[squid-users] Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 25 07:02:23 UTC 2017


On 20/02/2017 8:33 p.m., Test1964 wrote:
> Hi,
> 
> When I exclude some sites (like banks) with ssl_bump peek/splice, that
> works well, but I got a new problem: the sites that I exclude cannot be
> blocked using Url_Rewrite.
> I use Url_rewrite to block sites based on User IP, and for all other
> sites (not in the exclude list) it is working very well.
> 
> How to fix it? Or is there another way to block excluded sites in ssl_bump
> based on User IP?
> 

Block things using an access control mechanism. That is what access
controls (ACLs, http_access, deny_info) are for.

If your blocking conditions are so complex or dynamic that Squid ACLs
are not able to cope, then use an external_acl_type helper to give the
allow/deny result, and also consider whether you can simplify the access policies.


Do not use a URL routing mechanism to do 'access control' operations.
Changing the destination of a message can *only* work if the relevant
security is equivalent for both paths the message can take.

Re-writing has the _appearance_ of working in HTTP because plain-text
HTTP is built on complete trust of the proxy. HTTPS is not; it contains
mechanisms to verify honesty, which is what is preventing your abuse of HTTP.


NP: If you were doing a proper HTTP *redirect* (with appropriate 30x
status codes) it would work, but it is still wrong to do access control that way.

Amos
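The configuration below is an added example illustrating the advice above; it is not from Amos's message or from the Squid project. It shows the per-client-IP block expressed as ACLs and ssl_bump/http_access rules rather than through url_rewrite_program. The client subnet (192.0.2.0/24), the site (.examplebank.example) and the helper path are constructed placeholders; the ssl_bump actions used (peek, splice, terminate, bump) and the at_step and ssl::server_name ACLs are the ones Squid 3.5 provides.

```conf
# Added example (not from the original post): squid.conf fragment that
# enforces a per-client-IP block on spliced HTTPS sites with ACLs.
# Subnet, domain and helper path below are constructed placeholders.

# Clients subject to the restriction (constructed example subnet).
acl restricted_clients src 192.0.2.0/24

# Sites that must not be decrypted (banks); matched on the TLS SNI that
# becomes available after peeking. Constructed example domain.
acl bank_sites ssl::server_name .examplebank.example

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: read the ClientHello only, so the SNI is known to later ACLs.
ssl_bump peek step1
# Step 2: restricted clients get no TLS session to the excluded sites at
# all; the connection is closed, nothing is re-routed.
ssl_bump terminate restricted_clients bank_sites
# Everyone else reaches the excluded sites untouched (no decryption).
ssl_bump splice bank_sites
# Remaining traffic is bumped and then policed by http_access as usual.
ssl_bump bump all

# Plain HTTP and bumped HTTPS: the same policy, stated as http_access.
acl bank_sites_http dstdomain .examplebank.example
http_access deny restricted_clients bank_sites_http

# When the IP-to-site policy is too dynamic for static ACLs, hand the
# decision to an external_acl_type helper that receives the client address
# and the SNI and answers OK (match) or ERR (no match). The helper path is
# hypothetical; check the format tokens against your Squid version's docs.
# external_acl_type site_policy ttl=60 %>a %ssl::>sni /usr/local/bin/site-policy
# acl policy_blocks external site_policy
# ssl_bump terminate policy_blocks bank_sites
```

Two caveats a deployer should keep in mind. First, order matters: the peek line must come before terminate and splice, because bank_sites can only match once the SNI has been read. Second, for a spliced site Squid never sees the server certificate, so ssl::server_name is matching the name the client claimed in its ClientHello; that is still a far better basis for a deny than rewriting the destination, because the decision is made before any bytes are relayed and the client receives a closed connection rather than a forged redirect that its HTTPS stack would reject anyway.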


