I am testing Squid proxy capabilities. I configured ssl_bump in the latest version, 6.6, and now I can see my access.log has both HTTPS and HTTP request logs, but at the same time apps like LinkedIn and Slack are not working (I guess because of SSL pinning).
If I ssl_bump splice this list of domains, then these apps work. But I am working on making a DLP service, so I need more coverage over requests to these domains; that's why I'm doing ssl_bump.
I want something like: if it can decrypt the traffic (e.g. when traffic is from a browser) then it should decrypt, and when it can't decrypt (e.g. from applications) then it shouldn't decrypt. I can't splice all of these domains, because then I won't be able to intercept browser traffic either. Any suggestions here? How do I solve it?
I'm attaching my current squid.conf:
```
## List of broken sites to not ssl_bump, but this will also ignore requests from browser :(
acl broken_sites ssl::server_name "/etc/squid/broken_sites.txt"
ssl_bump splice broken_sites
acl step1 at_step SslBump1
# Peek at step 1 so the TLS SNI is available for later rules.
ssl_bump peek step1
# Everything that is not spliced above gets bumped (decrypted) at step 2.
ssl_bump bump all
http_port 3128 \
    tcpkeepalive=60,30,3 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=20MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
sslcrtd_children 5
# server-first is the legacy bumping mode; with "ssl_bump bump all" above, this
# line is never reached.
ssl_bump server-first all
# Note: this accepts any upstream server certificate (expired, untrusted, wrong
# name), so the proxy itself no longer validates the sites it decrypts.
sslproxy_cert_error allow all
```
I already tried
```
acl broken_sites ssl::server_name "/etc/squid/broken_sites.txt"
ssl_bump splice broken_sites
```
and I was expecting it to ignore traffic for the domains listed in broken_sites.txt if it's a CONNECT request (from applications), but this is also ignoring traffic from browsers. So, I can't use it.
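One way to get the "splice the pinned apps, but still bump browsers" behaviour the question asks for. This is an added example, not the poster's configuration: it keeps the file paths from the question, but the ACL names are made up here, and it rests on one assumption that should be verified in your own access.log, namely that browsers send a User-Agent header on the CONNECT request itself (Squid can match that header with req_header while it evaluates ssl_bump rules for an explicit forward proxy), whereas the pinned native clients send none or a different one.

```squid
# Added example: per-client ssl_bump decision for an explicit proxy on port 3128.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Domains whose native apps pin certificates, one per line (same file as the question).
acl broken_sites ssl::server_name "/etc/squid/broken_sites.txt"

# Assumed heuristic: mainstream browsers send "User-Agent: Mozilla/..." on CONNECT.
# Adjust the pattern to what your own logs show for the clients you must inspect.
acl browser_connect req_header User-Agent -i ^Mozilla/

# Step 1: peek, so the TLS SNI is seen and can be checked against the CONNECT host.
ssl_bump peek step1

# Step 2: splice the pinned-app domains only when the client does not look like a
# browser; browser traffic to those same domains falls through and is bumped.
ssl_bump splice broken_sites !browser_connect
ssl_bump bump all

http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=20MB \
    cert=/etc/squid/ssl_cert/myCA.pem

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
sslcrtd_children 5

# Deliberately no "sslproxy_cert_error allow all": the default (deny) keeps the
# proxy validating upstream certificates, so a DLP inspection point does not
# itself accept forged or expired server certificates on the users' behalf.
```

To check that the rules do what you expect, make one CONNECT to a listed domain with a browser and one with curl (which sends a `curl/...` User-Agent), then compare access.log: the spliced connection appears only as a single CONNECT tunnel entry, while the bumped one is followed by decrypted request lines with an https URL. Two caveats: the User-Agent test is a heuristic, not a security boundary, so a client can claim to be a browser and still fail on its pinned certificate; and Electron-based desktop apps also present a Mozilla/... Chrome/... User-Agent, so for those you will need a narrower pattern taken from the CONNECT headers you actually observe.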