<div dir="ltr"><div><div>James,<br><br></div>Yes, as a matter of fact I have read through those exact posts and modeled my config very similarly. What I have found is that, however, when the line "http_access allow SSL_ports" is placed above the ssl_bump stuff and other acl's (as you have it), it seems to simply allow ALL https without doing any filtering whatsoever.<br><br><br></div>Thanks for the response.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div><br></div><div>---------------------------------</div>Tom Mowbray<div><a href="mailto:tmowbray@dalabs.com" target="_blank"><i>tmowbray@dalabs.com</i></a></div><div><i>703-829-6694</i></div></div></div>
<br><div class="gmail_quote">On Wed, Jun 24, 2015 at 1:31 PM, James Lay <span dir="ltr"><<a href="mailto:jlay@slave-tothe-box.net" target="_blank">jlay@slave-tothe-box.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 2015-06-24 09:41 AM, Tom Mowbray wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Squid 3.5.5<br>
<br>
I seem to have some confusion about how acl lists are processed in<br>
squid.conf regarding the handling of SSL (HTTPS) traffic, attempting<br>
to use ssl_bump directives with transparent proxy.<br>
<br>
Based on available documentation, I believe my squid.conf is correct,<br>
however it never seems to actually behave as expected.<br>
<br>
I define the SSL port, as usual:<br>
<br>
acl SSL_ports port 443<br>
<br>
But here's where my confusion lies... Many state to place the<br>
following line above the ssl_bump configuration lines:<br>
<br>
http_access allow SSL_ports<br>
<br>
However when I do this, it appears to simply stop processing any other<br>
rules and allows ALL https traffic through the proxy (which is<br>
actually how I'd expect a standard ACL list to operate, but then how<br>
do I actually filter the traffic though our content-based ACL lists?).<br>
If I put the above line below the ssl_bump configuration options in<br>
my squid.conf, then it appears to BUMP all, even though I've told the<br>
config to SPLICE all https traffic, which doesn't work for our<br>
deployment.<br>
<br>
So, does squid actually continue to process the https traffic using<br>
the ssl_bump rules if the "http_access allow SSL_ports" line is placed<br>
above it in the configuration?<br>
<br>
I should note that we've been able to get filtering to work correctly<br>
when using our configuration in NON-transparent mode, however our goal<br>
is get this functionality working as a transparent proxy. We're<br>
unable to load our self-signed cert onto client machines that will be<br>
accessing the proxy, so using the "bump" or man-in-the-middle style<br>
https filtering isn't a viable option for us.<br>
<br>
Any help or advice is appreciated!<br>
<br>
Thanks,<br>
<br>
Tom<br>
</blockquote>
<br></div></div>
Tom,<br>
<br>
You kinda have to change the way you think about filtering when it comes to Squid 3.5.5 and SSL(TLS). Normal http traffic is easy....here's where we're trying to go and here's a list of place we're alloed to go...simple.<br>
<br>
Not so with SSL(TLS). Squid can't filter, since Squid may or may not know where we're going...and that's the issue..it's where those ssl_bump atStep ACL's come in. Some sites when you connect to them are easy-ish..when you connect your device sends a "Server Name Information" (SNI) that says where you're going. Other sites don't have any information until you complete the SSL handshake (how can you filter a site name, until squid KNOWS the site or at least domain name?).<br>
<br>
If you're still wanting to go through with transparent (intercept) proxy with SSL, search through the list for my SSL Deep dive posts...that config is working for me so far (granted, not in an enterprise environment). However, as Amos said,....if you choose not to install the cert on the client machines, you are either a) going to be out of luck on LOT'S of websites because they will fail the SSL handshake, or b) teaching your users to ignore the security warnings of their browser's....neither of which is a good thing.<br>
<br>
Hope that helps.<span class="HOEnZb"><font color="#888888"><br>
<br>
James</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>