<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
Never mind, Tom. I have my own cockroaches in my head. Only for
content filtering, I would not put in a caching proxy. Once that's it.<br>
<br>
24.06.15 22:22, Tom Mowbray wrote:<br>
<span style="white-space: pre;">> Yuri,<br>
><br>
> The proxy is being used as a content filter, i.e. domain and URL<br>
> whitelisting and blacklisting.<br>
><br>
> I guess my real question is simply regarding how this traffic is processed<br>
> in regards to where I've defined options in my squid.conf?<br>
><br>
> Also, why does it appear to "bump" all sites when my config says to<br>
> "splice" all.<br>
><br>
> -Tom<br>
><br>
><br>
> Tom,<br>
><br>
> one simple question.<br>
><br>
> Soon, all or almost all of the Internet will go to HTTPS. Why do you then need<br>
> a caching proxy? The tunnel connection and process ACLs?<br>
><br>
> My second question to Amos. Amos, what the hell do we under these<br>
> conditions caching proxy?<br>
><br>
> WBR, Yuri<br>
><br>
> 24.06.15 21:41, Tom Mowbray wrote:<br>
>> Squid 3.5.5<br>
>><br>
>> I seem to have some confusion about how acl lists are processed in<br>
>> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting to use<br>
>> ssl_bump directives with transparent proxy.<br>
>><br>
>> Based on available documentation, I believe my squid.conf is correct,<br>
>> however it never seems to actually behave as expected.<br>
>><br>
>> I define the SSL port, as usual:<br>
>><br>
>> acl SSL_ports port 443<br>
>><br>
>> But here's where my confusion lies... Many state to place the following<br>
>> line above the ssl_bump configuration lines:<br>
>><br>
>> http_access allow SSL_ports<br>
>><br>
>> However when I do this, it appears to simply stop processing any other<br>
>> rules and allows ALL https traffic through the proxy (which is actually how<br>
>> I'd expect a standard ACL list to operate, but then how do I actually<br>
>> filter the traffic through our content-based ACL lists?). If I put the<br>
>> above line below the ssl_bump configuration options in my squid.conf, then<br>
>> it appears to BUMP all, even though I've told the config to SPLICE all<br>
>> https traffic, which doesn't work for our deployment.<br>
>><br>
>> So, does squid actually continue to process the https traffic using the<br>
>> ssl_bump rules if the "http_access allow SSL_ports" line is placed above it<br>
>> in the configuration?<br>
>><br>
>> I should note that we've been able to get filtering to work correctly when<br>
>> using our configuration in NON-transparent mode, however our goal is to get<br>
>> this functionality working as a transparent proxy. We're unable to load<br>
>> our self-signed cert onto client machines that will be accessing the proxy,<br>
>> so using the "bump" or man-in-the-middle style https filtering isn't a<br>
>> viable option for us.<br>
>><br>
>> Any help or advice is appreciated!<br>
>><br>
>> Thanks,<br>
>><br>
>> Tom<br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
<br>
<br>
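Added example, not part of the original thread and not Squid's own code: a simplified Python model of first-match access-list evaluation, showing the effect described in the quoted post when "http_access allow SSL_ports" sits above the filtering rules. The "blacklist" ACL, the domains, and the assumption that the proxy already knows the requested hostname are constructed for illustration.<br>
<pre>
```python
# Simplified model of first-match access-list evaluation (not Squid code).
# ACL names other than SSL_ports, and all domains, are constructed.

BLOCKED = {"blocked.example"}  # constructed blacklist

ACLS = {
    "SSL_ports": lambda req: req["port"] == 443,
    "blacklist": lambda req: req["host"] in BLOCKED,
    "all": lambda req: True,
}


def http_access(rules, req):
    """Return the action of the first rule whose ACLs all match."""
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action
    # Simplification for this model: deny when nothing matches.
    return "deny"


# Ordering from the post: the broad allow comes first, so the
# blacklist rule below it is never reached for port 443 traffic.
ALLOW_FIRST = [
    ("allow", ["SSL_ports"]),
    ("deny", ["blacklist"]),
    ("deny", ["all"]),
]

# Specific deny moved above the broad allow.
DENY_FIRST = [
    ("deny", ["blacklist"]),
    ("allow", ["SSL_ports"]),
    ("deny", ["all"]),
]

REQUESTS = [  # constructed sample requests
    {"host": "blocked.example", "port": 443},
    {"host": "allowed.example", "port": 443},
]


def decisions(rules):
    """Evaluate every sample request against one rule ordering."""
    return [http_access(rules, r) for r in REQUESTS]


if __name__ == "__main__":
    print("allow first:", decisions(ALLOW_FIRST))
    print("deny first: ", decisions(DENY_FIRST))
```
</pre>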
</body>
</html>