Proxy Squid - Splice All

Started by querli, July 14, 2017, 03:00:20 PM

Hello all...

In Squid 3.5 it is possible to handle a TLS connection with splice all. In this case Squid opens a TCP tunnel without decoding the connection. In squidguard (I know OPNsense doesn't use squidguard) it is possible to block these connections with a blacklist (for example shallalist) like every html connection. If I tick "Log SNI information only" I can see in /usr/local/etc/squid/squid.conf that this is not the splice all action. Is there a way to block HTTPS connections without decoding the connection?

Thx.

Hi querli,

The option should set splice all:

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L70

It needs SSL bump and SNI options, also a valid certificate.

I am unaware of a problem in this area, so maybe the configuration simply needs a tweak to get it to work. :)


Cheers,
Franco

Thx Franco for the fast answer.

The problem is that I often receive cert errors from different sites (HSTS). Yes, I can put an entry in the SSL no-bump sites... but I don't want to know the content of the connection, I only want to block entries from the blacklist, even for HTTPS...


I'm going to try this. If this works, maybe it is possible to add this feature to the GUI.

Ah, it may be a little different from what you expect; I am no expert here, so that eludes me. :) A snippet for squid.conf that works would help to find out what your expectation is and how to get it into the GUI as an easy option.


Thanks,
Franco
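As an added example (not from this thread and not OPNsense's own squid.conf template), here is a Squid 3.5 squid.conf fragment that does what querli describes: peek at the ClientHello to learn the SNI, terminate the connection if the SNI is on a blocklist, and splice everything else so the traffic is never decrypted. The listening port, CA certificate path and blocklist path are assumptions; the blocklist file is constructed for the example.

```squid
# Added example, not from the thread or the OPNsense template.
# Port and file paths are assumptions; adjust to the local install.
# ssl-bump still needs a CA cert on the port even though nothing is bumped.
http_port 3128 ssl-bump cert=/usr/local/etc/squid/ca.pem

# The two TLS handshake stages Squid can act on
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Constructed blocklist: one hostname per line, dstdomain style,
# so ".example.com" also covers its subdomains. A shallalist category
# converted to this format would work the same way.
acl blocked_sni ssl::server_name "/usr/local/etc/squid/blocked_sni.txt"

# Step 1: read the ClientHello (this is where the SNI becomes known)
ssl_bump peek step1
# Step 2: SNI is available now; drop blocklisted destinations
ssl_bump terminate blocked_sni
# Everything else: plain TCP tunnel, never decrypted ("splice all")
ssl_bump splice all
```

Because the handshake is never forged, there are no certificate or HSTS errors for allowed sites; a terminated connection simply fails in the browser rather than showing a Squid block page, since no page can be injected into a spliced connection. Clients that omit SNI cannot be matched by name this way and fall through to splice.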