[squid-users] SSL-Bump to specific users

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 30 17:48:33 UTC 2015


On 10/30/2015 10:36 AM, Rodrigo de Lima Silva wrote:

> Is there a way to join ssl_bump + a simple acl? Basically, I would like to
> permit access to some sites, like facebook, linkedin, for example,
> during a period of the day, for example:
> 
> acl after_work time MTWHFAS 18:00-21:00
> ssl_bump terminate deny_https_sites !after_work

You can use any ACL (or any combination of ACLs) with ssl_bump rules if
the ACLs you are using have enough information to work correctly during
ssl_bump steps. For example, the "time" ACL always has enough information.

SslBump steps only have access to information in an HTTP CONNECT request
(or equivalent). What information is available in that CONNECT request
depends on Squid version, Squid configuration, current transaction, and
current SslBump step. I do not think there is detailed documentation
about available information. Somebody should write it.

Alex.


> 2015-10-29 20:35 GMT-02:00 Alex Rousskov:
> 
>     On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:
> 
>     > I've configured Squid version 3.5.9 as a transparent proxy. To do
>     > this, I used the "peek and splice" feature to work with the https protocol
>     > in transparent mode. It works fine.
>     >
>     > There is an "acl" to block some sites, like facebook.com,
>     > linkedin.com, etc... It
>     > works fine too.
>     >
>     > acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
>     > ssl_bump terminate deny_https_sites
>     > ssl_bump peek all
>     > ssl_bump splice all
> 
> 
>     The above is kind of wrong because it may terminate before learning
>     enough about the connection. You should terminate after peeking:
> 
>       acl ...
> 
>       ssl_bump peek all
>       ssl_bump terminate deny_https_sites
>       ssl_bump splice all
> 
>     Peeking feeds your deny_https_sites ACL with information. Without
>     peeking, that ACL may only have IP addresses to work with (especially in
>     an interception environment).
> 
> 
>     > But now I need to make a rule to permit access for specific users, or
>     > IP addresses. But I don't know if it's possible with ssl_bump. I tried
>     > something like:
>     >
>     > ssl_bump terminate deny_https_sites !permited_ips
>     >
>     > or
>     >
>     > ssl_bump peek deny_https_sites permited_ips
>     >
>     >
>     > Is there a way to do this?
> 
> 
>     The first variant is theoretically correct, but I recommend avoiding
>     negation in ACLs: An ACL result is not a boolean "match" or "mismatch".
>     It is actually closer to "match", "mismatch", "do not know", or "error".
>     Negating four values correctly is difficult, and Squid itself has had
>     many bugs in that area.
> 
> 
>     If you can truly identify "specific users" by IP, then do that first (no
>     need to peek):
> 
>       ssl_bump splice permited_ips
>       ssl_bump peek all
>       ssl_bump terminate deny_https_sites
>       ssl_bump splice all
> 
> 
>     If your actual "specific user" ACL needs host name information, then let
>     Squid peek first:
> 
>       ssl_bump peek all
>       ssl_bump splice specific_users
>       ssl_bump terminate deny_https_sites
>       ssl_bump splice all
> 
> 
>     Your questions indicate that you may not understand how Squid evaluates
>     ACL rules. Proceed with caution and try reading a guide book or a good
>     tutorial. The basic single-rule evaluation algorithm is not specific to
>     SslBump (although multiple ssl_bump directives add more complexity).
> 
> 
>     Good luck,
> 
>     Alex.
> 
> 
> 
> 
> -- 
> Rodrigo Lima  - rodrigodlima[at]gmail[dot]com
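Putting the advice in this thread together, as an added example that is not from the original posts: a squid.conf fragment in Squid 3.5 syntax that combines the time window, the permitted client addresses and the server-name blacklist in the order Alex recommends (decide on client IP first, peek so the server name becomes available, only then terminate). It avoids the negated `!after_work` by splicing the allowed window as its own rule. The client addresses, the regex file contents and the comments are assumptions; the ACL names are the ones used in the thread.

```conf
# --- ACL definitions -------------------------------------------------
# Window in which the otherwise-blocked sites are allowed.
# Day letters: M T W H F A S = Mon Tue Wed Thu Fri Sat Sun.
acl after_work time MTWHFAS 18:00-21:00

# Clients that may reach the blocked sites at any time.
# Addresses are constructed for this example (RFC 5737 documentation range).
acl permited_ips src 192.0.2.10 192.0.2.11

# Server names to block, one regular expression per line, e.g.
#   (^|\.)facebook\.com$
#   (^|\.)linkedin\.com$
# Matches the SNI (and, after peeking further, the certificate name).
acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"

# --- SslBump rules (evaluated top to bottom at each step) ------------
# Step 1: the client IP is already known, so decide on it without peeking.
ssl_bump splice permited_ips

# Step 1: inside the allowed window nothing is blocked, so tunnel everything.
ssl_bump splice after_work

# Step 1: for everybody else, peek at the TLS ClientHello so that
# deny_https_sites has a server name to match instead of just an IP.
ssl_bump peek all

# Step 2: the SNI is known now; drop connections to blacklisted names.
ssl_bump terminate deny_https_sites

# Everything else is passed through unmodified.
ssl_bump splice all
```

The order matters: placing `ssl_bump terminate deny_https_sites` above the peek would evaluate the regex ACL at step 1, where, in an interception setup, only the destination IP is available, so the rule would either never match or match on IP alone. After editing, run `squid -k parse` to check the syntax before reloading.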
