[squid-users] Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode
Amos Jeffries
squid3 at treenet.co.nz
Sat Feb 25 07:02:23 UTC 2017
On 20/02/2017 8:33 p.m., Test1964 wrote:
> Hi,
>
> When I exclude some sites (like banks) with ssl_bump peek/splice, that
> works well. Got a new problem: the sites that I exclude can not be
> blocked using Url_Rewrite.
> I use Url_rewrite to block sites based on User IP, and for all other
> sites (not in the exclude list) it is working very well.
>
> How to fix it? Or is there another way to block excluded sites in ssl_bump
> based on User IP?
>
Block things using an access control mechanism. That is what access
controls (ACLs, http_access, deny_info) are for.
If your blocking conditions are so complex or dynamic that Squid ACLs
are not able to cope, then use an external_acl_type helper to give the
allow/deny result, and also consider whether you can simplify the access policies.
Do not use a URL routing mechanism to do 'access control' operations.
Changing the destination of a message can *only* work if the relevant
security is equivalent for both paths the message can take.
Re-write has the _appearance_ of working in HTTP because plain-text is
built on complete trust of the proxy. HTTPS is not; it contains
mechanisms to verify honesty, which is what is preventing your abuse of HTTP.
NP: If you were doing a proper HTTP *redirect* (with appropriate 30x
status codes) it would work, but it would still be wrong to do access control that way.
Amos
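The approach Amos describes, as an added squid.conf fragment that is not part of the original thread or the Squid project's own documentation: the spliced (not decrypted) sites and the blocked client IPs are expressed as ACLs, and http_access denies the combination before ssl_bump decides how to handle the TLS stream. The port number, certificate path, ACL names and the client list file are assumptions.

```squid
# Added example (not from the original post). Transparent HTTPS interception
# with peek/splice, where a set of client IPs is blocked from the spliced
# sites via http_access instead of url_rewrite.
https_port 3129 intercept ssl-bump cert=/etc/squid/example-cert.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Sites that must be spliced (never decrypted), matched on the TLS SNI.
# In intercept mode the SNI is only known after the step-1 peek.
acl nobump_sites ssl::server_name .bank.example

# Client IPs that are not allowed to reach the splice-listed sites
# (constructed list file, one address or CIDR per line).
acl blocked_clients src "/etc/squid/blocked_clients.txt"

# http_access is evaluated on the (fake) CONNECT at every SslBump step.
# At step 1 only the destination IP is known, so the deny line does not
# match yet; at step 2 the SNI is known and the combination is denied.
# On a spliced path there is no HTTP error page to serve: the client
# simply sees its TLS connection closed.
http_access deny blocked_clients nobump_sites
http_access allow localnet
http_access deny all

# Only after access control passes does Squid choose peek/splice/bump.
ssl_bump peek step1
ssl_bump splice nobump_sites
ssl_bump bump all
```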