[squid-users] SSL-Bump to specific users

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 30 17:51:57 UTC 2015


On 31/10/2015 5:36 a.m., Rodrigo de Lima Silva wrote:
> Thanks for your reply Alex,
> 
> I understood your considerations. Maybe, I really didn't understand very
> well how the SslBump works, the differences between peek and splice and
> steps SslBump1, 2 and 3.
> 
> I'm searching and studing about this last two days, and I need to undertand
> better about this questions.


You may have found them already, but if not these wiki pages should help
you understand a bit more.

The particular one Alex and I think you need to understand is
<http://wiki.squid-cache.org/SquidFaq/SquidAcl> which documents how
Squid access controls operate. What they are and how to use them.

Once you understand the ACLs you may have a clearer idea how to extend
yoru rules properly using the information in
<http://wiki.squid-cache.org/Features/SslPeekAndSplice>. Which documents
what the SSL-Bump actions are, what they do and at what stages of the
TLS handshake process they can happen.

> 
> There's a way to join ssl_bump + a simple acl? Basicly, I would like to
> permit access to some sites, like facebbok, linkedin, for example. during a
> period of day time, for example:
> 
> acl after_work time MTWHFAS 18:00-21:00
> ssl_bump terminate deny_https_sites !after_work
> 

Once you understand what the "Common Mistakes" section of the ACL wiki
page is talking about you will know the answer to your question. It
describes the problem Alex was talking about, but in slightly simpler terms.

Hint: you say you want to permit things. But you are writing rules with
"deny" / "terminate" as the action for Squid to do. Seems a bit
backwards, yes?

The outcome of the above rules may be the behaviour you desire. But the
rule is not specifying the policy you wrote about. It is specifying
another policy that happens to act the same (most of the time). And
"most of the time" is how strange problems appear later.



PS. Apologies if we seems to be obstructing. But you really do need to
properly know how Squid ACLs work if you are going to be configuring
Squid. They are used for controlling almost everything, as you will see
in those wiki pages.

Amos


More information about the squid-users mailing list