Cool -- thanks folks. That makes sense. I guess if the situation is ever called for, IPs will have to suffice.

On 05/03/2013, at 9:09 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> On 5/03/2013 6:11 p.m., Amm wrote:
>>> From: Dan Charlesworth <dan@xxxxxxxxxxx>
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Sent: Tuesday, 5 March 2013 10:21 AM
>>> Subject: Bypassing SSL Bump for dstdomain
>>>
>>> Hi
>>>
>>> I've recently set up a very simple Squid 3.3.1 deployment to test out Server First bumping and Mimicking in a REDIRECT type intercept configuration.
>>>
>>> It's working quite nicely, but I'm trying to accommodate a scenario where an admin would like to disable bumping for certain websites, for example internet banking ones.
>>>
>>> I basically have the exact same "ssl_bump" parameters from the config example and yet requests matching the ACL are still being bumped as evidenced by:
>>> - The full HTTPS URLs being recorded in the access log.
>>> - My client browser continuing to show that the certificate is signed by the squid-signed CA when accessing the dstdomain.
>>>
>>> I feel like I'm making some obvious mistake here, but can't see the forest right now.
>>>
>>> ...
>>>
>>> # Let user specify domains to avoid decrypting, such as internet banking
>>> acl bump-bypass dstdomain .commbank.com.au
>>>
>>> ...
>>>
>>> ssl_bump none bump-bypass
>>> ssl_bump server-first all
>>
>> This will not work for intercepting traffic. Because domain is known only after SSL connection is established. So certificate stage etc has already passed.
>>
>> You should try ACL check based on real IP or IP range. Of course this assumes that IP will never change for those banks.
>>
>> I am also assuming that squid checks IP based ACLs for ssl_bump before establishing connection with client.
>> (I have personally not tried this setup so cannot tell for sure)
>>
>> Or you need to create rules at firewall level which will *not* divert traffic for those sites to squid.
>>
>> Amm.
>
> Also, Squid tunnel functionality requires a CONNECT wrapper to generate outgoing connections.
> It is not yet set up to do the raw-TCP type of bypass the intercepted traffic would require.
>
> Amos
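As an added illustration (not configuration from the thread or the Squid project), here is the contrast the replies describe: the dstdomain bypass as posted, which cannot take effect for intercepted traffic, beside the destination-address form Amm suggests. The address ranges are placeholders, and the second form rests on Amm's own untested assumption that dst ACLs are evaluated for ssl_bump before the client side is bumped.

```conf
# --- As posted: does NOT bypass bumping for REDIRECT-intercepted HTTPS ---
# When the ssl_bump rules run for intercepted traffic, Squid only knows the
# destination IP:port. The hostname lives inside the TLS session it has not
# yet decrypted, so dstdomain has nothing to match and server-first applies.
acl bump-bypass dstdomain .commbank.com.au
ssl_bump none bump-bypass
ssl_bump server-first all

# --- Suggested alternative: match on the destination address instead ---
# PLACEHOLDER ranges (documentation-only addresses); replace with the bank's
# actual address blocks. This only holds while those addresses stay fixed,
# and assumes (as Amm does, untested) that a dst ACL is checked for ssl_bump
# before bumping begins.
acl bank_nets dst 192.0.2.0/24 198.51.100.0/24
ssl_bump none bank_nets
ssl_bump server-first all

# Per Amos's note, Squid 3.3.1's tunnel path expects a CONNECT wrapper and is
# not built to pass intercepted raw TCP through, so the dependable fallback
# from the thread is to exclude those same address ranges from the firewall
# REDIRECT rule so that traffic never reaches Squid at all.
```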