[squid-users] Squid 3.5.5 ssl_bump and ufdbGuard

Stanford Prescott stan.prescott at gmail.com
Mon Jul 20 21:36:27 UTC 2015


This probably more rightly belongs in the ufdbGuard mailing list, but SF
has been down for several days and I cannot post there. There is a bit of
overlap with ssl_bump and ufdbGuard with one of the issues I am having.
Maybe someone here who uses ufdbGuard or squidGuard could help me?

I am trying to replace our implementation of the old squidGuard with
ufdbGuard on Smoothwall Express v3.1 firewall distro. I have gotten
ufdbGuard running and filtering with Squid 3.5.5 using ssl_bump. My
questions:

1. With ssl_bump and squidGuard I was able to use the urlfilter to block
https sites like facebook.com. Allowed https sites would load in my browser
without errors with ssl_bump and squidGuard active. With ssl_bump and
ufdbGuard it is a lot more complicated, it seems.

-With Squid+ssl_bump and ufdbGuard running I can access all HTTP sites without
errors. I cannot access any HTTPS sites at all. I get "Untrusted
connection" errors when trying to load any HTTPS site.

-If I restart squid without ssl_bump and ufdbGuard still running, I can
then access all HTTP and HTTPS sites and categories that I have blocked do
get blocked, but only HTTP sites. All HTTPS sites will load, but none get
blocked that are supposed to be.

-If I then restart squid+ssl_bump (and ufdbGuard still running) I can now
access all HTTP and HTTPS sites. Also, all HTTP and HTTPS sites that are
supposed to be blocked by category, like porn for instance, do get blocked
like they are supposed to be. Except for domains in the alwaysdeny category
(but that will be a question for another time).

-When ufdbGuard and squid+ssl_bump are started (in that order) I see
processes running for squid, ssl_crtd, and ufdbguardd. I do not see any
processes for squid_redirect and ufdbgclient. If I enter and load a website
and then check the processes running I then see squid_redirect and
ufdbgclient. Is that supposed to happen like that?

2. I am using the Shalla blacklists for testing. I haven't been able to
sign up for a URLfilterDB free trial because I only use yahoo.com and
gmail.com for my email. Plus, I don't want to pay for a subscription until
I know I have this working. When I convert the Shalla blacklists to ufdb
format using ufdbConvertDB, only the domains are converted to the ufdb
format (domains.ufdb). The urls files are not converted, even when using
the "-u urls" switch.

My current ufdbGuard.conf file is attached.
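As an added illustration of why the missing urls conversion matters (this is example code, not part of the post, ufdbGuard or squidGuard): a small lookup that builds one category from a Shalla-style directory with a "domains" file and a "urls" file. It assumes squidGuard-style semantics, namely that a domains entry covers the host and all its subdomains, while a urls entry is a scheme-less host/path prefix. Path-level entries can only ever match when the proxy sees the full URL, which for HTTPS means the connection was bumped; without ssl_bump only the host from CONNECT is available and only the domains list can apply.

```python
from urllib.parse import urlsplit

# Constructed sample lists in Shalla layout; not real blacklist content.
DOMAINS = """\
blocked.example
tracker.example
"""
URLS = """\
shared-host.example/forum/adult
mixed.example/ads/
"""


def load_list(text):
    """One entry per line, lower-cased, trailing slash and comments dropped."""
    return {line.strip().lower().rstrip("/") for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def host_path(url):
    """Split a URL into (host without leading 'www.', path)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path or "/"


def matches_domain(host, domains):
    # Assumed semantics: an entry covers the host itself and any subdomain.
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def matches_url(host, path, urls):
    # Assumed semantics: an entry is a prefix on host plus path.
    candidate = (host + path).rstrip("/")
    return any(candidate == u or candidate.startswith(u + "/") for u in urls)


def classify(url, domains=None, urls=None):
    """Return 'domain', 'url' or None, naming which list blocks the URL."""
    domains = load_list(DOMAINS) if domains is None else domains
    urls = load_list(URLS) if urls is None else urls
    host, path = host_path(url)
    if matches_domain(host, domains):
        return "domain"
    if matches_url(host, path, urls):
        return "url"
    return None
```

Running classify over a few URLs shows that losing the urls file changes nothing for hosts in the domains list but silently un-blocks every path-level entry.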