[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

Tom Mowbray tmowbray at dalabs.com
Wed Jun 24 17:46:27 UTC 2015


James,

Yes, as a matter of fact I have read through those exact posts and modeled
my config very similarly.  What I have found, however, is that when the
line "http_access allow SSL_ports" is placed above the ssl_bump stuff and
other ACLs (as you have it), it seems to simply allow ALL https without
doing any filtering whatsoever.


Thanks for the response.


---------------------------------
Tom Mowbray
*tmowbray at dalabs.com* <tmowbray at dalabs.com>
*703-829-6694*

On Wed, Jun 24, 2015 at 1:31 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2015-06-24 09:41 AM, Tom Mowbray wrote:
>
>> Squid 3.5.5
>>
>> I seem to have some confusion about how acl lists are processed in
>> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting
>> to use ssl_bump directives with transparent proxy.
>>
>> Based on available documentation, I believe my squid.conf is correct,
>> however it never seems to actually behave as expected.
>>
>> I define the SSL port, as usual:
>>
>> acl SSL_ports port 443
>>
>> But here's where my confusion lies... Many state to place the
>> following line above the ssl_bump configuration lines:
>>
>> http_access allow SSL_ports
>>
>> However when I do this, it appears to simply stop processing any other
>> rules and allows ALL https traffic through the proxy (which is
>> actually how I'd expect a standard ACL list to operate, but then how
>> do I actually filter the traffic though our content-based ACL lists?).
>>  If I put the above line below the ssl_bump configuration options in
>> my squid.conf, then it appears to BUMP all, even though I've told the
>> config to SPLICE all https traffic, which doesn't work for our
>> deployment.
>>
>> So, does squid actually continue to process the https traffic using
>> the ssl_bump rules if the "http_access allow SSL_ports" line is placed
>> above it in the configuration?
>>
>> I should note that we've been able to get filtering to work correctly
>> when using our configuration in NON-transparent mode, however our goal
>> is to get this functionality working as a transparent proxy.  We're
>> unable to load our self-signed cert onto client machines that will be
>> accessing the proxy, so using the "bump" or man-in-the-middle style
>> https filtering isn't a viable option for us.
>>
>> Any help or advice is appreciated!
>>
>> Thanks,
>>
>> Tom
>>
>
> Tom,
>
> You kinda have to change the way you think about filtering when it comes
> to Squid 3.5.5 and SSL(TLS).  Normal http traffic is easy... here's where
> we're trying to go and here's a list of places we're allowed to go... simple.
>
> Not so with SSL(TLS).  Squid can't filter, since Squid may or may not know
> where we're going... and that's the issue... it's where those ssl_bump atStep
> ACLs come in.  Some sites when you connect to them are easy-ish... when you
> connect your device sends a "Server Name Information" (SNI) that says where
> you're going.  Other sites don't have any information until you complete
> the SSL handshake (how can you filter a site name, until squid KNOWS the
> site or at least domain name?).
>
> If you're still wanting to go through with transparent (intercept) proxy
> with SSL, search through the list for my SSL Deep dive posts...that config
> is working for me so far (granted, not in an enterprise environment).
> However, as Amos said... if you choose not to install the cert on the
> client machines, you are either a) going to be out of luck on LOTS of
> websites because they will fail the SSL handshake, or b) teaching your
> users to ignore the security warnings of their browsers... neither of
> which is a good thing.
>
> Hope that helps.
>
> James
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>