On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:
> I've configured Squid version 3.5.9 as a transparent proxy. To do this, I
> used the "peek and splice" feature to work with the https protocol in
> transparent mode. It works fine.
>
> There is an "acl" to block some sites, like facebook.com, linkedin.com,
> etc. It works fine too.
>
> acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
> ssl_bump terminate deny_https_sites
> ssl_bump peek all
> ssl_bump splice all

The above is kind of wrong because it may terminate before learning enough
about the connection. You should terminate after peeking:

  acl ...
  ssl_bump peek all
  ssl_bump terminate deny_https_sites
  ssl_bump splice all

Peeking feeds your deny_https_sites ACL with information. Without peeking,
that ACL may only have IP addresses to work with (especially in an
interception environment).

> But now I need to make a rule to permit access for specific users or IP
> addresses. But I don't know if it's possible with ssl_bump. I tried
> something like:
>
> ssl_bump terminate deny_https_sites !permited_ips
>
> or
>
> ssl_bump peek deny_https_sites permited_ips
>
> Is there a way to do this?

The first variant is theoretically correct, but I recommend avoiding negation
in ACLs: An ACL result is not a boolean "match" or "mismatch". It is actually
closer to "match", "mismatch", "do not know", or "error". Negating four values
correctly is difficult, and Squid itself has had many bugs in that area.

If you can truly identify "specific users" by IP, then do that first (no need
to peek):

  ssl_bump splice permited_ips
  ssl_bump peek all
  ssl_bump terminate deny_https_sites
  ssl_bump splice all

If your actual "specific user" ACL needs host name information, then let
Squid peek first:

  ssl_bump peek all
  ssl_bump splice specific_users
  ssl_bump terminate deny_https_sites
  ssl_bump splice all

Your questions indicate that you may not understand how Squid evaluates ACL
rules. Proceed with caution and try reading a guide book or a good tutorial.
The basic single-rule evaluation algorithm is not specific to SslBump
(although multiple ssl_bump directives add more complexity).

Good luck,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users