<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 22 April 2016 at 02:16, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On 04/21/2016 03:26 PM, Odhiambo Washington wrote:<br>
<span>> On 21 April 2016 at 23:14, Alex Rousskov wrote:<br>
> Logging aside, your latest random configuration is equivalent to<br>
</span>> [...] not intercepting SSL at all, which brings<br>
<span>> us back to the old question: What do you want Squid to do?<br>
<br>
<br>
> If I could intercept SSL and do nothing EXCEPT subject the domains to<br>
> time ACLs, that'd be all.<br>
<br>
</span>You are going back to the problem we have already discussed. Please slow<br>
down and translate your description above into what should happen to<br>
user connections that match your "time ACLs".<br></blockquote><div><br></div><div><br></div><div>*slow down mode engaged*</div><div><br></div><div>You have given me these two templates:</div><div><br></div><div>(1)</div><div><font color="#9900ff"><span style="font-size:12.8px">If you want Squid to not intrude except when terminating prohibited </span><span style="font-size:12.8px">traffic, then start with this sketch:</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px"> ssl_bump terminate prohibited_traffic</span><br style="font-size:12.8px"></font><span class="im" style="font-size:12.8px"><font color="#9900ff"> ssl_bump peek all<br> ssl_bump splice all</font><br><br>I would have preffered this option, first because it doesn't involve me installing my CA on all user devices and secondly because of no intrusion. However I cannot figure out how to deal with this when it comes to ACLs because '<b>terminate</b>' isn't really what I think I want. What I want is as follows:</span></div><div><span class="im" style="font-size:12.8px">(a) squid receives requiest from a particular host for <a href="http://facebook.com">facebook.com</a>. Host is identified by MAC Address or IP</span></div><div><span class="im" style="font-size:12.8px">(b) squid decides (based on ACLs) if host is allowed access to <a href="http://facebook.com">facebook.com</a> at this time, then allows it <br>(c) squid throws an error message if host is not allowed access at this time.</span></div><div><span class="im" style="font-size:12.8px"><br></span></div><div><span class="im" style="font-size:12.8px">If I could achieve the above, I will be fine. How to craft the configs is my trouble. I keep fumbling.</span></div><div><span class="im" style="font-size:12.8px"><br></span></div><div><span class="im" style="font-size:12.8px"><br>(2)<br></span><font color="#7f6000"><span style="font-size:12.8px">If you want Squid to intrude (where possible) and block prohibited</span><br style="font-size:12.8px"><span style="font-size:12.8px">traffic, then install your CA certificates on all user devices and start</span><br style="font-size:12.8px"><span style="font-size:12.8px">with this sketch:</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px"> ssl_bump splice things_that_are_impossible_to_</span><span style="font-size:12.8px">bump</span><br style="font-size:12.8px"><span class="im" style="font-size:12.8px"> ssl_bump stare all<br> ssl_bump bump all<br></span><span style="font-size:12.8px"> http_access deny prohibited_traffic</span></font><br></div><div><font color="#7f6000"><span style="font-size:12.8px"><br></span></font></div><div><font color="#500050"><span style="font-size:12.8px">Now here, the CA challenge abounds. We have a guest SSID on our WLAN and this means I have to install the CAs even for guests or redo the network to be able to accommodate guest users browsing without being subjected to our internal policies.</span></font></div><div><font color="#7f6000"><span style="font-size:12.8px"><br></span></font></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* Does "subject the domains to time ACLs" mean "immediately close<br>
connections that match" those ACLs?<br></blockquote><div><br></div><div>No.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* Or does it mean "serve Squid error pages" over connections that match<br>
those ACLs?<br></blockquote><div><br></div><div>Yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Once you decide, apply one of the two templates provided (the two<br>
templates correspond to which of the two questions you answer "yes").<br>
<span><br>
<br>
> I just want the data passing through squid for me to determine who is<br>
> allowed to access it and at what time.<br>
<br>
</span>Assume Squid has made that access determination you want to make, and<br>
the user is not allowed. Now what: Close the connection? Or serve an<br>
error page?<br>
<br></blockquote><div><br></div><div>Serve an error page.</div><div><br></div><div>. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
> I do have time ACLs, [...]<br>
<br>
The specifics of your ACLs are irrelevant at this stage. You can fix<br>
them later once you get overall SslBump setup working the way you want.<br>
You can assume that there is just one ACL called "prohibited_traffic" or<br>
"good_traffic". Now write the rules that determine what happens to<br>
connections that match one of those two ACLs.<br></blockquote><div><br></div><div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
> If you want Squid to not intrude except when terminating prohibited<br>
> traffic, then start with this sketch:<br>
><br>
> ssl_bump terminate prohibited_traffic<br>
> ssl_bump peek all<br>
> ssl_bump splice all<br>
><br>
><br>
> Lemme see if I understand this. I have a problem wrapping my head around<br>
> 'terminate' (as a terminology, maybe)<br>
<br>
</span>"terminate" means "close the SSL connection(s) immediately". No error<br>
response is sent by Squid to the user. It does not get much simpler than<br>
that! The browser will probably show some "secure connection could not<br>
be negotiated" error to the user with no usable details [because Squid<br>
sent nothing to the browser in this case].<br>
<span><br></span></blockquote><div><br></div><div>That is NOT what I want. I need squid to serve an error page that "Access is denied at this time.."</div><div>I think it's usually something like "access controls prohibit you from access this page at this time...".</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span>
<br>
> and 'prohibited_traffic' (also as a terminology).<br>
<br>
</span>Just some ACL name. You will define that aggregate ACL later to match<br>
any traffic you want to prohibit. It will contain a combination of time<br>
and server name ACLs. Other details are not important until your SslBump<br>
[and http_access rules] are correct.<br></blockquote><div><br></div><div>Okay.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
If you do not know how to aggregate ACLs, look for "any-of" and "all-of"<br>
in squid.conf.documented, but, again, ACL specifics are not important<br>
right now. They will become important at stage three. Now you are<br>
struggling with stage one: Deciding what to do with matching SSL<br>
connections (close or serve error pages).<br></blockquote><div><br></div><div>Sure, I am really struggling to understand this. I would like to serve error pages. A complete example of this would really help. I am thinking, based on the two templates you gave and going with the one where squid intrudes, that it could be like below, but to be honest I am not sure so kindly correct me.</div><div><br></div><div><br></div><div><div>acl time_wastage_sites_ssl ssl::server_name .<a href="http://facebook.com">facebook.com</a> .<a href="http://youtube.com">youtube.com</a></div><div>ssl_bump splice time_wastage_sites_ssl</div><div>ssl_bump stare all</div><div>ssl_bump bump all</div></div><div><div>http_access allow time_wastage_sites_ssl privileged-staff</div><div>http_access allow time_wastage_sites_ssl privileged-clients</div><div>http_access allow time_wastage_sites_ssl TIMElunch</div><div>http_access allow time_wastage_sites_ssl TIMEafterhoursAFT</div><div>http_access allow time_wastage_sites_ssl TIMEafterhoursMORN</div><div>http_access allow time_wastage_sites_ssl TIMEsatALLDAY</div><div>http_access allow time_wastage_sites_ssl TIMEsundALLDAY</div><div>http_access deny time_wastage_sites_ssl</div></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
FWIW, my recommendation is to terminate/close and find other ways to<br>
inform users about their policy violations.</blockquote><div> <br></div><div><br></div></div><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">"</span></div></div></div>
</div></div>