[squid-users] ssl_bump newbie troubles

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 20 21:11:52 UTC 2016


On 04/20/2016 02:22 PM, Odhiambo Washington wrote:

> All I want is the ability to intercept SSL sites and control access to
> them using TIME ACLs. That's all.

I will assume that your definition of a "site" is "domain name".


> So in simple:
> 1. UserX tries to access facebook.com/youtube.com
> 2. I intercept transparently https traffic 
> 3. I tell squid "don't allow this user to access facebook.com
>  at this time, but let them access at some-other-time"
> 4. If time is right, let userX access the site.

> So looks like all I need is a setup of passive monitoring, given my
> explanation above, right? 

The answer depends on what you want Squid to do when access is not
allowed. If you are OK with terminating the prohibited connection (no
error messages explaining company policy sent by Squid to your users!),
then yes:

  ssl_bump terminate restricted_sites
  ssl_bump peek all
  ssl_bump splice all

As typical for SslBump, Squid has bugs and missing features in some
corner cases touched by the above simple configuration, so some
babysitting and additional configuration is likely, but it should work
in principle. Known bugs can be fixed and missing features added.


HTH,

Alex.
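
The three ssl_bump rules in the reply reference a restricted_sites ACL without defining it. One possible definition for the time-based requirement follows, as an added example that is not part of Alex's message; the domain list, the schedule and the helper ACL names restricted_domains and blocked_hours are assumptions, and an intercepting https_port with ssl-bump is assumed to be configured already.

```squidconf
# Added example, not from the original message.
# Assumed: domains to restrict and the hours during which they are blocked.

# Matches on the server name Squid learns from the TLS client hello (SNI).
# A leading dot also covers subdomains such as www.facebook.com.
acl restricted_domains ssl::server_name .facebook.com .youtube.com

# Assumed schedule: Monday to Friday, 08:00-17:00 local time.
# Day codes: S M T W H F A (H = Thursday, A = Saturday).
acl blocked_hours time MTWHF 08:00-17:00

# restricted_sites is true only when BOTH conditions hold, so the same
# domains are spliced through untouched outside the blocked hours.
acl restricted_sites all-of restricted_domains blocked_hours

# Rules from the reply, unchanged. On an intercepted connection Squid has
# only the destination IP at step 1, so the terminate rule cannot match a
# domain yet and "peek all" applies. After the peek the SNI is known and
# the terminate rule is evaluated again at step 2.
ssl_bump terminate restricted_sites
ssl_bump peek all
ssl_bump splice all
```

Clients that send no SNI never match restricted_domains and are spliced, which is one of the corner cases that needs a separate policy decision.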


