<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 21 April 2016 at 00:11, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>On 04/20/2016 02:22 PM, Odhiambo Washington wrote:<br>
<br>
> All I want is the ability to intercept SSL sites and control access to<br>
> them using TIME ACLs. That's all.<br>
<br>
</span>I will assume that your definition of a "site" is "domain name".<br></blockquote><div><br></div><div>Yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
<br>
> So in simple:<br>
> 1. UserX tries to access <a href="http://facebook.com/youtube.com" rel="noreferrer" target="_blank">facebook.com/youtube.com</a><br>
> 2. I intercept transparently https traffic<br>
> 3. I tell squid "don't allow this user to access <a href="http://facebook.com" rel="noreferrer" target="_blank">facebook.com</a><br>
> at this time, but let them access at some-other-time<br>
> 4. If time is right, let userX access the site.<br>
<br>
</span><span>> So looks like all I need is a setup of passive monitoring, given my<br>
> explanation above, right?<br>
<br>
</span>The answer depends on what you want Squid to do when access is not<br>
allowed. If you are OK with terminating the prohibited connection (no<br>
error messages explaining company policy sent by Squid to your users!),<br>
then yes:<br>
<br>
ssl_bump terminate restricted_sites<br>
ssl_bump peek all<br>
ssl_bump splice all<br></blockquote><div><br></div><div><br></div><div>What I would like is:</div><div><br></div><div>1. that squid is able to 'see' that <b>userX</b> is trying to visit <a href="https://www.facebook.com" target="_blank">https://www.facebook.com</a></div><div>2. but at that particular time (time ACL) <b>userX</b> is not allowed to go to <a href="http://facebook.com" target="_blank">facebook.com</a>, so squid denies access, throws a default error on their browser</div><div>3. However, <b>userY</b> has unrestricted access to anywhere at all times so squid allows the user to proceed. </div><div>The time logic is already built in squid.conf. All that remains is just intercept https traffic and let the time acls decide whether or not a user can get there..</div><div><br></div><div><br></div><div>So allow me to ask: in <b>ssl_bump terminate restricted_sites, </b> I am lost as to what restricted_sites represent.</div><div><br></div><div>If my squid.conf matters, I have it here: <a href="http://goo.gl/vA6nrB" target="_blank">http://goo.gl/vA6nrB</a>. All I want is to restrict/control (using time) access to TIMEWASTAGESITES :-)</div><div>I do not need to bump at all.</div><div></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">(My English could be my undoing here :-))<br></div><div class="gmail_extra"><br></div><div>Thanks for your patience in baby-sitting me.</div><div><br></div><div><br></div>-- <br><div><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">"</span></div></div></div>
</div></div>