provides Squid ACL format, so from a blocklist/whitelist perspective it seems the necessary functionality is there - what's lacking is translation of the categorized blocklists into Squid ACLs.
It seems that an interface to translate existing squidGuard blocklist format and category management into the necessary ACLs might bridge the gap nicely. The e2 package might provide base for this.
Is this an approach that might be feasible?
-
but a note in the help text would make this clearer.
Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it. :P (Try clicking the blue "i")
-
Thanks for the fantastic work Doktornotor. I am loving the new updates to Squid and how user friendly you are making it. Even the small things like the explanation. Helps me out a lot! Thanks again mate!
EDIT : I'm having issues with splice all messing up certain apps such as Telegram, or Instagram (sometimes). On Telegram it was getting no connection to their servers at all, I turned off the splice all setting. Everything worked perfectly, put it back on, messages went through, images didn't work. Turned splice all off, images, everything worked…It's very strange.
-
Not using Telegram or Instagram (or Facebook, or Twitter). Will be of no help there. Maybe someone else.
-
Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it. :P (Try clicking the blue "i")
Actually I did read them, but the descriptions didn't seem to be fully clear to me. ???
I do appreciate the updates however - they're working great. 8)
-
Hi All, please can someone explain which settings on the GUI I should change to be able to do same SSLbump without MITM like the OP? I too don't want any certs on clients but want to block HTTPS sites.
-
Just set Splice All, that's it.
-
@Bismarck, I've tried this. There are still so many SSL cert errors on the workstations. Is there any other fine-tuning I could do?
-
@kopraasbotha said in SSLBUMP without MITM:
SSL cert errors
There should be none; what kind of SSL cert errors do you get, example?
-
@Bismarck thanks for the quick reply. I get the below:
-
This looks like SslBump and not like SpliceAll to me, but I'm not a real Squid "Pro" tbh.
Do you have any custom config setup?
Please post the "# SslBump Peek and Splice" part of your /usr/local/etc/squid/squid.conf
-
@Bismarck i didn't add any custom config. Here's the "sslbump peek and splice" config:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl allowed_subnets src 10.11.0.0/21 10.0.0.0/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
-
Yep, your config is SslBump and not Splice, but dunno why. Maybe some more expert can chime in.
https://wiki.squid-cache.org/Features/SslPeekAndSplice
-
@Bismarck, thanks for the help. I saw the ssl_bumps just underneath "custom options before auth", but there's a 2-line space between this section and the config, so I'm not sure if it's part of it.
Custom options before auth
acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog
ssl_bump peek step1
ssl_bump splice all
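An added example, not from this thread or the pfSense Squid package: a squid.conf fragment that keeps the peek-at-step1/splice pattern shown in the config above and answers the earlier question about blocking HTTPS sites without putting any CA on the clients. The blocked domain is a placeholder; `ssl::server_name` and the `terminate` action require Squid 3.5 or later.

```conf
# Block selected HTTPS sites without MITM: peek at the TLS ClientHello
# only, never bump, so no forged server certificate is ever generated.
# Assumes Squid 3.5+ (ssl::server_name ACL and the terminate action).

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Hypothetical block list; replace with your own domains or a file.
acl blocked_tls ssl::server_name .blocked.example
# Explicit-proxy clients also name the host in the CONNECT request,
# so the same list can be enforced on the CONNECT itself.
acl blocked_connect dstdomain .blocked.example

# Refuse the CONNECT up front for explicit-proxy clients.
http_access deny CONNECT blocked_connect

# Step 1: peek so Squid reads the SNI from the ClientHello.
ssl_bump peek step1
# Step 2: close the connection for blocked names, splice everything else.
ssl_bump terminate blocked_tls
ssl_bump splice all
```

Because a blocked site is terminated rather than bumped, clients see a plain connection failure instead of a certificate warning, which is the expected behaviour when no CA is deployed. Spliced connections will still appear in access.log with TAG_NONE or TCP_TUNNEL, as explained earlier in the thread.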