Re: Bypassing SSL Bump for dstdomain

On 5/03/2013 6:11 p.m., Amm wrote:
> ________________________________
> From: Dan Charlesworth <dan@xxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxx
> Sent: Tuesday, 5 March 2013 10:21 AM
> Subject:  Bypassing SSL Bump for dstdomain
>
> Hi
>
> I've recently set up a very simple Squid 3.3.1 deployment to test out Server First bumping and Mimicking in a REDIRECT type intercept configuration.
>
> It's working quite nicely, but I'm trying to accommodate a scenario where an admin would like to disable bumping for certain websites, for example internet banking ones.
>
> I basically have the exact same "ssl_bump" parameters from the config example and yet requests matching the ACL are still being bumped, as evidenced by:
> - The full HTTPS URLs being recorded in the access log.
> - My client browser continuing to show that the certificate is signed by the squid-signed CA when accessing the dstdomain.
>
> I feel like I'm making some obvious mistake here, but can't see the forest right now.
>
> ...
>
> # Let user specify domains to avoid decrypting, such as internet banking
> acl bump-bypass dstdomain .commbank.com.au
>
> ...
>
> ssl_bump none bump-bypass
> ssl_bump server-first all
>
>
> This will not work for intercepted traffic, because the domain is known only after the SSL connection is established, so the certificate stage etc. has already passed.
>
>
> You should try an ACL check based on the real IP or IP range. Of course this assumes that the IP will never change for those banks.
>
> I am also assuming that squid checks IP based ACLs for ssl_bump before establishing the connection with the client. (I have personally not tried this setup so cannot tell for sure.)
>
>
> Or you need to create rules at firewall level which will *not* divert traffic for those sites to squid.
>
> Amm.

Also, Squid's tunnel functionality requires a CONNECT wrapper to generate outgoing connections. It is not yet set up to do the raw-TCP type of bypass the intercepted traffic would require.

Amos
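As an added illustration of the two workarounds Amm describes (this is not code from the thread or from the Squid project): a POSIX shell script that emits, for review, a squid.conf bypass ACL keyed on destination IP ("dst" rather than "dstdomain") and the iptables NAT rules that keep the listed address ranges out of the REDIRECT intercept altogether. The intercept port 3129, the LAN interface eth1 and the address ranges 192.0.2.0/24 and 198.51.100.0/24 are assumptions and constructed placeholders; real bank ranges have to be looked up and kept current, which is exactly the maintenance burden Amm points out.

```sh
#!/bin/sh
# Added example, not from the thread or from Squid: emit the configuration for
# Amm's two suggestions so it can be reviewed before anything is applied.
#   1. a squid.conf bypass ACL keyed on destination IP ("dst") instead of
#      dstdomain, since the domain is not known when the bump decision is made
#      for intercepted traffic;
#   2. iptables NAT rules that RETURN traffic to those ranges before the
#      REDIRECT rule that sends everything else on port 443 to Squid.
# All values below are assumptions/placeholders for illustration.

SQUID_SSL_PORT=3129   # assumed https intercept port (https_port ... intercept ssl-bump)
LAN_IF=eth1           # assumed LAN-facing interface on the router running Squid

# Constructed placeholder ranges (RFC 5737 documentation space). Real bank
# address ranges must be looked up and re-checked, since they can change.
BYPASS_NETS="192.0.2.0/24 198.51.100.0/24"

# squid.conf fragment: one 'dst' entry per range, then 'none' ahead of the
# server-first catch-all so matching connections are not bumped.
squid_bypass_conf() {
    for net in $BYPASS_NETS; do
        printf 'acl bump-bypass dst %s\n' "$net"
    done
    printf 'ssl_bump none bump-bypass\n'
    printf 'ssl_bump server-first all\n'
}

# iptables rules in the order they must be appended: the RETURN exceptions
# first, so a packet to a bypassed range leaves the nat PREROUTING chain
# before it reaches the REDIRECT rule.
firewall_bypass_rules() {
    for net in $BYPASS_NETS; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -d %s -j RETURN\n' "$LAN_IF" "$net"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$SQUID_SSL_PORT"
}

# Print both for review; run "firewall_bypass_rules | sh" as root to apply.
squid_bypass_conf
echo
firewall_bypass_rules
```

Given Amos's point that Squid's tunnel path expects a CONNECT wrapper, the firewall rules are the option that keeps the banking traffic out of Squid entirely; the squid.conf fragment is the in-Squid variant Amm proposes, and it only holds as long as the listed ranges stay accurate.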

