On 08/16/2016 05:12 PM, Amos Jeffries wrote:
> On 17/08/2016 2:22 a.m., Steve Hill wrote:
>> Is there a way of figuring out if the current request is a bumped
>> request when the http_access ACL is being checked? i.e. can we tell the
>> difference between a GET request that is inside a bumped tunnel, and an
>> unencrypted GET request?

> In Squid-3 a combo of the myportname and proto ACLs should do that.
>
> In Squid-4 the above, or the connections_encrypted ACL type.

In both cases, please be extra careful with CONNECT requests (real or
fake) that precede bumped traffic but also go through http_access rules
and with unencrypted https:// requests that some Squids may receive.

Since bumping is not an instantaneous decision but a long process,
possibly involving several CONNECT requests, and since other traffic,
especially in complicated deployments, can have properties similar to
bumped requests, it is often difficult to write correct "this HTTP
request was bumped" ACLs.

This configuration problem should be at least partially addressed by the
upcoming annotate_transaction ACLs inserted into ssl_bump rules:
http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html

HTH,

Alex.