[squid-users] SSL-Bump to specific users

Rodrigo de Lima Silva rodrigodlima at gmail.com
Fri Oct 30 16:36:30 UTC 2015


Thanks for your reply Alex,

I understood your considerations. Maybe I really didn't understand very
well how SslBump works, the differences between peek and splice, and the
steps SslBump1, 2 and 3.

I have been searching and studying this for the last two days, and I need to
understand these questions better.

Is there a way to combine ssl_bump with a simple acl? Basically, I would like to
permit access to some sites, like facebook and linkedin, for example, during a
period of the day, for example:

acl after_work time MTWHFAS 18:00-21:00
ssl_bump terminate deny_https_sites !after_work

Thanks,




2015-10-29 20:35 GMT-02:00 Alex Rousskov <rousskov at measurement-factory.com>:

> On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:
>
> > I have configured Squid version 3.5.9 as a transparent proxy. To do
> > this, I used the "peek and splice" feature to work with the https protocol
> > in transparent mode. It works fine.
> >
> > There is an "acl" to block some sites, like facebook.com
> > <http://facebook.com>, linkedin.com <http://linkedin.com>, etc... It
> > works fine too.
> >
> > acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
> > ssl_bump terminate deny_https_sites
> > ssl_bump peek all
> > ssl_bump splice all
>
>
> The above is kind of wrong because it may terminate before learning
> enough about the connection. You should terminate after peeking:
>
>   acl ...
>
>   ssl_bump peek all
>   ssl_bump terminate deny_https_sites
>   ssl_bump splice all
>
> Peeking feeds your deny_https_sites ACL with information. Without
> peeking, that ACL may only have IP addresses to work with (especially in
> an interception environment).
>
>
> > But now I need to make a rule to permit access for specific users or
> > IP addresses. I don't know if it's possible with ssl_bump. I tried
> > something like:
> >
> > ssl_bump terminate deny_https_sites !permited_ips
> >
> > or
> >
> > ssl_bump peek deny_https_sites permited_ips
> >
> >
> > Is there a way to do this?
>
>
> The first variant is theoretically correct, but I recommend avoiding
> negation in ACLs: An ACL result is not a boolean "match" or "mismatch".
> It is actually closer to "match", "mismatch", "do not know", or "error".
> Negating four values correctly is difficult, and Squid itself has had
> many bugs in that area.
>
>
> If you can truly identify "specific users" by IP, then do that first (no
> need to peek):
>
>   ssl_bump splice permited_ips
>   ssl_bump peek all
>   ssl_bump terminate deny_https_sites
>   ssl_bump splice all
>
>
> If your actual "specific user" ACL needs host name information, then let
> Squid peek first:
>
>   ssl_bump peek all
>   ssl_bump splice specific_users
>   ssl_bump terminate deny_https_sites
>   ssl_bump splice all
>
>
> Your questions indicate that you may not understand how Squid evaluates
> ACL rules. Proceed with caution and try reading a guide book or a good
> tutorial. The basic single-rule evaluation algorithm is not specific to
> SslBump (although multiple ssl_bump directives add more complexity).
>
>
> Good luck,
>
> Alex.
>
>


-- 
Rodrigo Lima  - rodrigodlima[at]gmail[dot]com
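
Added example (not from this thread and not Squid project code): one way to write
the configuration Rodrigo is asking about, following the order Alex recommends
(decide on src IP before peeking, peek, then decide on the server name) and
putting the "allowed inside the window" rule before the terminate rule instead of
negating after_work. The ACL names come from the thread; the at_step ACL, the
192.168.10.0/24 range and the example regex line are assumptions for this
illustration.

```conf
# /etc/squid/https_url.txt is assumed to hold one regex per line, e.g.
#   (^|\.)facebook\.com$
#   (^|\.)linkedin\.com$

acl step1            at_step  SslBump1                      # true only during the first SslBump step
acl permited_ips     src      192.168.10.0/24               # hosts that may always reach the listed sites (assumed range)
acl after_work       time     MTWHFAS 18:00-21:00           # every day (S=Sun M T W H=Thu F A=Sat), 18:00-21:00
acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"

# Step 1: the TCP connection was accepted but no TLS bytes were read yet.
# Only the client IP is reliable here; in interception mode the server name
# may be nothing more than the destination IP. Do not terminate on it.
ssl_bump splice permited_ips            # trusted hosts pass through untouched
ssl_bump peek step1                     # everyone else: read the ClientHello to learn the SNI

# Step 2: the ClientHello has been seen, so ssl::server_name_regex can match
# the SNI. Rules are evaluated again from the top; "peek step1" no longer matches.
ssl_bump splice deny_https_sites after_work   # listed sites inside the window: allow
ssl_bump terminate deny_https_sites           # listed sites outside the window: close
ssl_bump splice all                           # everything else passes through
```

Check the file with "squid -k parse" before reloading; an ACL that is referenced
but not defined, or a bad time or regex, is reported there rather than at run time.
Note that the allow rule and the terminate rule share the deny_https_sites ACL, so
a site that is not in the list never reaches the terminate line at all; only the
window decides between the two for listed sites.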