2025-09-14 21:52:36 +00:00
# [E21 site] Intercept on www.tumblr.com has no effect, certificate not replaced

| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-461 | 2022-04-21T21:53:38.000+0800 | 卢文朋 | Closed |

---
The customer configured batch intercept for multiple websites; only the intercept policy for tumblr.com has no effect. On site I configured a policy and retested: there is no intercept effect, but there are policy-hit logs.

The policy configuration details, session logs and policy-hit logs are uploaded as attachments.

Please have HQ check whether the configuration is wrong and retest to see whether the same phenomenon also occurs at HQ.

---

**dongxiaoyan** commented on *2022-04-22T10:56:37.996+0800*:

Xinxigang (信息港) retest:

Policy id: 18525, filter is sni:*tumblr.com; Keyring and Decryption Profile use the default configuration:

Logs were produced; the intercept state in the log is SSL.Intercept State: Intercept.

No log was produced with SSL.SNI www.tumblr.com and an empty intercept state:

!screenshot-1.png|thumbnail! !screenshot-2.png|thumbnail!

Xinxigang has an intercept exclusion: !image-2022-04-22-13-17-49-906.png|thumbnail!

---
**luwenpeng** commented on *2022-04-22T12:51:47.202+0800*:

[~liuju] From the screenshot below: test traffic hit the intercept policy and produced 22 intercept log entries.

!screenshot-4.png|thumbnail!

Further analysis of the Security Events log shows that the SNI of all 22 intercept log entries is a tumblr.com subdomain; none of them is the main site www.tumblr.com.

!image-2022-04-22-14-44-40-378.png|thumbnail!

Further checking the SSL Decryption Exclusions (the whitelist of traffic excluded from decryption) shows that $www.tumblr.com is on TSG's decryption exclusion whitelist.

!image-2022-04-22-14-49-27-980.png|thumbnail!

The decryption exclusion whitelist has higher priority than the intercept policy.

When the intercept policy's SNI is *tumblr.com:

When a tumblr.com subdomain is visited, the SNI hits the intercept policy's *tumblr.com, so the certificate is replaced;

When the main site www.tumblr.com is visited, the SNI hits the decryption exclusion whitelist entry $www.tumblr.com, so the certificate is not replaced.

Addendum: in the Xinxigang environment, after www.tumblr.com was deleted from the decryption exclusion whitelist, the proxy was able to intercept successfully.

---
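The rule precedence described in luwenpeng's comment above, and restated in liuyang's root-cause comment below (the SSL Decryption Exclusions list is consulted before the SNI intercept policy, so an excluded host is never certificate-replaced even though `sni:*tumblr.com` matches it), modelled as an added Python example. This is not TSG code and not part of the original ticket. It assumes that a `$`-prefixed exclusion entry is an exact-hostname match, that the intercept filter is a shell-style glob, and that the record fields mirror the `SSL.SNI` / `SSL.Intercept State` columns of the Security Events log; policy 18525, exclusion record 195 and the `$123456.tumblr.123456` workaround are taken from the ticket, while the subdomain SNIs other than www.tumblr.com and tumblr.com are constructed. One caveat worth checking against the real product: with plain globbing `*tumblr.com` also matches a host such as `nottumblr.com`; the ticket does not say whether TSG anchors the filter at a label boundary, so the example makes that choice an explicit `label_anchored` switch and shows both behaviours. Running the module prints the intercept state per SNI before and after the workaround.

```python
"""Model of the rule precedence observed in OMPUB-461.

Added example, not TSG code. Assumptions (not stated in the ticket):
  * a "$"-prefixed SSL Decryption Exclusion entry is an exact hostname;
  * the intercept filter "sni:*tumblr.com" is a shell-style glob;
  * the exclusion list is consulted before any intercept policy.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class InterceptPolicy:
    policy_id: int
    sni_filter: str  # glob, e.g. "*tumblr.com" (policy 18525 in the ticket)


@dataclass(frozen=True)
class DecryptionExclusion:
    exclusion_id: int
    name: str  # e.g. "$www.tumblr.com" (record 195 in the ticket)

    def hostname(self) -> str:
        # Assumption: the leading "$" is list notation, not part of the hostname.
        return self.name[1:] if self.name.startswith("$") else self.name


def normalize(sni: str) -> str:
    """SNI comparison is case-insensitive; a trailing dot is not significant."""
    return sni.strip().rstrip(".").lower()


def sni_matches(host: str, pattern: str, label_anchored: bool) -> bool:
    """Match a normalized host against a policy filter.

    With label_anchored=True a leading "*" may only stand for whole DNS labels,
    so "*tumblr.com" matches "tumblr.com" and "www.tumblr.com" but not
    "nottumblr.com". Otherwise plain fnmatch semantics apply and it does.
    """
    pattern = pattern.lower()
    if label_anchored and pattern.startswith("*"):
        suffix = pattern[1:]
        if suffix.startswith("."):
            return host.endswith(suffix)
        return host == suffix or host.endswith("." + suffix)
    return fnmatchcase(host, pattern)


def evaluate(sni, exclusions, policies, label_anchored=False) -> dict:
    """Return a Security-Events-style record for one TLS ClientHello.

    Exclusions are checked first: a hit yields an empty intercept state and no
    certificate replacement, which is what the ticket's www.tumblr.com sessions
    showed. Only then are intercept policies consulted, in order.
    """
    host = normalize(sni)
    for ex in exclusions:
        if normalize(ex.hostname()) == host:
            return {"SSL.SNI": host, "SSL.Intercept State": "",
                    "matched": f"exclusion {ex.exclusion_id}"}
    for pol in policies:
        if sni_matches(host, pol.sni_filter, label_anchored):
            return {"SSL.SNI": host, "SSL.Intercept State": "Intercept",
                    "matched": f"policy {pol.policy_id}"}
    return {"SSL.SNI": host, "SSL.Intercept State": "", "matched": None}


# Constructed sample SNIs; only www.tumblr.com and tumblr.com appear in the ticket.
SAMPLE_SNIS = ["www.tumblr.com", "assets.tumblr.com", "static.tumblr.com",
               "tumblr.com", "nottumblr.com"]


def ticket_scenario(exclusion_name="$www.tumblr.com", label_anchored=False) -> dict:
    """Intercept state per SNI for the ticket's configuration.

    Pass exclusion_name="$123456.tumblr.123456" to reproduce the workaround of
    pointing the undeletable preset exclusion at a non-existent domain.
    """
    policies = [InterceptPolicy(18525, "*tumblr.com")]
    exclusions = [DecryptionExclusion(195, exclusion_name)]
    return {s: evaluate(s, exclusions, policies, label_anchored)["SSL.Intercept State"]
            for s in SAMPLE_SNIS}


def intercepted_hosts(states: dict) -> list:
    """Hosts whose certificate would be replaced, sorted for stable comparison."""
    return sorted(h for h, st in states.items() if st == "Intercept")


if __name__ == "__main__":
    for name in ("$www.tumblr.com", "$123456.tumblr.123456"):
        print(f"exclusion 195 = {name}")
        for host, state in ticket_scenario(name).items():
            print(f"  SSL.SNI={host:<20} SSL.Intercept State={state or '(empty)'}")
```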
**dongxiaoyan** commented on *2022-04-22T16:08:47.340+0800*:

In the Xinxigang test environment, after modifying the intercept exclusion record with id 195 and name $www.tumblr.com, the test intercepts normally and replaces the certificate.

---
**liuyang** commented on *2022-04-24T15:59:27.508+0800*:

Cause: TSG supports not decrypting specific websites (for commercial, privacy and other reasons); these are placed in the decryption exclusion list (SSL Decryption Exclusions). www.tumblr.com is in the decryption exclusion list, so its certificate was not replaced.

Fix: if the customer wants to intercept this website, the $www.tumblr.com entry in the decryption exclusion list can be disabled. (At present the preset entries cannot be deleted, only modified. A later version will support deleting or disabling preset content as well; there is no need to tell the customer this specifically. For now the entry can be changed to a non-existent domain, for example $123456.tumblr.123456.)

!image-2022-04-24-15-56-53-064.png|width=522,height=234!

---
**zhengchao** commented on *2022-04-25T11:07:02.413+0800*:

The built-in decryption exclusion list should support deletion.

---
# Attachments
Attachment: image-2022-04-22-13-17-49-906.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: image-2022-04-22-14-44-40-378.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: image-2022-04-22-14-49-27-980.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: image-2022-04-24-15-56-53-064.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: screenshot-1.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: screenshot-2.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: screenshot-4.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: screenshot-5.png

|
2025-09-14 21:52:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2025-09-14 22:26:17 +00:00
|
|
|
|
Attachment: securityEvents.xlsx
[securityEvents.xlsx](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/27376/securityEvents.xlsx)

Attachment: 微信图片_20220421165628.png

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Attachment: 微信图片_20220421165646.png

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Attachment: 微信图片_20220421165701.png

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Attachment: 微信图片_20220421165752.png

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Attachment: 微信图片_20220421165758.png
