[squid-users] ssl bumping question

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 5 01:28:18 UTC 2016


On 5/01/2016 10:32 a.m., George Hollingshead wrote:
> Sorry i'm a newb with dumb questions first of all :)
> 
> I'm only interested in using bump so i can see https visited so i can block
> as needed.

Okay. A little more detail is needed to clarify what exactly you needed
access to.

TLS often provides SNI values that equate roughly to the domain name
being visited. No decrypt is needed to make use of that, peek then
splice actions can work fine inspecting the traffic without any decrypt
related problems.

Bump (decrypt) is only needed if specific HTTP message values (method,
version, headers and URL path) are needed by the ACLs.


> 
> I am using latest 3.5.12 and was told i can use ssl bumping and have a wiki
> link to show me how.
> 
> only problem on the wiki is that it says i have to install certificates on
> each client machine which is a problem. This proxy will mostly be used for
> smart phones on the wifi network.

That is for bumping to work without showing the user/client any TLS/SSL
warnings. If you only need splicing those warnings are rare (but can
still happen when splice is not possible) - it is your choice whether to
use the client CA install and avoid them entirely, or cope with the
warnings.

> 
> Is there a method i can use to see https sites visited without having to
> install trust certificates on every device?

"sites" (as in domains) yes. URLs no.

> 
> if there is, i would be eternally grateful and a basic config example of
> what i need in squid.conf.
> 

The section titled "Peek and SNI and bump" on
<http://wiki.squid-cache.org/Features/SslPeekAndSplice> but without the
"ssl_bump bump" line sounds like what you need for the ssl_bump rules.
The http(s)_port rules remain the same.

Amos
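As an added worked example (not part of Amos's reply or of the Squid wiki page he points to), the following squid.conf fragment spells out the peek-then-splice approach described above for Squid 3.5.x in intercept mode: SNI is read at step 1, listed domains are refused, everything else is passed through without decryption, and the SNI name is written to access.log. The certificate path, port numbers, log path and domain names are placeholders, and the `%ssl::>sni` logformat code is assumed to be the one available in Squid 3.5.

```conf
# Added example, not from the original thread or the Squid wiki.
# Assumes Squid 3.5.x in intercept (transparent) mode.
# Paths, ports and domain names are placeholders.

# Plain HTTP and intercepted HTTPS listeners.
# The ssl-bump option and a certificate are required on https_port,
# but with the peek/splice rules below Squid never presents that
# certificate to clients, so nothing has to be installed on the phones.
http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/squid-ca.pem

# Step 1: look at the TLS ClientHello only (peek).
# This exposes the SNI name without decrypting anything.
acl step1 at_step SslBump1

# Domains to refuse, matched against the SNI name (placeholder values).
acl blocked_sites ssl::server_name .badexample.invalid .example.test

# Read the SNI at step 1, then decide at step 2.
ssl_bump peek step1
# Close the connection for the listed domains.
ssl_bump terminate blocked_sites
# Pass everything else through untouched. There is deliberately
# no "ssl_bump bump" line, so no traffic is decrypted.
ssl_bump splice all

# Record the SNI name in access.log so "sites visited" is visible.
# Assumes the %ssl::>sni logformat code of Squid 3.5.
logformat sni %ts.%03tu %>a %ssl::>sni %Ss/%03>Hs %rm %ru
access_log /var/log/squid/access.log sni
```

With this configuration the ACLs can only see the server name carried in SNI (and what peeking at the handshake reveals), not URL paths or HTTP headers, which matches the "sites yes, URLs no" answer above. Clients that send no SNI will show up with an empty field in the log, so a blocklist keyed on SNI alone should be expected to miss those connections.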


