[squid-users] this config is ok? is ok the order?

Alex Rousskov rousskov at measurement-factory.com
Thu Jun 1 17:16:51 UTC 2017


On 06/01/2017 09:17 AM, Amos Jeffries wrote:
> On 02/06/17 01:10, erdosain9 wrote:
>> "If I assume that it's doing what you want there are still two major
>> issues that can be seen." ... I think it was ...
>>
>> "1) Mixing interception and authentication (ssl-bump is a type of
>> interception, at least on the https:// traffic). Intercepted messages
>> cannot be authenticated - though there are some workarounds in place for
>> ssl-bump to authenticate the CONNECT tunnel and label all the bumped
>> traffic with that username."

Bumped messages cannot be proxy-authenticated but the CONNECT tunnels
that carry bumped messages can be, and such proxy authentication does
not violate any rules or principles. It is perfectly fine to use.
Furthermore, logging the authenticated tunnel user when logging
transactions inside that tunnel is the right thing to do IMO.


>> How is that? Maybe I'm wrong (probably), but, for example, a connection to
>> YouTube is SSL, and I see (in access.log) who does that (it's
>> authenticated).
> 
> That is the hack workaround doing its thing. Squid is authenticating the
> CONNECT message, then simply reporting that authenticated username for
> all the bumped https:// log entries.

FWIW, I do not think this is a hack. It is exactly what Squid should be
doing in this context. There may be bugs in the implementation of that
functionality, of course, but the functionality itself is a legitimate
feature, not a workaround.

Alex.
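As an added example (not code from the thread or from the Squid project), a squid.conf fragment in the shape Alex describes: proxy authentication is demanded on the CONNECT arriving at an explicit-proxy port, the tunnel is then bumped, and the %un log code carries the tunnel's authenticated user into the bumped https:// entries. Helper paths, the CA certificate file and the password file are assumptions for this example.

```conf
# Proxy authentication for the explicit-proxy port. Only the CONNECT that the
# browser sends to an explicit proxy can be challenged with 407; an intercept
# port could not be authenticated this way (assumed helper and file paths).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Explicit (non-intercept) port with SSL-Bump; the CA file path is assumed.
http_port 3128 ssl-bump cert=/etc/squid/ssl/myca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Order: the proxy_auth check runs on the CONNECT before any bumping, so an
# unauthenticated client is challenged and never reaches the ssl_bump rules.
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# Peek at the TLS ClientHello first, then bump the authenticated tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# %un is the authenticated user; for requests inside a bumped tunnel Squid
# reports the user that authenticated that tunnel's CONNECT.
logformat withuser %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
access_log /var/log/squid/access.log withuser
```

With this layout the access.log shows the same username on the CONNECT line and on every bumped https:// line from that tunnel, which is the behaviour the thread discusses.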

