[squid-users] ssl_bump newbie troubles

Odhiambo Washington odhiambo at gmail.com
Wed Apr 20 22:18:00 UTC 2016

On 21 April 2016 at 00:11, Alex Rousskov <rousskov at measurement-factory.com>

> On 04/20/2016 02:22 PM, Odhiambo Washington wrote:
> > All I want is the ability to intercept SSL sites and control access to
> > them using TIME ACLs. That's all.
> I will assume that your definition of a "site" is "domain name".


> > So in simple:
> > 1. UserX tries to access facebook.com/youtube.com
> > 2. I intercept transparently https traffic
> > 3. I tell squid "don't allow this user to access facebook.com
> >  at this time, but let them access at some-other-time
> > 4. If time is right, let userX access the site.
> > So looks like all I need is a setup of passive monitoring, given my
> > explanation above, right?
> The answer depends on what you want Squid to do when access is not
> allowed. If you are OK with terminating the prohibited connection (no
> error messages explaining company policy sent by Squid to your users!),
> then yes:
>   ssl_bump terminate restricted_sites
>   ssl_bump peek all
>   ssl_bump splice all

What I would like is:

1. that squid is able to 'see' that *userX* is trying to visit
2. but at that particular time (time ACL) *userX* is not allowed to go to
facebook.com, so squid denies access, throws a default error on their
3. However, *userY* has unrestricted access to anywhere at all times so
squid allows the user to proceed.
The time logic is already built in squid.conf. All that remains is just
intercept https traffic and let the time acls decide whether or not a user
can get there..

So allow me to ask: in *ssl_bump terminate restricted_sites, * I am lost as
to what restricted_sites represent.

If my squid.conf matters, I have it here: http://goo.gl/vA6nrB. All I want
is to restrict/control (using time) access to TIMEWASTAGESITES :-)
I do not need to bump at all.

(My English could be my undoing here :-))

Thanks for your patience in baby-sitting me.

Best regards,
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160421/68fd129a/attachment.html>

More information about the squid-users mailing list