[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump
Yuri Voinov
yvoinov at gmail.com
Wed Jun 24 16:25:29 UTC 2015
Never mind, Tom. I have my own cockroaches in my head. For content
filtering alone, I would not put in a caching proxy. So that's it.
24.06.15 22:22, Tom Mowbray writes:
> Yuri,
>
> The proxy is being used as a content filter, i.e. domain and URL
> whitelisting and blacklisting.
>
> I guess my real question is simply about how this traffic is processed
> with regard to where I've defined options in my squid.conf?
>
> Also, why does it appear to "bump" all sites when my config says to
> "splice" all?
>
> -Tom
>
>
> Tom,
>
> one simple question.
>
> Soon, all or almost all of the Internet will go to HTTPS. Why do you then
> need a caching proxy? To tunnel the connection and process ACLs?
>
> My second question is to Amos. Amos, what the hell do we need a caching
> proxy for under these conditions?
>
> WBR, Yuri
>
> 24.06.15 21:41, Tom Mowbray writes:
>> Squid 3.5.5
>>
>> I seem to have some confusion about how acl lists are processed in
>> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting
>> to use ssl_bump directives with transparent proxy.
>>
>> Based on available documentation, I believe my squid.conf is correct,
>> however it never seems to actually behave as expected.
>>
>> I define the SSL port, as usual:
>>
>> acl SSL_ports port 443
>>
>> But here's where my confusion lies... Many state to place the following
>> line above the ssl_bump configuration lines:
>>
>> http_access allow SSL_ports
>>
>> However when I do this, it appears to simply stop processing any other
>> rules and allows ALL https traffic through the proxy (which is
>> actually how I'd expect a standard ACL list to operate, but then how do
>> I actually filter the traffic through our content-based ACL lists?). If
>> I put the above line below the ssl_bump configuration options in my
>> squid.conf, then it appears to BUMP all, even though I've told the
>> config to SPLICE all https traffic, which doesn't work for our
>> deployment.
>>
>> So, does squid actually continue to process the https traffic using the
>> ssl_bump rules if the "http_access allow SSL_ports" line is placed
>> above it in the configuration?
>>
>> I should note that we've been able to get filtering to work correctly
>> when using our configuration in NON-transparent mode, however our goal
>> is to get this functionality working as a transparent proxy. We're
>> unable to load our self-signed cert onto client machines that will be
>> accessing the proxy, so using the "bump" or man-in-the-middle style
>> https filtering isn't a viable option for us.
>>
>> Any help or advice is appreciated!
>>
>> Thanks,
>>
>> Tom
>
>
>
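A squid.conf fragment for the transparent, splice-only filtering setup Tom describes, added here as an illustration; it is not taken from the thread or from any reply in it. The port numbers, certificate path, client network and blocklist file name are assumptions, and the firewall redirect rules that steer ports 80/443 to the intercept ports are outside the fragment. The point it shows: `ssl_bump` and `http_access` are separate rule lists, each evaluated in its own order with first match winning, so what decides whether the content ACLs are ever reached is where `http_access allow SSL_ports` sits among the other `http_access` lines, not where it sits relative to the `ssl_bump` lines.

```conf
# Added example, not from the thread. Squid 3.5 transparent proxy that
# filters HTTPS by the server name in the TLS ClientHello (SNI) and then
# splices (tunnels) the connection without decrypting it, so no CA
# certificate has to be installed on client machines.

http_port  3128                       # explicit (non-transparent) clients
http_port  3129 intercept             # redirected port-80 traffic
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/squid.pem     # assumed path; required by ssl-bump

acl localnet src 192.168.0.0/16       # assumed client network
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Constructed content-filter list, one dstdomain per line (e.g. ".example.com").
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"

# ssl_bump list: peek at step 1 to read the ClientHello and its SNI, then
# splice everything. Squid re-evaluates http_access for the fake CONNECT it
# builds from the SNI, which is what lets dstdomain ACLs see the host name.
ssl_bump peek step1
ssl_bump splice all

# http_access list: first match wins. The weak ordering from the post is
# kept below, commented out: an unconditional allow for port 443 placed
# ahead of the content rules means the deny is never reached for HTTPS.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow SSL_ports          # weak: short-circuits blocked_sites
http_access deny blocked_sites        # content filter, evaluated first
http_access allow localnet            # then permit the remaining clients
http_access deny all
```

With this ordering a blocked domain is refused at the CONNECT stage, before any TLS payload is relayed, and every other HTTPS connection is spliced through untouched. Whatever causes the "bumps everything" behaviour Tom reports is not explained anywhere in this thread, so the fragment does not claim to diagnose it; it only shows the ordering that keeps the content ACLs in play.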