[squid-users] SSL-Bump to specific users

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 30 21:08:01 UTC 2015


On 31/10/2015 7:36 a.m., Rodrigo de Lima Silva wrote:
>>
>>>
>>> There's a way to join ssl_bump + a simple acl? Basically, I would like to
>>> permit access to some sites, like facebook, linkedin, for example,
>>> during a
>>> period of day time, for example:
>>>
>>> acl after_work time MTWHFAS 18:00-21:00
>>> ssl_bump terminate deny_https_sites !after_work
>>>
>>
>> Once you understand what the "Common Mistakes" section of the ACL wiki
>> page is talking about you will know the answer to your question. It
>> describes the problem Alex was talking about, but in slightly simpler
>> terms.
>>
>> Hint: you say you want to permit things. But you are writing rules with
>> "deny" / "terminate" as the action for Squid to do. Seems a bit
>> backwards, yes?
>>
>>
> Hi Amos,
> Sorry, but I wrote the last email very fast and could not describe
> very well what
> I'm trying to do, and it got confused.
> 
> 
>> PS. Apologies if we seem to be obstructing. But you really do need to
>> properly know how Squid ACLs work if you are going to be configuring
>> Squid. They are used for controlling almost everything, as you will see
>> in those wiki pages.
>>
>>
> It's all right ;-)
> Basically, the idea is to block access to certain websites during office hours
> and after this time allow access.
> To do this with a simple acl is easy,
> 

You're still doing the policy description != policy rules thing.

Whereas your last email's rules match the above description.
Below is a policy that matches your last email's description.

> acl after_work time MTWHFAS 17:00-21:00
> http_access allow deny_sites after_work
> http_access deny deny_sites
> 
> But, on transparent mode, I'm getting confused to do this with sslbump and
> https sites.

Stop thinking of HTTPS as a single thing. It is not.

It is a TLS protocol layer, with an HTTP protocol layer inside it. The
TLS layer has its own messages completely different and separate from
the HTTP ones.

http_access rules tell Squid what to do with HTTP layer messages. Either
the ones Squid is receiving straight on top of TCP (aka plain text
HTTP), or ones it decrypted from inside the TLS layer (aka HTTPS).

ssl_bump tells Squid how to treat each of the TLS layer operations that
occur before the first encrypted HTTPS message. We call them stage 1, 2
and 3.


Your configuration so far is using splice to mean allow and terminate to
mean deny. But the peek and splice feature is not http_access, it is a
bit more complicated than allow/deny.

There is a _type_ of metadata the ACLs are accessing (CONNECT wrapper
[step1], client handshake data [step2], server certificate [step3])
affecting what the ACLs will match against. Then what was done at the
previous step(s) affects what actions are possible now.

Amos
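An added squid.conf fragment (not from this thread or from the Squid project's own documentation) that applies the three-stage model Amos describes to the original question: peek at step 1 to learn the SNI, decide at step 2 using an ssl::server_name ACL combined with the time ACL, and splice everything else so no traffic is decrypted. The port numbers, certificate path, network range and site list are assumptions; the at_step, ssl::server_name, time and dstdomain ACL types and the peek/splice/terminate actions are real Squid 3.5 features.

```squid
# Intercepted HTTPS (port and CA certificate path are assumptions).
# A cert is required on an ssl-bump port even if connections are only spliced.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem

# Client network (constructed example range).
acl localnet src 192.168.0.0/16

# The three TLS stages Amos refers to.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Same time window as the original rules: Mon-Sun, 17:00-21:00 proxy-local time.
acl after_work time MTWHFAS 17:00-21:00

# Sites to block during office hours (constructed list).
# TLS layer: matched against the SNI at step 2 / certificate at step 3.
acl deny_sites ssl::server_name .facebook.com .linkedin.com
# HTTP layer: matched against the Host / URL of plain-text HTTP requests.
acl deny_sites_http dstdomain .facebook.com .linkedin.com

# Step 1: only the TCP destination IP is known in intercept mode,
# so peek to obtain the client's SNI without committing to bump or splice.
ssl_bump peek step1
# Step 2: the SNI is now visible. Close blocked sites outside after_work,
# and pass every other TLS session through untouched (no forged certs).
ssl_bump terminate step2 deny_sites !after_work
ssl_bump splice all

# http_access governs plain HTTP here; it would also apply to decrypted
# HTTPS if the ssl_bump rules above used "bump" instead of "splice".
http_access allow deny_sites_http after_work
http_access deny deny_sites_http
http_access allow localnet
http_access deny all
```

Because the blocked sessions are terminated at the TLS layer rather than bumped, the browser sees a closed connection instead of a Squid error page; serving an error page for those sites would require bumping them, which brings in the certificate-generation and trust issues Amos alludes to. Squid's cache.log and access.log record the terminate decisions, which is how you confirm the time ACL is switching as intended.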

