On 03/04/2013 10:11 PM, Amm wrote:
>> # Let user specify domains to avoid decrypting, such as internet banking
>> acl bump-bypass dstdomain .commbank.com.au
>> ssl_bump none bump-bypass
>> ssl_bump server-first all

> This will not work for intercepting traffic. Because domain is known
> only after SSL connection is established. So certificate stage etc.
> has already passed.

It will work but only if the reverse DNS lookup for the intercepted IP
address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
if given an IP address.

> You should try ACL check based on real IP or IP range. Of course this
> assumes that IP will never change for those banks.

Agreed. And one can combine fast IP-based rules with slower reverse DNS
lookups, of course. Each approach has its own flaws.

> I am also assuming that squid checks IP based ACLs for ssl_bump
> before establishing connection with client.

Squid checks all ssl_bump ACLs before establishing a TCP connection with
the server. The TCP connection from the client is already accepted (or
intercepted) by the time ssl_bump ACL is checked.

> Or you need to create rules at firewall level which will *not* divert
> traffic for those sites to squid.

Agreed. That would be a better alternative to IP-based ssl_bump ACLs.

Thank you,

Alex.
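A squid.conf fragment, added here as an example and not taken from the thread, that combines the fast IP-based ACL with the slow dstdomain ACL in the way discussed above (same ssl_bump server-first syntax as the quoted config); the 203.0.113.0/24 range is a constructed placeholder, not the bank's real address space.

```conf
# Added example: keep a bank out of SSL bumping by address first, then by name.
# 203.0.113.0/24 is a constructed placeholder (TEST-NET), not the bank's range.

# Fast ACL: matches the intercepted destination IP directly, no DNS involved.
acl bank_ips dst 203.0.113.0/24

# Slow ACL: on intercepted traffic Squid only has the destination IP, so
# matching .commbank.com.au requires a reverse DNS lookup of that IP first.
# If that lookup fails or returns a different name, this rule will not match.
acl bank_domains dstdomain .commbank.com.au

# All ssl_bump rules are evaluated before Squid connects to the server.
# First match wins: the reverse lookup is only attempted when bank_ips
# did not match.
ssl_bump none bank_ips
ssl_bump none bank_domains
ssl_bump server-first all
```

Diverting the bank's address range away from Squid at the firewall, as suggested in the thread, removes the dependence on both the IP list and reverse DNS, but the fragment above is the in-Squid fallback when that is not possible.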