[squid-users] sslBump somehow interferes with authentication
Eugene M. Zheganin
emz at norma.perm.ru
Wed Nov 11 18:12:38 UTC 2015
I have configured a simple ssl peek/splice on squid 3.5.10 for some simple
cases, but in my production setup, where the configs are complicated, it doesn't
work as expected - somehow it interferes with authentication.
Suppose we have a config like:
# weekdays (Mon-Fri), 18:00 to midnight
acl freetime time MTWHF 18:00-24:00
# destinations reachable without authentication
acl foo dst 192.168.0.0/16
acl bar dstdomain .bar.tld
# known users (proxy_auth requires credentials to be evaluated)
acl users proxy_auth steve
acl users proxy_auth mike
acl users proxy_auth bob
# never matches a real user; only used to trigger a specific deny_info page
acl unauthorized proxy_auth stringthatwillnevermatch
# the same blocklist, matched on the Host/URL domain and on the TLS SNI
acl block dstdomain "block.acl"
acl blockssl ssl::server_name "block.acl"
# first matching http_access line wins
http_access allow foo
http_access allow bar
http_access deny unauthorized
http_access allow blockssl users freetime
http_access allow block users freetime
http_access deny blockssl users
http_access deny block users
http_access allow users
http_access deny all
This is a part of an actually working config (with some local name
modifications, just to make it easier to read). This config is straightforward:
- foo and bar are allowed without authentication
- then explicit authentication occurs ('http_access deny
unauthorized' looks redundant, and yes, the config will work without
it, but the thing is that this ACL 'unauthorized' is used to display a
specific deny_info page for the users who fail to authorize).
- it allows browsing some usually blocked sites at certain times
- this config is sslBump-ready: a 'blockssl' ACL exists, which matches
site names on SNI.
Now I'm adding sslBump:
# peek at the TLS ClientHello first, so the SNI is available to 'blockssl'
acl step1 at_step SslBump1
ssl_bump peek step1
# bump (decrypt) only the blocklisted names, splice everything else
ssl_bump bump blockssl
ssl_bump splice all
As soon as I add sslBump, everything that is bumped starts to be
blocked by 'http_access deny unauthorized' (everything that's spliced
works as intended). And I completely cannot understand why. Yes, I can
remove this line, but this way I'm losing deny_info for specific cases
when someone fails to authorize, and besides, without sslBump it was
working, right? Please help me understand this and solve the issue.
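To make the ordering of the http_access lines above easier to reason about, here is a small evaluator for that ruleset. It is an added example, not code from the post or from Squid: it models Squid's first-match evaluation of http_access lines (every ACL on a line must match; the first fully matching line decides), and uses a simplified model of authentication ACLs in which a request without credentials that reaches an auth ACL as the last ACL of a deny line is answered with a 407 challenge (the deny_info case the poster relies on), while elsewhere the line simply does not match. The blocklist contents, hostnames, addresses and user names are constructed stand-ins; whether the bumped requests actually arrive at the 'deny unauthorized' line without credentials is exactly the open question of the post, the model only shows what happens to any request that does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Result of evaluating one ACL against a request.
MATCH, NO_MATCH, NEED_AUTH = "match", "no_match", "need_auth"


@dataclass
class Request:
    """Subset of request properties the ACLs in the post look at (constructed model)."""
    dst_ip: str
    host: str                    # dstdomain / ssl::server_name (SNI)
    weekday: str                 # Squid time-ACL letter: S M T W H F A
    hour: int                    # 0-23, local time
    user: Optional[str] = None   # None models a request carrying no Proxy-Authorization


def acl_time(days: str, start: int, end: int) -> Callable[[Request], str]:
    return lambda r: MATCH if r.weekday in days and start <= r.hour < end else NO_MATCH


def acl_dst(cidr: str) -> Callable[[Request], str]:
    net = ipaddress.ip_network(cidr)
    return lambda r: MATCH if ipaddress.ip_address(r.dst_ip) in net else NO_MATCH


def acl_dstdomain(patterns) -> Callable[[Request], str]:
    def check(r: Request) -> str:
        for p in patterns:
            # A leading dot matches the domain itself and every subdomain of it.
            if p.startswith("."):
                if r.host == p[1:] or r.host.endswith(p):
                    return MATCH
            elif r.host == p:
                return MATCH
        return NO_MATCH
    return check


def acl_proxy_auth(usernames) -> Callable[[Request], str]:
    def check(r: Request) -> str:
        if r.user is None:       # no credentials: the proxy cannot decide, it must challenge
            return NEED_AUTH
        return MATCH if r.user in usernames else NO_MATCH
    return check


# Constructed stand-in for the contents of "block.acl" (assumption, not from the post).
BLOCK_ACL = [".blocked.example"]

ACLS = {
    "freetime": acl_time("MTWHF", 18, 24),
    "foo": acl_dst("192.168.0.0/16"),
    "bar": acl_dstdomain([".bar.tld"]),
    "users": acl_proxy_auth({"steve", "mike", "bob"}),
    "unauthorized": acl_proxy_auth({"stringthatwillnevermatch"}),
    "block": acl_dstdomain(BLOCK_ACL),
    "blockssl": acl_dstdomain(BLOCK_ACL),   # SNI is matched the same way in this model
}

# The http_access lines from the post, in order; the first matching line wins.
HTTP_ACCESS = [
    ("allow", ["foo"]),
    ("allow", ["bar"]),
    ("deny", ["unauthorized"]),
    ("allow", ["blockssl", "users", "freetime"]),
    ("allow", ["block", "users", "freetime"]),
    ("deny", ["blockssl", "users"]),
    ("deny", ["block", "users"]),
    ("allow", ["users"]),
    ("deny", ["all"]),
]


def http_access(req: Request):
    """Return (decision, index of the deciding line); decision is allow, deny or challenge."""
    for i, (action, names) in enumerate(HTTP_ACCESS):
        for pos, name in enumerate(names):
            result = MATCH if name == "all" else ACLS[name](req)
            if result == MATCH:
                continue
            # Simplified model (assumption): missing credentials on the last ACL of a
            # deny line end evaluation with a 407 challenge, which is where deny_info
            # for 'unauthorized' is shown; anywhere else the line just fails to match.
            if result == NEED_AUTH and action == "deny" and pos == len(names) - 1:
                return "challenge", i
            break
        else:
            return action, i
    return "deny", len(HTTP_ACCESS)   # not reached with a trailing "deny all"


if __name__ == "__main__":
    samples = [
        Request("192.168.3.4", "intranet.example", "M", 10),              # foo, no auth needed
        Request("10.0.0.1", "www.example", "M", 10),                      # no credentials at all
        Request("10.0.0.1", "www.blocked.example", "M", 19, user="steve"),  # blocked site, free time
        Request("10.0.0.1", "www.blocked.example", "M", 10, user="steve"),  # blocked site, work time
    ]
    for s in samples:
        decision, line = http_access(s)
        print(f"{s.host:22} user={s.user!s:6} -> {decision} (line {line}: {HTTP_ACCESS[line]})")
```

Running it shows that any request reaching line 2 without credentials is challenged there and never gets as far as the 'users' lines; a credentialed user instead falls through 'deny unauthorized' (the username never matches) and is decided by the blocklist/time lines or by 'allow users'.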