On 04/20/2016 04:18 PM, Odhiambo Washington wrote:
> On 21 April 2016 at 00:11, Alex Rousskov wrote:
> > On 04/20/2016 02:22 PM, Odhiambo Washington wrote:
>
> > > All I want is the ability to intercept SSL sites and control access to
> > > them using TIME ACLs. That's all.

You also want to serve custom errors over encrypted connections. That is a
huge addition to the above "all".


> > If you are OK with terminating the prohibited connection (no
> > error messages explaining company policy sent by Squid to your users!),
> > then yes:
> >
> >   ssl_bump terminate restricted_sites
> >   ssl_bump peek all
> >   ssl_bump splice all
>
>
> What I would like is:
>
> 1. that squid is able to 'see' that *userX* is trying to visit
>    https://www.facebook.com
> 2. but at that particular time (time ACL) *userX* is not allowed to go
>    to facebook.com, so squid denies access, throws a default error on
>    their browser

Serving a Squid-generated error over [what the browser believes is] a
secure connection to the _origin server_ requires bumping that connection.
Bumping (as opposed to splicing) implies installing company root
certificates and many other headaches. In other words, your desire to
immediately inform the user about the denied access opens a Pandora's box
and adds a whole new order of complexity (or two) to the project.

Instant gratification is very important these days, but there are probably
alternatives to serving error pages over bumped connections. The simplest
to implement might be something like sending a "you have been blocked"
email to the offending user (from the blocking ACL script), but one can
think of a lot fancier notification vectors than that.


> The time logic is already built in squid.conf. All that remains is just
> intercept https traffic and let the time acls decide whether or not a
> user can get there.

... and bump the supposedly secure connection to serve the error page if
the user cannot get there.
> So allow me to ask: in ssl_bump terminate restricted_sites, I am lost
> as to what restricted_sites represents.

It is an ACL that represents your "access control" logic. It is too
boring/standard to discuss while we are talking about SslBump. I am sure
you can define it (yourself or with help from this mailing list).

If you allow me an analogy, discussing that ACL is like discussing the
color of the paint on the atomic bomb. I am sure you will find a nice
color scheme eventually, but I am more concerned about your users staying
alive after you drop it on them.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
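To make the terminate/peek/splice approach in the message above concrete, here is an added squid.conf fragment. It is an example written for this page, not Alex's configuration and not something from the Squid project, and it is one way to define the "boring" restricted_sites ACL by combining a time ACL with an SNI ACL. Assumptions, all illustrative: Squid 3.5 or later built with OpenSSL support, TLS interception on port 3130, clients in 10.0.0.0/8, an existing PEM file at /etc/squid/ssl/proxy.pem, and facebook.com as the site to restrict. One deliberate difference from the three-line sketch in the thread: it peeks explicitly at step 1 before evaluating restricted_sites, because an ssl::server_name ACL can only see the SNI after Squid has peeked at the ClientHello; at step 1 only the intercepted destination IP is known.

```conf
# Added example: block facebook.com during work hours without bumping.
# Not from the squid-users thread; hostnames, ports and paths are
# illustrative assumptions.

# The ssl-bump flag requires a certificate so the port can start, even
# though it is never shown to clients when connections are only peeked,
# spliced or terminated. Certificate generation is switched off on purpose.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/proxy.pem \
    generate-host-certificates=off

# The access-control logic itself.
acl work_hours       time MTWHF 09:00-17:00
acl blocked_sni      ssl::server_name .facebook.com .fbcdn.net
acl restricted_sites all-of blocked_sni work_hours

acl step1 at_step SslBump1

# Step 1: only the destination IP is known. Peek so Squid can read the
# TLS ClientHello (and its SNI) without yet committing to anything.
ssl_bump peek step1

# Step 2: the SNI is now available. "terminate" simply closes the TCP
# connection: no error page is possible here, because sending one would
# mean impersonating the origin server (i.e. bumping). The browser shows
# its own generic connection-failure page. If a notification is wanted,
# an external_acl_type helper evaluated here is the place to send it
# out of band (for example by e-mail), as suggested in the thread.
ssl_bump terminate restricted_sites

# Everything else: pass the bytes through untouched; the TLS session stays
# end-to-end between browser and origin, so no private root CA is needed.
ssl_bump splice all

# Spliced intercepted connections still pass through http_access as a
# fake CONNECT, so the clients must be allowed here.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

To verify the behaviour from a client behind the proxy: during the work_hours window, `openssl s_client -connect <facebook-ip>:443 -servername www.facebook.com` should fail with the connection being closed before the server certificate arrives; outside the window the handshake completes and the certificate shown is Facebook's own, not one issued by the proxy. That second observation is the check that traffic is being spliced rather than bumped, which is the whole point of this configuration.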