[squid-users] HTTPS Filtering and SSL-Bump

Jonathan Chretien jonathan_chretien at hotmail.com
Fri Apr 24 12:06:46 UTC 2015


Thanks.

I will give it a try.
___________________________________
Jonathan



----------------------------------------
> Date: Thu, 23 Apr 2015 19:39:05 -0300
> From: marcus.kool at urlfilterdb.com
> To: jonathan_chretien at hotmail.com; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] HTTPS Filtering and SSL-Bump
>
>
>
> On 04/23/2015 05:52 PM, Jonathan Chretien wrote:
>> Hi all.
>>
>> I'm trying to implement the filtering of https content for a particular url. The only thing that I'm trying to do is to unlock corporate video on the Youtube website. I do not want to unlock everything on Youtube but only our corporate stuff.
>>
>> The url looks like this: https://www.youtube.com/users/MyCompany.
>>
>> I'm using UFDBGuard as a url filter.
>>
>> The problem is that SSL-Bump is working well but the URL passed from Squid to UFDBGuard is the non SSL-Bump url. What I mean is that the URL that UFDBGuard is receiving is https://www.youtube.com:443 instead of the https://www.youtube.com/users/MyCompany.
>>
>> So because UFDBGuard is not receiving the complete SSL-Bump URL, UFDBGuard sees that it's Youtube.com, so it blocks the website. If UFDBGuard was receiving the real SSL-Bump url https://www.youtube.com/users/MyCompany, UFDBGuard would see that this url is whitelisted and should allow the access.
>
>
> This is not the full story.
> With SSLbump on, Squid sends to ufdbGuard first
> CONNECT www.youtube.com:443
> and then
> GET https://www.youtube.com/users/MyCompany
>
> ufdbGuard does not yet have support for this but you could whitelist
> www.youtube.com:443
> using a regular expression
> and whitelist https://www.youtube.com/users/MyCompany and a bunch of other URLs that are used for the markup of the entire page
> and blacklist a bunch of other youtube URLs to get the desired behavior.
>
> Whitelisting a subset of a website is usually not so straightforward so one needs to pay much attention to the "bunch of URLs" used in the whitelist and blacklist.
> I suggest to not blacklist www.youtube.com but start with blacklisting a few important URLs of youtube such that the effective result is that non-company access to Youtube is blocked.
>
> Marcus
> maintainer of ufdbGuard.
>
> PS: after you have done all this, you also need to block all web proxies which can be used to circumvent the intended Youtube block.
>
>
>> Log in the UFDBGuard.log
>> 2015-04-23 16:19:59 [10669] BLOCK MyUser 192.168.100.27 Internet movies www.youtube.com:443 CONNECT
>>
>> Is there something missing in my Squid.conf to pass the correct URL?
>>
>> http_port 192.168.100.2:3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl/mycert.com.private cert=/etc/squid/ssl/mycert.com.cert
>>
>> # SSL Bump Config
>> sslproxy_cert_error deny all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> sslcrtd_children 8 startup=1 idle=1
>>
>> acl sslBumpYoutube dstdomain www.youtube.com
>>
>> # SSL Bump Config
>> always_direct allow sslBumpYoutube
>> ssl_bump server-first sslBumpYoutube
>> ssl_bump none all
>>
>> Also all my users using the proxy are authenticated.
>>
>>
>> Thanks
>> ___________________________________
>> Jonathan
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
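
Added example, not part of the original thread and not ufdbGuard code: a Python model of the two requests Marcus describes (first CONNECT with only host:port, then GET with the full URL), showing why the whitelist needs an anchored rule for each stage. The helper line layout (`URL client_ip/fqdn user method`), the rule lists, the `/results` and `/feed/` patterns and the DEFER result are assumptions made for illustration.

```python
import re

# Assumed helper input line: "URL client_ip/fqdn user method".
# Rule lists are illustrative Python regexes, not ufdbGuard syntax.
CONNECT_ALLOW = [re.compile(r"^www\.youtube\.com:443$")]
GET_ALLOW = [
    # The trailing group stops /users/MyCompanyFake from matching.
    re.compile(r"^https://www\.youtube\.com/users/MyCompany(?:[/?#]|$)"),
]
GET_BLOCK = [  # constructed stand-ins for "a few important URLs"
    re.compile(r"^https://www\.youtube\.com/results(?:[/?#]|$)"),
    re.compile(r"^https://www\.youtube\.com/feed/"),
]


def decide(line):
    """Return ALLOW, BLOCK or DEFER (fall through to the normal categories)."""
    fields = line.split()
    if len(fields) < 4:
        return "BLOCK"  # malformed helper input: fail closed
    url, method = fields[0], fields[3].upper()
    if method == "CONNECT":
        # Before the bump only host:port is visible, so this stage can
        # only decide whether the tunnel may be opened at all.
        return "ALLOW" if any(r.search(url) for r in CONNECT_ALLOW) else "DEFER"
    # After the bump the full https:// URL arrives as a second request.
    if any(r.search(url) for r in GET_ALLOW):
        return "ALLOW"
    if any(r.search(url) for r in GET_BLOCK):
        return "BLOCK"
    return "DEFER"


# Constructed sample lines (client address and user reuse the log line above).
SAMPLE = [
    "www.youtube.com:443 192.168.100.27/- MyUser CONNECT",
    "https://www.youtube.com/users/MyCompany 192.168.100.27/- MyUser GET",
    "https://www.youtube.com/users/MyCompanyFake 192.168.100.27/- MyUser GET",
    "https://www.youtube.com/results?search_query=x 192.168.100.27/- MyUser GET",
    "www.youtube.com.example.net:443 192.168.100.27/- MyUser CONNECT",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(decide(sample_line), sample_line)
```
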

