[squid-users] Sslbump with multiple users and multiple ACLs for each
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Thu Jan 3 17:00:50 UTC 2019
On 03/01/2019 12:37, stressedtux wrote:
> Hi guys!
>
> I need a hand to understand if it is possible to configure the proxy a
> particular way.
>
> I'm needing to configure the proxy to allow at the same time:
>
> - a whitelist of sites that anyone that uses the proxy could use without
> login
> - and in addition to that I need to have specific ACLs for different
> authenticated users.
>
> I need to control both http and https connections to external sites. I can
> use sslbump but I'm having a hard time configuring sslbump with proxy_auth, and
> on top of that, I need different acl whitelists for different users.
>
> Is this kind of configuration possible? Just trying to understand if I'm on a
> dead road :D
>
> Thanks in advance!
> Tux

This link helped me a lot with ssl_bump:
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

To bump intercepted (implicit) https connections, you would need to add
'https_port' with 'intercept' option to another REDIRECTed port,
considering the example from the link. To 'bump' connections you need to
add your self-signed certificate to the clients' trusted store, or else
they will always receive certificate errors in their browsers.

Keep in mind that you don't need to use ssl_bump to block/allow https
sites in most cases (in explicit mode, for example). Bumping is most
useful if you're willing to audit the users' access at a deeper level or
cache web content from https websites.

If setting up the clients is a problem for you, use 'splice' instead. It
won't open the https traffic for you though.

The users and white-list part is a very common setup; there are lots of
examples out there.

-Bruno
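
The layout asked about above (a shared whitelist without login plus per-user whitelists), sketched for explicit proxy mode where, as the reply notes, https sites can be allowed or blocked without ssl_bump. This is an added example, not configuration from the thread or from the Squid project; the helper path, password file, list file names and the users alice and bob are assumptions.

```squidconf
# Added example. Paths, list files and user names are assumptions.
http_port 3128

# Basic authentication through the NCSA helper shipped with Squid
# (the helper's install path differs between distributions).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours

# Destination lists, one domain per line (".example.com" also matches subdomains).
acl open_sites  dstdomain "/etc/squid/lists/open_sites.txt"
acl alice_sites dstdomain "/etc/squid/lists/alice_sites.txt"
acl bob_sites   dstdomain "/etc/squid/lists/bob_sites.txt"

# Per-user ACLs. Evaluating a proxy_auth ACL without credentials is what
# makes Squid answer with a 407 challenge.
acl user_alice proxy_auth alice
acl user_bob   proxy_auth bob

acl SSL_ports port 443
acl connect_method method CONNECT

# Refuse CONNECT tunnels to anything other than port 443.
http_access deny connect_method !SSL_ports

# 1. Shared whitelist. It comes before any rule that references proxy_auth,
#    so these sites never trigger a login prompt. In explicit mode the
#    CONNECT request carries the host name, so dstdomain covers https too.
http_access allow open_sites

# 2. Per-user whitelists. The destination ACL is tested first, so a login
#    is only requested when the site is on that user's list.
http_access allow alice_sites user_alice
http_access allow bob_sites   user_bob

# 3. Everything else is refused. Ending on "all" avoids a repeated
#    authentication prompt for a logged-in user who is simply not allowed.
http_access deny all
```

Rule order is the control here: moving the `open_sites` line below either per-user line would not break the whitelist, but any rule placed above it that references a `proxy_auth` ACL without a destination test first would force a login for every request.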