[squid-users] req_header acl with ssl_bump
Toler, Matt
Matt.Toler at netapp.com
Wed Dec 7 21:26:11 UTC 2022
Hello,
We are attempting to leverage headers to isolate access to external sites with squid 4.14. The load balancer is injecting headers and squid is simply verifying them:
acl ACL_HDR_1 req_header Repo_Svr_VerifiedHdr True
acl REPO_DST_ALLOW dstdomain "/etc/squid/acls.d/hosts.acl"
http_access allow PROXY-SRC REPO_DST_ALLOW ACL_HDR_1
We are currently decrypting this traffic and it's working well.
Now we have a requirement to skip ssl decrypt for only certain destinations. My thought was to simply create a separate ACL where skipping ssl decrypt is required and add the header ACL to the end of the ssl_bump directive like so:
acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
acl Repo_SkipSslDecrypt dstdomain "/etc/squid/acls.d/hosts.acl"
ssl_bump none Repo_SkipSslDecrypt Repo_Skip_HDR
This parsed successfully but did not have the desired effect. The squid is still inspecting the traffic even with the header present, as we can see in the logs. Making things a little more complex, the ssl_bump directive seems to have a global effect and also imply "http_access allow", making it difficult to isolate access. To get around this I thought to simply skip ssl decrypt for the traffic with verified headers:
acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
ssl_bump none Repo_Skip_HDR
Unfortunately even this isn't working: again the config checks out and runs happily, and we see the header in the logs, but squid still tries to inspect the traffic.
Any thoughts on why ssl_bump would ignore the header ACL, or other suggestions to isolate traffic when being required to skip ssl decrypt, would be greatly appreciated.
Thanks in advance.
Regards,
Matt Toler
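The post relies on reading the access log by eye to see whether the header was present and whether Squid still decrypted the connection. As an added example (not part of the post and not Squid code), the script below does that check over log lines written with a custom logformat that records Squid's own bump decision next to the verification header. The logformat name `bumpcheck`, the skip-list entries and the log lines are constructed for the example; the header name and the ACL intent come from the post. The logformat it assumes is:

    logformat bumpcheck %ts.%03tu %>a %rm %ru %Ss/%>Hs %ssl::bump_mode hdr=%>h{Repo_Svr_VerifiedHdr}
    access_log /var/log/squid/bumpcheck.log bumpcheck

```python
"""Flag Squid transactions that were decrypted although the load balancer's
verification header was present and the destination is on the skip list.

Added example for the squid-users thread; assumes the hypothetical
"bumpcheck" logformat shown in the lead-in (one space-separated record per
line, last field "hdr=<value>", where an absent header is logged as "-").
"""
from urllib.parse import urlsplit

# Mirrors the post's hosts.acl. Constructed entries; a leading dot matches the
# domain and all of its subdomains, the way Squid's dstdomain ACL does.
SKIP_DOMAINS = {".repo.example.net", "mirror.example.org"}

# Constructed log lines in the assumed "bumpcheck" format.
SAMPLE_LOG = """\
1670448371.123 10.0.0.5 CONNECT files.repo.example.net:443 TCP_TUNNEL/200 splice hdr=True
1670448372.456 10.0.0.5 CONNECT mirror.example.org:443 TCP_TUNNEL/200 bump hdr=True
1670448372.789 10.0.0.5 GET https://mirror.example.org/pkgs/index.html TCP_MISS/200 bump hdr=True
1670448373.001 10.0.0.6 CONNECT other.example.com:443 TCP_TUNNEL/200 bump hdr=-
1670448374.002 10.0.0.7 CONNECT files.repo.example.net:443 TCP_TUNNEL/200 bump hdr=-
""".splitlines()


def domain_matches(host, skip_domains):
    """Emulate dstdomain matching: exact host, or suffix match for dotted entries."""
    host = host.lower()
    for entry in skip_domains:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def parse_line(line):
    """Split one bumpcheck-format line into a dict; None if the line is malformed."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].startswith("hdr="):
        return None
    ts, client, method, url, status, bump_mode, hdr = parts
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # CONNECT requests log host:port
    else:
        host = urlsplit(url).hostname or ""   # decrypted requests log a full URL
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "host": host,
        "status": status,
        "bump_mode": bump_mode,
        "verified": hdr[len("hdr="):] == "True",
    }


def find_unexpected_bumps(lines, skip_domains=SKIP_DOMAINS):
    """Return (host, bump_mode) for transactions that should have been tunneled
    untouched (header present, host on the skip list) but were decrypted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not (rec["verified"] and domain_matches(rec["host"], skip_domains)):
            continue
        # A CONNECT whose decision was "bump", or any non-CONNECT request for an
        # https:// URL, means Squid looked inside the TLS session.
        decrypted_request = rec["method"] != "CONNECT" and rec["url"].startswith("https://")
        if rec["bump_mode"] == "bump" or decrypted_request:
            hits.append((rec["host"], rec["bump_mode"]))
    return hits


if __name__ == "__main__":
    for host, mode in find_unexpected_bumps(SAMPLE_LOG):
        print(f"decrypted despite verified header: {host} (bump_mode={mode})")
```

Run against a real log with `find_unexpected_bumps(open("/var/log/squid/bumpcheck.log"))`. An empty result means every transaction carrying the header to a skip-listed host was spliced; any hit is a transaction where the `ssl_bump` rules did not select the rule the header ACL was meant to trigger, which narrows the problem to rule ordering or ACL evaluation rather than to the load balancer's header injection.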