<div dir="ltr"><div><div><div><div>Yuri,<br><br></div>The proxy is being used as a content filter, i.e. domain and URL whitelisting and blacklisting.<br><br></div>I guess my real question is simply regarding how this traffic is processed in regards to where I've defined options in my squid.conf?<br><br></div>Also, why does it appear to "bump" all sites when my config says to "splice" all. <br><br></div>-Tom<br><div><div><div><div><div><div><div><br><br>Tom,<br>
<br>
one simple question.<br>
<br>
Soon, all or almost all the Internet go into HTTPS. Why do you then need<br>
caching proxy? The tunnel connection and process ACLs?<br>
<br>
My second question to Amos. Amos, what the hell do we under these<br>
conditions caching proxy?<br>
<br>
WBR, Yuri<br>
<br>
24.06.15 21:41, Tom Mowbray пишет:<br>
> Squid 3.5.5<br>
><br>
> I seem to have some confusion about how acl lists are processed in<br>
> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting<br>
to use<br>
> ssl_bump directives with transparent proxy.<br>
><br>
> Based on available documentation, I believe my squid.conf is correct,<br>
> however it never seems to actually behave as expected.<br>
><br>
> I define the SSL p<span tabindex="0" class=""><span class="">ort, as usual:</span></span><br>
><br>
> acl SSL_ports port 443<br>
><br>
> But here's where my confusion lies... Many state to place the following<br>
> line above the ssl_bump configuration lines:<br>
><br>
> http_access allow SSL_ports<br>
><br>
> However when I do this, it appears to simply stop processing any other<br>
> rules and allows ALL https traffic through the proxy (which is<br>
actually how<br>
> I'd expect a standard ACL list to operate, but then how do I actually<br>
> filter the traffic though our content-based ACL lists?). If I put the<br>
> above line below the ssl_bump configuration options in my squid.conf, then<br>
> it appears to BUMP all, even though I've told the config to SPLICE all<br>
> https traffic, which doesn't work for our deployment.<br>
><br>
> So, does squid actually continue to process the https traffic using the<br>
> ssl_bump rules if the "http_access allow SSL_ports" line is placed<br>
above it<br>
> in the configuration?<br>
><br>
> I should note that we've been able to get filtering to work correctly when<br>
> using our configuration in NON-transparent mode, however our goal is get<br>
> this functionality working as a transparent proxy. We're unable to load<br>
> our self-signed cert onto client machines that will be accessing the<br>
proxy,<br>
> so using the "bump" or man-in-the-middle style https filtering isn't a<br>
> viable option for us.<br>
><br>
> Any help or advice is appreciated!<br>
><br>
> Thanks,<br>
><br>
> Tom</div></div></div></div></div></div></div></div>