Thanks for your reply Alex,
I understood your considerations. Maybe I really didn't understand very well how SslBump works, the differences between peek and splice, and the steps SslBump1, 2 and 3. I've been searching and studying this for the last two days, and I need to understand these questions better.
acl after_work time MTWHFAS 18:00-21:00
ssl_bump terminate deny_https_sites !after_work
2015-10-29 20:35 GMT-02:00 Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:
> I've configured Squid version 3.5.9 as a transparent proxy. To do
> this, I used the "peek and splice" feature to work with the https protocol
> in transparent mode. It works fine.
>
> There is an "acl" to block some sites, like facebook.com, linkedin.com,
> etc... It works fine too.
>
> acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
> ssl_bump terminate deny_https_sites
> ssl_bump peek all
> ssl_bump splice all
The above is kind of wrong because it may terminate before learning
enough about the connection. You should terminate after peeking:
acl ...
ssl_bump peek all
ssl_bump terminate deny_https_sites
ssl_bump splice all
Peeking feeds your deny_https_sites ACL with information. Without
peeking, that ACL may only have IP addresses to work with (especially in
an interception environment).
> But now I need to do a rule to permit access for specific users, or
> ip address. But I don't know if it's possible with ssl_bump. I tried
> something like:
>
> ssl_bump terminate deny_https_sites !permited_ips
>
> or
>
> ssl_bump peek deny_https_sites permited_ips
>
>
> Is there a way to do this?
The first variant is theoretically correct, but I recommend avoiding
negation in ACLs: An ACL result is not a boolean "match" or "mismatch".
It is actually closer to "match", "mismatch", "do not know", or "error".
Negating four values correctly is difficult, and Squid itself has had
many bugs in that area.
If you can truly identify "specific users" by IP, then do that first (no
need to peek):
ssl_bump splice permited_ips
ssl_bump peek all
ssl_bump terminate deny_https_sites
ssl_bump splice all
If your actual "specific user" ACL needs host name information, then let
Squid peek first:
ssl_bump peek all
ssl_bump splice specific_users
ssl_bump terminate deny_https_sites
ssl_bump splice all
Your questions indicate that you may not understand how Squid evaluates
ACL rules. Proceed with caution and try reading a guide book or a good
tutorial. The basic single-rule evaluation algorithm is not specific to
SslBump (although multiple ssl_bump directives add more complexity).
Good luck,
Alex.
--
Rodrigo Lima - rodrigodlima[at]gmail[dot]com
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users