Never mind, Tom. I have my own cockroaches in my head. Just for content filtering alone, I would not put in a caching proxy. That's all.

24.06.15 22:22, Tom Mowbray wrote:
> Yuri,
>
> The proxy is being used as a content filter, i.e. domain and URL
> whitelisting and blacklisting.
>
> I guess my real question is simply regarding how this traffic is processed
> in regards to where I've defined options in my squid.conf?
>
> Also, why does it appear to "bump" all sites when my config says to
> "splice" all.
>
> -Tom
>
>
> Tom,
>
> one simple question.
>
> Soon all, or almost all, of the Internet will go to HTTPS. Why do you then
> need a caching proxy? To tunnel connections and process ACLs?
>
> My second question is to Amos. Amos, what the hell do we need a caching
> proxy for under these conditions?
>
> WBR, Yuri
>
> 24.06.15 21:41, Tom Mowbray wrote:
>> Squid 3.5.5
>>
>> I seem to have some confusion about how acl lists are processed in
>> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting to use
>> ssl_bump directives with transparent proxy.
>>
>> Based on available documentation, I believe my squid.conf is correct,
>> however it never seems to actually behave as expected.
>>
>> I define the SSL port, as usual:
>>
>> acl SSL_ports port 443
>>
>> But here's where my confusion lies... Many state to place the following
>> line above the ssl_bump configuration lines:
>>
>> http_access allow SSL_ports
>>
>> However when I do this, it appears to simply stop processing any other
>> rules and allows ALL https traffic through the proxy (which is actually how
>> I'd expect a standard ACL list to operate, but then how do I actually
>> filter the traffic through our content-based ACL lists?). If I put the
>> above line below the ssl_bump configuration options in my squid.conf, then
>> it appears to BUMP all, even though I've told the config to SPLICE all
>> https traffic, which doesn't work for our deployment.
>>
>> So, does squid actually continue to process the https traffic using the
>> ssl_bump rules if the "http_access allow SSL_ports" line is placed above it
>> in the configuration?
>>
>> I should note that we've been able to get filtering to work correctly when
>> using our configuration in NON-transparent mode, however our goal is to get
>> this functionality working as a transparent proxy. We're unable to load
>> our self-signed cert onto client machines that will be accessing the proxy,
>> so using the "bump" or man-in-the-middle style https filtering isn't a
>> viable option for us.
>>
>> Any help or advice is appreciated!
>>
>> Thanks,
>>
>> Tom
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users