Re: [squid-users] Squid sslBump traffic inspection

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 12 Jun 2009 03:04:45 +1200

Alex Font wrote:
> Hi All,
>
> I've recently installed Squid 3.1 and configured with sslBump feature in
> order to inspect the https traffic using the squid-in-the-middle method,
> (for legal purposes).
> The browser gets the certificate right (fake certificate), but when i make
> a tcpflow to see the http headers, i see all the traffic encrypted... is
> there a way to inspect the traffic? what i'm doing wrong?

SslBump does not prevent traffic being encrypted.
It decrypts _inside_ squid and re-encrypts on the outbound.

>
> I configured squid sslBump feature as follows:
>
> ########################
> log_mime_hdrs on
> debug_options ALL,9
> #########################
> #visible_hostname localhost
> ssl_bump allow all
> acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BogusError
> sslproxy_cert_error deny all
> always_direct allow all
> ########################################################################
> cache_store_log /usr/var/logs/store.log
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.26.0.0/16 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
> #http_port 3128
> http_port 3128 sslBump cert=/usr/etc/nova.pem
> hierarchy_stoplist cgi-bin ?
> refresh_pattern ^http: 1440 20% 10080 override-expire override-lastmod
> reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
> refresh_pattern ^https: 1440 20% 10080 override-expire override-lastmod
> reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> coredump_dir /usr/var/cache
>
> I also tried with c-icap server and configured Squid as a client of it,
> but i receive a lot of error such as:
>
> Laucher.cc(72) noteAdaptationQueryAbort: cannot retry the failed ICAP
> xaction; tries: 1; final: 1;
> AsyncJob.cc(218) dial: Adaptation::Icap::Xaction::noteCommConnected threw
> exception: cannot connect to ICAP service.

Well, there is your problem. Squid "cannot connect to ICAP service" when
you configured it to do so. Fix that and the ICAP service receives the
decrypted traffic.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Received on Thu Jun 11 2009 - 15:04:57 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 11 2009 - 12:00:03 MDT