Proxy Squid - Splice All

[querli]

Hallo all...

In Squid 3.5 it is possible to handle a TLS connection with splice all. In this case squid opens a TCP tunnel without decoding the connection. In squidguard (I know opnsense don't use squidguard) it is possible to block these connection with a blacklist (for example shallalist) like every html connection. If I tick Log SNI information only i can see in /usr/local/etc/squid/squid.conf that this is not the splice all action. Is there a way to block https connection without decoding the connection?

Thx.

[franco]

Hi querly,

The option should set splice all:

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L70

It needs SSL bump and SNI options, also a valid certificate.

I am unaware of a problem in this area, so maybe the configuration simple needs a tweak to get it to work.


Cheers,
Franco

[querli]

Thx franco for the fast answer.

The problem is, that I often receive cert errors from different sides (hsts). Yes I can put an entry in the SSL no bump sites ... but I don't want to know the content of the connection I only want to block entries form the blacklist even for https...


I' going to try this. If this works maybe it is possible to add this feature in the gui.

[franco]

Ah, it may be a little different from what you expect, I am no expert here so that eludes me. A snippet for squid.conf that works would help to find out what your expectation is and how to get it into the GUI as an easy option.


Thanks,
Franco