[squid-users] ssl_bump newbie troubles

Odhiambo Washington odhiambo at gmail.com
Wed Apr 20 20:22:23 UTC 2016


On 20 April 2016 at 18:38, Alex Rousskov <rousskov at measurement-factory.com>
wrote:

> On 04/20/2016 08:16 AM, Odhiambo Washington wrote:
>
> > I even wonder if this config is correct:
> >
> > acl ssl_bump_broken_sites  dstdomain ...
> > ssl_bump none ssl_bump_broken_sites
> > ssl_bump peek step1
> > ssl_bump stare step2
> > ssl_bump bump all
>
> You did not say what you want Squid to do, so it is difficult to say
> whether the config is correct. However, the following combinations look
> strange to me:
>
> * old "none" and new "peek" actions; use "splice" instead of "none"
> * sometimes contradictory "peek" and "stare" actions; pick one kind
> * sometimes contradictory "peek" and "bump" actions; if you intend to
> bump, use "stare"
>
> Also, you may want to use ssl::server_name ACL instead of dstdomain.
> Remember that Squid may have no domain information until it is too late
> to splice. Here is a polished config that may or may not do what you want:
>
>   # Bump aggressively, including discovered-too-late broken_sites:
>   acl ssl_bump_broken_sites ssl::server_name ...
>   ssl_bump splice ssl_bump_broken_sites
>   ssl_bump stare all
>   ssl_bump bump all
>

Hi Alex,

Thank you for looking into and advising about this. I really do not want to
get intrusive on the setup.
All I want is the ability to intercept SSL sites and control access to them
using TIME ACLs. That's all.
Sites should be accessed without any interference apart from determining at
what time they can be accessed by certain restricted users. Think about
restricting facebook.com, youtube.com, etc., which otherwise I would not have
control over in a normal intercept. That's the only reason I need this
ssl_bump stuff.

So, in simple terms:
1. UserX tries to access facebook.com/youtube.com
2. I intercept transparently https traffic
3. I tell squid "don't allow this user to access facebook.com at this time,
but let them access at some-other-time"
4. If time is right, let UserX access the site.

I still need to wrap my head around these 'stare' and 'peek' and what
happens with them.


> > I had to import my CA to all devices (as a trusted CA) on
> > the network so that they don't get the MITM notification. [...] People
> > don't like intrusive changes.
>
> "ssl_bump bump" implies intrusiveness. You need to decide whether
> bumping connections is important enough to be intrusive. The alternative
> is passive monitoring/splicing that does not require intrusive changes
> but gives you less control. Pick your poison.
>
> Alex.
>


So it looks like all I need is a setup of passive monitoring, given my
explanation above, right?
Don't bump, just monitor and restrict access to some users based on time.
Generally I want to control access to those sites users usually waste time
on during work hours :-)




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
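The passive (splice-only) setup the thread converges on, written out as an added squid.conf fragment that is not from the thread or from the Squid project: Squid peeks at the TLS ClientHello to learn the server name, then either closes or splices the connection based on a time ACL. The subnet, domain list and schedule are constructed placeholders; `at_step`, `ssl::server_name`, `time`, `peek`, `terminate` and `splice` are standard Squid 3.5+ features.

```squid
# Added example (not from the thread): time-based control of intercepted
# HTTPS without bumping. Squid only learns the site name after peeking at
# the TLS ClientHello (step 2), so the decision is made there, not at step 1.
# Subnet, domain list and schedule below are constructed placeholders.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Users whose access is time-restricted (constructed subnet)
acl restricted_users src 192.168.10.0/24

# Sites to restrict, matched on the SNI carried in the TLS ClientHello
acl timewasters ssl::server_name .facebook.com .youtube.com

# Working hours, Monday to Friday (Squid day letters: S M T W H F A)
acl workhours time MTWHF 08:00-17:00

# Step 1: no SNI yet; peek so the ClientHello is read but nothing is altered
ssl_bump peek step1

# Step 2: SNI is known. Close the connection for restricted users on
# restricted sites during working hours; everyone else is spliced through
# untouched (no MITM, no CA needs to be installed on the clients).
ssl_bump terminate step2 restricted_users timewasters workhours
ssl_bump splice all
```

Because the connection is spliced rather than bumped, control is per site (SNI), not per URL, and a terminated connection shows up in the browser as a connection failure rather than a Squid error page.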

