On 21 April 2016 at 23:14, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 04/21/2016 01:59 PM, Odhiambo Washington wrote:
> On 21 April 2016 at 22:04, Amos Jeffries wrote:
>
> On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> > I have now changed to *configurations suggested specifically for your use
> > case, on this email thread* :)
> > acl no_ssl_interception ssl::server_name
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare all
> > ssl_bump bump all
> No the "stare" being done will prevent splice and you will see breakage
> or unexpected things again.
> You have to replace 'stare' with 'peek' AND replace 'bump' with
> 'splice'.
> Like below???
> acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> ssl_bump splice no_ssl_interception
> ssl_bump peek all
> ssl_bump splice all
Logging aside, your latest random configuration is equivalent to
ssl_bump splice all
which means you are better off not intercepting SSL at all, which brings
us back to the old question: What do you want Squid to do?
If I could intercept SSL and do nothing EXCEPT subject the domains to time ACLs, that'd be all. I do not need any bumping to be precise.
I just want the data passing through squid for me to determine who is allowed to access it and at what time.
I do have time ACLs, which I use in conjunction with MAC ACLs and certain domains, like facebook.com. Right now I rely on dstdomain to identify the domains.
With domains using SSL, I cannot use dstdomain, right? Let me demonstrate with config snippets from my squid.conf; perhaps that would explain it better, and maybe I will find a better, easier way out than this ssl_bump monster :-)
acl TIMEweekdaysALLDAY time MTWHF 09:00-17:00
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMElunch time MTWHF 12:00-13:59
acl TIMEafterhoursAFT time MTWHF 14:30-23:59
acl TIMEsatMORN time A 00:00-07:00
acl TIMEsatAFT time A 11:00-23:59
acl TIMEsatALLDAY time A 00:00-23:59
acl TIMEsundALLDAY time S 00:00-23:59

# Internet Access Regulation
# Some privileged staff - can browse unrestricted
acl privileged-staff arp "/usr/local/etc/squid/privileged_mac_addresses.txt"

# Sites staff waste all their time on - Social Networks, streaming sites, etc
acl TIMEWASTAGESITES dstdomain "/usr/local/etc/squid/time_wastage_sites.txt"

# TIMEWASTAGESITES
http_access allow TIMEWASTAGESITES privileged-staff
http_access allow TIMEWASTAGESITES TIMElunch
http_access allow TIMEWASTAGESITES TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES TIMEsatALLDAY
http_access allow TIMEWASTAGESITES TIMEsundALLDAY
http_access deny TIMEWASTAGESITES
Now, the above used to work until facebook.com, youtube.com, and others switched to HTTPS. After that it wasn't possible for me to control access to them.
So really, all I want is the ability to intercept SSL and subject it to those time ACLs for a class of users. Nothing more.
If you want Squid to not intrude except when terminating prohibited
traffic, then start with this sketch:
ssl_bump terminate prohibited_traffic
ssl_bump peek all
ssl_bump splice all
Lemme see if I understand this. I have a problem wrapping my head around 'terminate' (as a terminology, maybe) and 'prohibited_traffic' (also as a terminology).
So, are you saying that prohibited_traffic here is something like:
acl TIMEWASTAGE_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"
And in that file I have
...
Then I just apply my usual time ACLs..
http_access allow TIMEWASTAGE_SSL privileged-staff
http_access allow TIMEWASTAGE_SSL TIMElunch
http_access allow TIMEWASTAGE_SSL TIMEafterhoursAFT
http_access allow TIMEWASTAGE_SSL TIMEafterhoursMORN
http_access allow TIMEWASTAGE_SSL TIMEsatALLDAY
http_access allow TIMEWASTAGE_SSL TIMEsundALLDAY
http_access deny TIMEWASTAGE_SSL
That is more like all I want - use ssl::server_name instead of dstdomain. The sites are NOT prohibited per se, and 'terminate' kinda scares me. I need to RTFM about this 'terminate' again and again until I can sing it:)
If you want Squid to intrude (where possible) and block prohibited
traffic, then install your CA certificates on all user devices and start
with this sketch:
ssl_bump splice things_that_are_impossible_to_bump
ssl_bump stare all
ssl_bump bump all
http_access deny prohibited_traffic
Alex.
I actually believe I do not need any mention of ssl_bump, but the confusion for me arises out of TWO things:
1. In my firewall (FreeBSD PF), redirecting traffic destined to port 443 via squid wasn't an option prior to the introduction of the SSL interception, right?
2. In squid.conf, I did not yet figure out if I can use just
https_port 13129 intercept
Instead of
https_port NNNN intercept ssl-bump ...... ....
I hope this time round I have explained myself well.
Thank you.
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
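For the archive, an added squid.conf sketch that joins Alex's "terminate / peek / splice" outline to the time and MAC ACLs from this thread. It is my own illustration, not configuration posted by Alex or Odhiambo. The port number 3129, the certificate path, the time_wastage_SSL_sites.txt file and the TIMEWASTAGE_SSL ACL name are assumptions.

```conf
# Added example, not from the thread. Assumed: port 3129, the certificate
# path, the time_wastage_SSL_sites.txt file and the TIMEWASTAGE_SSL name.

# Port-443 traffic redirected by PF lands here. ssl_bump rules only apply
# on a port with ssl-bump enabled, so the port needs that option and a
# certificate even though every connection below ends up spliced or
# terminated, never bumped.
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/ssl_cert/myCA.pem

# SslBump1 = before the client hello has been read. At this step the SNI
# is not known yet, so ssl::server_name cannot match a hostname here.
acl step1 at_step SslBump1

# Time windows, unchanged from the thread.
acl TIMElunch          time MTWHF 12:00-13:59
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMEafterhoursAFT  time MTWHF 14:30-23:59
acl TIMEsatALLDAY      time A 00:00-23:59
acl TIMEsundALLDAY     time S 00:00-23:59

acl privileged-staff arp "/usr/local/etc/squid/privileged_mac_addresses.txt"

# Same list format as the dstdomain file, one entry per line, e.g.
#   .facebook.com
#   .youtube.com
acl TIMEWASTAGE_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"

# Step 1: read the client hello (peek) so the SNI becomes available.
ssl_bump peek step1

# Step 2: several ACLs on one line are ANDed. This spells out Alex's
# "prohibited_traffic": a time-wastage host, requested from a device that
# is not on the privileged MAC list, outside every allowed window.
ssl_bump terminate TIMEWASTAGE_SSL !privileged-staff !TIMElunch !TIMEafterhoursAFT !TIMEafterhoursMORN !TIMEsatALLDAY !TIMEsundALLDAY

# Everything else passes through untouched, so no CA on the clients.
ssl_bump splice all
```

With this, a connection to a listed host during lunch is spliced like any other; the same connection at 10:00 on a weekday from a non-privileged device is terminated after the client hello, without Squid ever presenting its own certificate. Check the syntax with "squid -k parse" before reloading.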
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users