[squid-users] Novice question on TPROXY and SSL-BUMP behavior
Amos Jeffries
squid3 at treenet.co.nz
Thu May 21 10:27:26 UTC 2015
On 21/05/2015 2:42 a.m., Nick Belnap wrote:
> I've been tasked with preventing a client's users from accessing
> consumer Gmail accounts while only accessing their corporate Google Apps
> accounts. Google gives an overview here:
> https://support.google.com/a/answer/1668854?hl=en.
<snip>
>
> Being a novice at Squid and iptables I've done a lot of Googling to get this far but have hit the wall I think with this problem. Can anyone see why the ssl-bump might not be working for tproxy connections?
>
> What am I missing?
Same thing everyone seems to be missing with SSL-Bump. The fact that TCP
packet headers don't contain a domain name. Only the IP:port the TCP
connection is going to.
So the "Google" dstdomain ACL does not work on the fake CONNECT request
Squid generates from the IP:port details.
Replace these:
acl Google dstdomain .google.com
ssl_bump server-first Google
With these (in this specific order):
acl GoogleBump ssl::server_name .google.com .gmail.com
ssl_bump peek all
ssl_bump bump GoogleBump
ssl_bump splice all
Amos