On 20 April 2016 at 18:38, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 04/20/2016 08:16 AM, Odhiambo Washington wrote:
> I even wonder if this config is correct:
>
> acl ssl_bump_broken_sites dstdomain ...
> ssl_bump none ssl_bump_broken_sites
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all
You did not say what you want Squid to do, so it is difficult to say
whether the config is correct. However, the following combinations look
strange to me:
* old "none" and new "peek" actions; use "splice" instead of "none"
* sometimes contradictory "peek" and "stare" actions; pick one kind
* sometimes contradictory "peek" and "bump" actions; if you intend to
bump, use "stare"
Also, you may want to use ssl::server_name ACL instead of dstdomain.
Remember that Squid may have no domain information until it is too late
to splice. Here is a polished config that may or may not do what you want:
# Bump aggressively, including discovered-too-late broken_sites:
acl ssl_bump_broken_sites ssl::server_name ...
ssl_bump splice ssl_bump_broken_sites
ssl_bump stare all
ssl_bump bump all
Hi Alex,
Thank you for looking into and advising about this. I really do not want to get intrusive on the setup.
All I want is the ability to intercept SSL sites and control access to them using TIME ACLs. That's all.
Sites should be accessed without any interference apart from determining at what time they can be
accessed by certain restricted users. Think about restricting facebook.com, youtube.com, etc which
otherwise I would not have control over in a normal intercept. That's the only reaon I need this ssl_bump stuff.
So in simple:
1. UserX tries to access facebook.com/youtube.com
2. I intercept transparently https traffic
3. I tell squid "don't allow this user to access facebook.com at this time, but let them access at some-other-time
4. If time is right, let userX access the site.
I still need to wrap my hear around thise 'stare' and 'peek' and what happens with them.
> I had to import my CA to all devices (as a trusted CA) on
> the network so that they don't get the MITM notification. [...] People
> don't like intrusive changes.
"ssl_bump bump" implies intrusiveness. You need to decide whether
bumping connections is important enough to be intrusive. The alternative
is passive monitoring/splicing that does not require intrusive changes
but gives you less control. Pick your poison.
Alex.
So looks like all I need is a setup of passive monitoring, given my explanation above, right?
Don't bump, just monitor and restrict access to some users based on time. Generally I want to
control access to those sites users usually waste time on during work hours:-)
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
