[squid-users] Filtering HTTPS URLs - A complete configuration

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 12 21:48:51 UTC 2019


On 2/11/19 3:55 AM, Paul Doignon wrote:

>> The closest you are going to get to the above is with:
>> * bump everything[1], and
>> * use http_access to check the https:// URLs for your policy
>> * use "deny_info TCP_RESET" [2] on the blocked requests.
>>
>> [1] some things literally cannot be bumped. So a decision needs to be
>> made about what to do then.

> I guess adding this second line will terminate those un-bumpable requests?

No, that second ssl_bump line has no effect -- it will never be reached.

You are probably misinterpreting what was meant by "literally cannot be
bumped". What was meant by that phrase was that bumping certain
connections always results in client and/or server errors, regardless of
how you configure Squid. In those cases, Squid will still perform the
bump action if you tell it to bump, but that action will not lead to a
functioning tunnel through Squid.

In general, Squid itself cannot predict which connections can be
successfully bumped. You have to tell it (using ACLs, like the
whitelisted ACL in the example below).


> ssl_bump bump all
> ssl_bump terminate all

The first line emulates client-first bumping. That is not what you want.

To bump all connections, you could use something like this:

  ssl_bump stare all
  ssl_bump bump all

To bump all connections except whitelisted ones, you probably want
something like this:

  ssl_bump splice whitelisted
  ssl_bump stare all
  ssl_bump bump all

... where whitelisted is your ACL implementing your white listing policy
(i.e. matching TLS connections that should be spliced). It may use
ssl::server_name and probably other ACLs.

More details at https://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.
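As an added example (not part of the original message or of Squid's own documentation), the following squid.conf fragment assembles the pieces discussed in this thread: the splice/stare/bump ladder above, an http_access check on the https:// URLs that become visible once a connection is bumped, and deny_info TCP_RESET on the blocked requests. The CA certificate path, the certgen program path, the listening port, the ACL names, the .pinned.example domain and the /forbidden/ URL pattern are placeholders chosen for illustration; substitute your own.

```conf
# Added example, not from the original post. Paths, port, domain and URL
# pattern below are placeholders.

# SslBump listener: Squid mints server certificates on the fly, signed by
# the CA in myCA.pem. Clients must trust that CA or every bumped site
# will show a certificate error.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Client network allowed to use the proxy (placeholder range).
acl localnet src 10.0.0.0/8

# Connections that "literally cannot be bumped" (certificate pinning and
# similar). Squid cannot predict these itself; they must be listed here so
# they are spliced instead of bumped. Matches the SNI / server name.
acl whitelisted ssl::server_name .pinned.example

# Bump everything except the whitelist. Order matters: splice is tried
# first, then stare (to see the server certificate), then bump.
ssl_bump splice whitelisted
ssl_bump stare all
ssl_bump bump all

# After bumping, requests carry full https:// URLs and can be filtered with
# ordinary http_access rules. The CONNECT request itself (host:443) does
# not match this pattern, so the check applies only to bumped requests.
acl blocked_https url_regex -i ^https://[^/]+/forbidden/

# Deny must come before the general allow, otherwise it is never reached.
http_access deny blocked_https
# Send a TCP reset instead of an error page for the blocked requests.
deny_info TCP_RESET blocked_https

http_access allow localnet
http_access deny all
```

Two caveats worth checking in practice: the whitelisted ACL decides what is spliced, so anything that fails under bumping but is not in that list will still be bumped and break, exactly as described above; and because http_access is evaluated top-down, the deny for blocked_https has to precede the allow for localnet or the rule is dead.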

