[squid-users] SSL-Bump to specific users

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 29 22:35:35 UTC 2015


On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:

> I've configured Squid version 3.5.9 as a transparent proxy. To do
> this, I used the "peek and splice" feature to work with the HTTPS protocol
> in transparent mode. It works fine.
> 
> There is an "acl" to block some sites, like facebook.com,
> linkedin.com, etc. It works fine too.
> 
> acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
> ssl_bump terminate deny_https_sites
> ssl_bump peek all
> ssl_bump splice all


The above is kind of wrong because it may terminate before learning
enough about the connection. You should terminate after peeking:

  acl ...

  ssl_bump peek all
  ssl_bump terminate deny_https_sites
  ssl_bump splice all

Peeking feeds your deny_https_sites ACL with information. Without
peeking, that ACL may only have IP addresses to work with (especially in
an interception environment).


> But now I need to make a rule to permit access for specific users or
> IP addresses. But I don't know if it's possible with ssl_bump. I tried
> something like:
> 
> ssl_bump terminate deny_https_sites !permited_ips
> 
> or
> 
> ssl_bump peek deny_https_sites permited_ips
> 
> 
> Is there a way to do this?


The first variant is theoretically correct, but I recommend avoiding
negation in ACLs: An ACL result is not a boolean "match" or "mismatch".
It is actually closer to "match", "mismatch", "do not know", or "error".
Negating four values correctly is difficult, and Squid itself has had
many bugs in that area.


If you can truly identify "specific users" by IP, then do that first (no
need to peek):

  ssl_bump splice permited_ips
  ssl_bump peek all
  ssl_bump terminate deny_https_sites
  ssl_bump splice all


If your actual "specific user" ACL needs host name information, then let
Squid peek first:

  ssl_bump peek all
  ssl_bump splice specific_users
  ssl_bump terminate deny_https_sites
  ssl_bump splice all


Your questions indicate that you may not understand how Squid evaluates
ACL rules. Proceed with caution and try reading a guide book or a good
tutorial. The basic single-rule evaluation algorithm is not specific to
SslBump (although multiple ssl_bump directives add more complexity).


Good luck,

Alex.

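Putting the ordering from the message above into one squid.conf fragment, as an added example that is not part of the original message or of Squid's own documentation. It uses the `at_step` ACL type (available in Squid 3.5) so that Squid peeks exactly once, at step 1, and then decides at step 2 with the SNI in hand; the port number, certificate path and ACL file names are assumptions, and the misspelt `permited_ips` is kept as the original poster named it.

```conf
# Intercepted HTTPS traffic (e.g. redirected by a firewall rule). The ssl-bump
# option requires a signing certificate even if nothing is ever bumped.
# Path and port are assumptions for this example.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem

# Trusted clients, one address or CIDR per line, e.g. 192.0.2.10
acl permited_ips src "/etc/squid/permited_ips.txt"

# Blocked server names, one regex per line, e.g. (^|\.)facebook\.com$
# This ACL is fed by the TLS ClientHello SNI, which Squid only sees after peeking.
acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"

# Which SslBump step we are at: step 1 knows only TCP-level facts
# (client IP, intercepted destination IP and port); step 2 has the ClientHello.
acl step1 at_step SslBump1

# Step 1: the client IP is already known, so trusted clients are spliced
# straight through and never peeked. Everyone else is peeked once.
ssl_bump splice permited_ips
ssl_bump peek step1

# Step 2: the SNI is now available to deny_https_sites. Terminate blocked
# names, pass everything else through untouched.
ssl_bump terminate deny_https_sites
ssl_bump splice all
```

Rules are re-evaluated at each step, top to bottom, and the first applicable match wins. At step 1 a trusted client matches `splice permited_ips`; anyone else matches `peek step1`. At step 2 `peek step1` no longer matches, so the decision falls through to `terminate deny_https_sites` and then `splice all`. If the `terminate` rule were placed before the `peek`, it would be evaluated at step 1 with only the destination IP to match against, which is the problem Alex describes. Note also that a client which sends no SNI still leaves `deny_https_sites` with nothing but the intercepted IP at step 2; that is the "do not know" outcome he mentions, and it is why a name-based block list is not a substitute for controlling which clients may reach the proxy at all.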