On 2011-09-06 08:08, Amos Jeffries wrote:
On 05/09/11 22:03, Łukasz Makowski wrote:
Hello everyone,
I'm using Squid and ldap_authentication, and recently decided to deploy
the ssl_bump feature.
I have made tests for ssl_bump and everything works just fine, but when
combined with ldap authentication,
it appeared to have one big disadvantage.
For every site a user tries to visit, squid pops up its authentication
window.
I see that for regular http traffic the message looks like this: "Server
My_Squid_Server needs authentication blablabla".
But when ssl_bump triggers while visiting an https web page, it states:
"Server Https_Site_Domain needs authentication blablabla".
I know that this behaviour can be caused by the way that ssl_bump works.
Please tell me, is there any possible method to overcome this?
Thanks for help.
Lukasz
I suspect you have the recommended "deny !authedUsers" or similar.
Bumped traffic should match "acl HTTPS proto HTTPS". So you should be
able to bypass the auth using that ACL.
Amos
Thanks for your reply.
My auth acl looks like this:
acl password proxy_auth REQUIRED
and rules for traffic:
http_access allow password
ssl_bump allow all
I also tried the following when experimenting with ssl_bump:
acl https_traffic method CONNECT
ssl_bump allow https_traffic
but it works the same for me.
My point when trying to implement ssl_bump was to log https urls and
the users accessing them, as I am doing for http.
I'm concerned about part of your statement "So you should be able to
bypass the auth using that ACL".
Did I understand you correctly? Is there no possibility to force squid
to auth my users when accessing https?
Lukasz
--
Łukasz Makowski
ITSOFT, ul.Wadowicka 8a, 30-415 Kraków, Poland
tel.:+48 12 2637545, fax: +48 12 2637520
lukasz.makowski@xxxxxxxxx www.itsoft.pl