Hey altogether

Unfortunately I am still suffering from this problem. Any help would be greatly appreciated.

Thanks in advance
B. Brandt

On 2012-09-26 14:05, forum@xxxxxxxxx wrote:
> Hey altogether
>
> We have the following reverse proxy setup:
>
> Client <--SSL--> Squid <--SSL--> Server
>
> and the important acls look like:
>
> https_port 443 accel cert=/usr/local/squid/certs/cert.pem
> key=/usr/local/squid/certs/key.pem defaultsite=example.org
> clientca=/usr/local/squid/certs/cacert.pem
> cafile=/usr/local/squid/certs/cacert.pem
> capath=/usr/local/squid/certs/ sslcontext=id
>
> cache_peer xxx.xxx.xxx.xxx parent 443 0 no-query originserver
> login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/usr/local/squid/certs/exchange.crt
> sslkey=/usr/local/squid/certs/nopassexchange.key name=exchange_peer
>
> So as you can see the client uses ssl and a client certificate as
> authentication to connect to squid. Now we wanted to do some url
> filtering:
>
> acl exchange_dirs urlpath_regex
> (\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)
> acl exchange_base_url url_regex ^https://example.org
> http_access allow exchange_dirs exchange_base_url
> http_access deny all
>
> However as you might already guess it's not working and I am wondering
> why. From my understanding, there is an SSL connection from Client to
> Squid and an SSL connection from Squid to Server. Squid encrypts and
> decrypts in the middle. Therefore squid should be able to do the url
> filtering.
>
> However the observed behaviour is, that URL filtering works as long as
> the user has NOT authenticated itself with its client CA. However
> after the user authentication, the user can browse every url within
> example.org. As if there were a direct ssl connection between Client
> and Server.
>
> Do we need to set the ssl-bump option? And if yes why? Isn't squid
> already doing encryption and decryption?
>
> Thanks in advance
>
> B. Brandt
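Added example, not part of the mail above and not Squid's own code: a small Python model of how the two quoted ACLs and the two http_access lines are evaluated against a request URL. It uses the regex patterns exactly as posted, and beside them a tightened pair (hypothetical, not from the mail) that anchors the path at its start, escapes the dot in the host name and requires the host to end after example.org. Squid compiles these ACLs as POSIX extended regexes; Python's re module is assumed to behave the same for these simple patterns, and urlpath_regex is assumed to see path plus query without scheme and host.

```python
import re
from urllib.parse import urlsplit


def _build_acls(dirs_re, base_re):
    """Map ACL names to (what the regex is matched against, compiled regex)."""
    return {
        "exchange_dirs": ("urlpath", re.compile(dirs_re)),   # urlpath_regex
        "exchange_base_url": ("url", re.compile(base_re)),   # url_regex
        "all": ("any", None),                                # matches everything
    }


# The patterns exactly as quoted in the mail.
POSTED_ACLS = _build_acls(
    r"(\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)",
    r"^https://example.org",
)

# Tightened variants (hypothetical, not from the mail): the path must start
# with one of the three directories, and the host must be exactly example.org
# (optionally with :443), escaping the dot so it is no longer a wildcard.
TIGHT_ACLS = _build_acls(
    r"^/(owa|Autodiscover|Microsoft-Server-ActiveSync)(/|$)",
    r"^https://example\.org(:443)?/",
)

# The http_access lines from the mail, in order. All ACL names on one line
# must match for that line to apply (AND); lines are tried top to bottom.
HTTP_ACCESS = [
    ("allow", ["exchange_dirs", "exchange_base_url"]),
    ("deny", ["all"]),
]


def _acl_matches(acls, name, url):
    kind, pattern = acls[name]
    if kind == "any":
        return True
    parts = urlsplit(url)
    if kind == "urlpath":
        # Assumed: urlpath_regex sees path (+ query), not scheme or host.
        subject = parts.path + ("?" + parts.query if parts.query else "")
    else:
        subject = url
    # Squid regex ACLs are unanchored searches, so use search(), not match().
    return pattern.search(subject) is not None


def http_access(url, acls=POSTED_ACLS):
    """Return 'allow' or 'deny' for a request URL.

    The first http_access line whose ACLs all match decides. If no line
    matches at all, Squid applies the opposite of the last line's action.
    """
    for action, names in HTTP_ACCESS:
        if all(_acl_matches(acls, n, url) for n in names):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real traffic.
    samples = [
        "https://example.org/owa/",
        "https://example.org/Microsoft-Server-ActiveSync?Cmd=Sync",
        "https://example.org/ecp/",
        "https://example.org/public/owa",            # path only contains /owa
        "https://example.org.example.net/owa/",      # host merely starts with example.org
    ]
    for u in samples:
        print(f"{u:50} posted={http_access(u):5} tight={http_access(u, TIGHT_ACLS)}")
```

Running the model shows why the unanchored patterns are worth tightening even once the proxy-side problem in the mail is solved: with the posted regexes, any path that contains /owa somewhere and any host that begins with the characters example.org satisfy the allow line, while the tightened ACLs only admit the three directories at the root of the real host.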