Hi Amos. I wanted to try out the "ssl-bump splice" to send traffic to a peer found in the recent snapshots for 3.5.6/7 to block Google images. I compiled, configured and installed the latest 3.5 snapshot and added the directives you listed above to squid.conf, but I am not sure I got them right.
acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl google ssl::server_name .google.com
ssl_bump peek s1_tls_connect all
acl nobumpSites ssl::server_name .wellsfargo.com
ssl_bump splice s2_tls_client_hello nobumpSites
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer forcesafesearch.google.com parent 443 0 name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
When restarting Squid and searching in Google images for "sex" it still shows images that I want to be able to block with safesearch.
On Thu, Jul 16, 2015 at 11:24 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 19/05/2015 5:49 a.m., Andres Granados wrote:
> Hello! I need help on how to block pornographic images from Google. I
> was trying different options and still do not succeed; I tried
> http_reply_access with request_header_add, and even with a
> DNS configuration. I think request_header_add is the best, though
> it has not worked for me. I hope for your help; it is to implement at a school.
> Thanks!
>
FYI: Christos has added a tweak to the "ssl-bump splice" handling that
permits sending the traffic to a cache_peer configured something like this:
acl example ssl::server_name .example.com
ssl_bump splice example
ssl_bump peek all
cache_peer forcesafesearch.example.com parent 443 0 \
name=GS \
originserver no-query no-netdb-exchange no-digest
acl search dstdomain .example.com
cache_peer_access GS allow search
cache_peer_access GS deny all
The idea being that you can use this on intercepted (or forward-proxy)
HTTPS traffic instead of hacking about with DNS to direct clients at the
servers Google use to present "safe" searching.
This should be available in 3.5.7, or the current 3.5 snapshots.
Cheers
Amos
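To make the evaluation order of these rules concrete, here is an added Python model (not code from this thread or from Squid) of how Squid walks the ssl_bump ladder: the first rule whose ACLs all match at the current step wins, an at_step ACL confines a rule to one step, and a spliced tunnel is then routed by the first matching cache_peer_access line. The config text inside is constructed from the one quoted above; treating no matching rule as a plain tunnel follows Squid's documented default, and the "all" ACL is assumed to be predefined.

```python
# Constructed squid.conf fragment modelled on the one in this thread.
SQUID_CONF = """
acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl google ssl::server_name .google.com
acl search dstdomain .google.com
ssl_bump peek s1_tls_connect all
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer_access GS allow search
cache_peer_access GS deny all
"""

def parse(conf):
    # acl name -> (type, argument); ssl_bump and cache_peer_access keep order
    acls, bumps, peers = {}, [], []
    for w in (line.split() for line in conf.strip().splitlines()):
        if w[0] == "acl":
            acls[w[1]] = (w[2], w[3])
        elif w[0] == "ssl_bump":
            bumps.append((w[1], w[2:]))
        elif w[0] == "cache_peer_access":
            peers.append(tuple(w[1:4]))
    return acls, bumps, peers

def acl_matches(acls, ref, step, server_name):
    # One ACL reference, optionally negated with '!'; 'all' is assumed built in.
    kind, arg = acls.get(ref.lstrip("!"), ("all", None))
    if kind == "all":
        hit = True
    elif kind == "at_step":                      # rule confined to one step
        hit = arg == "SslBump%d" % step
    else:  # ssl::server_name / dstdomain: leading dot = domain and subdomains
        hit = server_name == arg.lstrip(".") or (arg[0] == "." and server_name.endswith(arg))
    return hit != ref.startswith("!")

def decide(conf, step, server_name):
    # First ssl_bump rule whose ACLs all match at this step wins (no match:
    # plain tunnel); a spliced tunnel is then routed by cache_peer_access.
    acls, bumps, peers = parse(conf)
    def matched(refs):
        return all(acl_matches(acls, r, step, server_name) for r in refs)
    action = next((a for a, refs in bumps if matched(refs)), "splice")
    if action != "splice":
        return action, None
    peer, verdict = next(((p, v) for p, v, ref in peers if matched([ref])), (None, "deny"))
    return action, peer if verdict == "allow" else None
```

Calling decide(SQUID_CONF, 2, "www.google.com") yields ("splice", "GS"), while a non-Google SNI is stared at step 2 and bumped at step 3 with no peer involved.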
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users