[squid-users] ssl bump

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 28 04:12:07 UTC 2019


On 28/02/19 2:31 am, leomessi983 wrote:
> Hi all
> Can I use this conf only for blocking purpose?!

You could.

I suggest you keep the default security Safe_ports and SSL_ports ACL and
http_access rules though. They exist to protect your proxy against
malicious attacks and DoS situations.

Your custom settings should go below these defaults at the place where
default squid.conf says "INSERT YOUR RULES HERE".


> Is set dynamic_cert_mem_cache_size=0MB wrong?

Probably fine. You have disabled certificate generating. So there is
nothing to go in that cache. So no need for it to exist.


> I have more than 1000 clients and I only want to block http and https
> pages.

There is no such thing as a 'page' in HTTP or HTTPS. What we humans call a
page is a collection of many objects from the HTTP viewpoint. You can block
some or all of these objects individually to prevent the display
happening, but it is difficult to block abstract things like "pages".

Your config implies things very different to what you stated above.

 * it has no way to receive HTTP traffic happening on port 80 or 3128.
Implying you do not care about http:// stuff.

 * it splices some TLS traffic. Indicating that you do *not* want to
block some https:// traffic.

> 
> My configuration is like this:
> -----------------------------------------
> https_port 3130 tproxy ssl-bump \
>         cert=/etc/squid/ssl_cert/myCA.pem \
>         generate-host-certificates=off dynamic_cert_mem_cache_size=0MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen
> 
> 
> acl blk ssl::server_name "/var/blk.list"
> ssl_bump bump blk
> http_access deny blk

The value checked by the 'blk' ACL can change when the bump action is
performed. That means these ssl_bump and http_access rules may produce
different match results.

Since you are only intercepting traffic I suggest your http_access rule
be this instead:

  acl HTTPS proto HTTPS
  http_access deny HTTPS
  http_access allow CONNECT localnet


> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
> -------------------------------------

Cheers
Amos
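The configuration that the advice above leads to, assembled here as an added example (it is not Amos's or the Squid project's own config); the localnet range is a placeholder, and putting the peek at step1 ahead of the bump decision is an assumption:

```conf
# Keep the default Safe_ports / SSL_ports ACLs and their http_access deny
# rules above this point, exactly as shipped in the default squid.conf.

https_port 3130 tproxy ssl-bump \
        cert=/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=off dynamic_cert_mem_cache_size=0MB
sslcrtd_program /usr/lib64/squid/security_file_certgen

# INSERT YOUR RULES HERE
acl localnet src 192.0.2.0/24            # placeholder client range (assumption)
acl blk ssl::server_name "/var/blk.list"
acl step1 at_step SslBump1
acl HTTPS proto HTTPS

# Peek at step1 so the server name is known before 'blk' is consulted
# (ordering is an assumption, not from the thread). Only blk-listed
# servers are bumped; everything else is spliced untouched.
ssl_bump peek step1
ssl_bump bump blk
ssl_bump splice all

# Intercept-only deployment: deny the decrypted (bumped) requests and allow
# the CONNECT that spliced traffic produces for local clients.
http_access deny HTTPS
http_access allow CONNECT localnet
http_access deny all
```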

