[squid-users] ssl_bump newbie troubles

Alex Rousskov rousskov at measurement-factory.com
Wed Apr 20 22:46:04 UTC 2016

On 04/20/2016 04:18 PM, Odhiambo Washington wrote:
> On 21 April 2016 at 00:11, Alex Rousskov wrote:
>     On 04/20/2016 02:22 PM, Odhiambo Washington wrote:
>     > All I want is the ability to intercept SSL sites and control access to
>     > them using TIME ACLs. That's all.

You also want to serve custom errors over encrypted connections. That is
a huge addition to the above "all".

>     If you are OK with terminating the prohibited connection (no
>     error messages explaining company policy sent by Squid to your users!),
>     then yes:
>       ssl_bump terminate restricted_sites
>       ssl_bump peek all
>       ssl_bump splice all
> What I would like is:
> 1. that squid is able to 'see' that *userX* is trying to visit
> https://www.facebook.com
> 2. but at that particular time (time ACL) *userX* is not allowed to go
> to facebook.com, so squid denies access, throws a
> default error on their browser

Serving a Squid-generated error over [what the browser believes is] a
secure connection to the _origin server_ requires bumping that
connection. Bumping (as opposed to splicing) implies installing company
root certificates and many other headaches.

In other words, your desire to immediately inform the user about the
denied access opens a Pandora's box and adds a whole new order of
complexity (or two) to the project.

Instant gratification is very important these days, but there are
probably alternatives to serving error pages over bumped connections.
The simplest to implement might be something like sending a "you have
been blocked" email to the offending user (from the blocking ACL
script), but one can think of a lot fancier notification vectors than that.

> The time logic is already built in squid.conf. All that remains is just
> intercept https traffic and let the time acls decide whether or not a
> user can get there.

... and bump the supposedly secure connection to serve the error page if
the user cannot get there.

> So allow me to ask: in *ssl_bump terminate restricted_sites, * I am lost
> as to what restricted_sites represent.

It is an ACL that represents your "access control" logic. It is too
boring/standard to discuss while we are talking about SslBump. I am sure
you can define it (yourself or with help from this mailing list).

If you allow me an analogy, discussing that ACL is like discussing the
color of the paint on the atomic bomb. I am sure you will find a nice
color scheme eventually, but I am more concerned about your users
staying alive after you drop it on them.
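As an added illustration of the terminate/peek/splice rules quoted above combined with a time ACL (not Alex's or the Squid project's configuration; the port number, certificate path, network range and site list are placeholders), a squid.conf fragment for Squid 3.5:

```conf
# Added example, not from the thread. Placeholders: port 3129, the
# certificate path, the 10.0.0.0/8 range and the two site names.

# Intercepted HTTPS. An ssl-bump port needs a certificate even when
# connections are only ever peeked at and spliced, never bumped.
https_port 3129 intercept ssl-bump cert=/etc/squid/PLACEHOLDER-cert.pem

acl localnet src 10.0.0.0/8

# The "restricted_sites" ACL: server names taken from the TLS
# ClientHello (SNI) that Squid sees while peeking.
acl restricted_sites ssl::server_name .facebook.com .twitter.com

# Window during which those sites are off limits: Mon-Fri 09:00-17:00
# (Squid day letters: S M T W H F A).
acl work_hours time MTWHF 09:00-17:00

# ssl_bump is re-evaluated at every SslBump step. At step 1 Squid only
# knows the intercepted destination IP, so the name-based ACL does not
# match and Squid peeks. At step 2 it has the SNI: if both ACLs match the
# TCP connection is closed; otherwise it is spliced untouched, so no
# company root certificate has to be installed in browsers.
ssl_bump terminate restricted_sites work_hours
ssl_bump peek all
ssl_bump splice all

http_access allow localnet
http_access deny all
```

Check the syntax with `squid -k parse` before reloading. A terminated connection shows up in the user's browser as a generic connection failure, not as a Squid error page; that is exactly the trade-off Alex describes, and it is what keeps bumping (and its certificate deployment) out of the picture.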
