<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 21 April 2016 at 23:14, Alex Rousskov <span dir="ltr"><<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">On 04/21/2016 01:59 PM, Odhiambo Washington wrote:<br>
<span class="">> On 21 April 2016 at 22:04, Amos Jeffries wrote:<br>
><br>
> On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:<br>
</span><span class="">> > I have now changed to *configurations suggested specifically for your use<br>
> > case, on this email thread* :)<br>
<br>
> > acl no_ssl_interception ssl::server_name<br>
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"<br>
> > ssl_bump splice no_ssl_interception<br>
> > ssl_bump stare all<br>
> > ssl_bump bump all<br>
<br>
<br>
</span><span class="">> No the "stare" being done will prevent splice and you will see breakage<br>
> or unexpected things again.<br>
> You have to replace 'stare' with 'peek' AND replace 'bump' with<br>
> 'splice'.<br>
<br>
<br>
> Like below???<br>
<br>
<br>
> acl no_ssl_interception ssl::server_name<br>
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"<br>
> ssl_bump splice no_ssl_interception<br>
> ssl_bump peek all<br>
> ssl_bump splice all<br>
<br>
<br>
</span>Logging aside, your latest random configuration is equivalent to<br>
<br>
ssl_bump splice all<br>
<br>
which means you are better off not intercepting SSL at all, which brings<br>
us back to the old question: What do you want Squid to do?<br></blockquote><div><br></div><div>If I could intercept SSL and do nothing EXCEPT subject the domains to time ACLs, that'd be all. I do not need any bumping to be precise.</div><div>I just want the data passing through squid for me to determine who is allowed to access it and at what time.</div><div><br></div><div>I do have time ACLs, which I use in conjunction with MAC ACLs and certain domain, like <a href="http://facebook.com">facebook.com</a>. Right now I rely on destdomain to identify the domains.</div><div>With domains using SSL, I cannot use destdomain, right? Let me demonstrate with config snippets from my squid.conf, perhaps that would explain it better and maybe I will find a better easier way out that this ssl_bump monster:-)</div><div><br></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">acl TIMEweekdaysALLDAY time MTWHF 09:00-17:00
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMElunch time MTWHF 12:00-13:59
acl TIMEafterhoursAFT time MTWHF 14:30-23:59
acl TIMEsatMORN time A 00:00-07:00
acl TIMEsatAFT time A 11:00-23:59
acl TIMEsatALLDAY time A 00:00-23:59
acl TIMEsundALLDAY time S 00:00-23:59</pre></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"># Internet Access Regulation
# Some privileged staff - can browse unrestricted
acl privileged-staff arp "/usr/local/etc/squid/privileged_mac_addresses.txt"</pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><pre style="word-wrap:break-word;white-space:pre-wrap"># Sites staff waste all their time on - Social Networks, streaming sites, etc
acl TIMEWASTAGESITES dstdomain "/usr/local/etc/squid/time_wastage_sites.txt"</pre><pre style="word-wrap:break-word;white-space:pre-wrap"># TIMEWASTAGESITES
http_access allow TIMEWASTAGESITES privileged-staff
http_access allow TIMEWASTAGESITES TIMElunch
http_access allow TIMEWASTAGESITES TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES TIMEsatALLDAY
http_access allow TIMEWASTAGESITES TIMEsundALLDAY
http_access deny TIMEWASTAGESITES</pre><pre style="word-wrap:break-word;white-space:pre-wrap"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;white-space:normal"><br></span></pre><pre style="word-wrap:break-word;white-space:pre-wrap"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;white-space:normal">Now, the above used to work until <a href="http://facebook.com">facebook.com</a>, <a href="http://youtube.com">youtube.com</a>, and others switched to HTTPS. After that it wasn't possible for me to control access to them.</span></pre><pre style="word-wrap:break-word;white-space:pre-wrap"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;white-space:normal">So really, all I want is the ability to intercept SSL and subject it to those time ACLs for a class of users. Nothing more.</span></pre></pre></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
If you want Squid to not intrude except when terminating prohibited<br>
traffic, then start with this sketch:<br>
<br>
ssl_bump terminate prohibited_traffic<br>
<span class=""> ssl_bump peek all<br>
ssl_bump splice all<br></span></blockquote><div><br></div><div>Lemme see if I understand this. I have a problem wrapping my head around 'terminate' (as a terminology, maybe) and 'prohibited_traffic' (also as a terminology).</div><div>So, are you saying that prohibited_traffic here is something like:</div><div><br></div><div>acl TIMEWASTAGE_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"<br></div><div><br></div><div>And in that file I have</div><div>.<a href="http://facebook.com">facebook.com</a></div><div>.<a href="http://youtube.com">youtube.com</a></div><div>...</div><div><br></div><div>Then I just apply my usual time ACLs..</div><div><br></div><div>http_access allow TIMEWASTAGESITES_SSL privileged_staff</div><div>http_access allow TIMEWASTAGESITES_SSL TIMElunch<br></div><div>http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursAFT</div><div>http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursMORN</div><div>http_access allow TIMEWASTAGESITES_SSL TIMEsatALLDAY</div><div>http_access allow TIMEWASTAGESITES_SSL TIMEsundALLDAY</div><div>http_access deny TIMEWASTAGESITES_SSL</div><div><br></div><div>That is more like all I want - use <b>ssl::server_name</b> instead of <b>dstdomain. </b> The sites are NOT prohibited per se, and 'terminate' kinda scares me. I need to RTFM about this 'terminate' again and again until I can sing it:)</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">
<br>
</span>If you want Squid to intrude (where possible) and block prohibited<br>
traffic, then install your CA certificates on all user devices and start<br>
with this sketch:<br>
<br>
ssl_bump splice things_that_are_impossible_to_bump<br>
<span class=""> ssl_bump stare all<br>
ssl_bump bump all<br>
</span> http_access deny prohibited_traffic<br>
<span class=""><font color="#888888"><br>
Alex.<br>
<br>
</font></span></blockquote></div><br><br>I actually believe I do not need any mention of ssl_bump, but the confusion for me arises out of TWO things:</div><div class="gmail_extra"><br></div><div class="gmail_extra">1. In my firewall (FreeBSD PF), redirecting traffic destined to port 443 via squid wasn't an option prior to the intruduction of the SSL interception, right?</div><div class="gmail_extra">2. In squid.conf, I did not yet figure out if I can use just</div><div class="gmail_extra"> </div><div class="gmail_extra"><br></div><div class="gmail_extra"> https_port 13129 intercept</div><div class="gmail_extra"><br></div><div class="gmail_extra">Instead of </div><div class="gmail_extra"><br></div><div class="gmail_extra"> https_ports NNNN intercept ssl-bump ...... ....</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">I hope this time round I have explained myself well. <br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>Thank you.</div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">"</span></div></div></div>
</div></div>