I forgot to put the emphasis on one thing. I did not change my squid.conf or my ACLs. The only difference is in the ssl_bump configuration directives. If I have this:

acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

then access to https://mail.google.com is allowed when I was hoping to block it. If I replace the above snippet with this:

ssl_bump stare all
ssl_bump bump all

then access to https://mail.google.com is blocked as expected.

The above puzzles me since I haven't changed anything else. If I had an http_access rule that allowed the transaction to take place then I would expect it to happen regardless of the ssl_bump directive.

Alex, you mention the SSLPeekAndSplice web page. I'll try to sum it up in just a few lines (correct me if I'm wrong):

- peek implies splice, which means you can't do content analysis (as in scan for threats via c-icap modules)
- stare implies bump, which means you can do content analysis
- you don't need to stare, you can just bump
- you need to stare before bump if you want the clients to accept a certificate with domain names instead of IP addresses
- you can bump first by ACLs and then splice the rest
- you can bump after peek but only if you do that at SslBump1

I'm asking this because the wiki page isn't all that clear to me. Especially the "Bump All Sites Except Banks" example, where the next phrase contradicts the title by saying that the requests to non-banks won't be bumped.

Anyway, I'm only interested in bumping as much as possible so I can scan content for threats.
So Amos, here goes my full squid.conf:

# grep -v ^# squid.conf | grep -v "^\$"
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 901		# SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.custom.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# grep -v ^# squid.custom.rules | grep -v "^\$"
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/prx1.mydomain.org@xxxxxxxxxxxx
auth_param negotiate children 60
auth_param negotiate keep_alive on
auth_param basic realm MYORG proxy
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7	# RFC 4193 local private network range
acl FHM_all proxy_auth REQUIRED
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl interceptednormal myportname 3131
acl interceptedsslnormal myportname 3132
acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips"
acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups"
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes"
acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains"
http_access deny restricted_ips !restricted_domains
http_access deny restricted_groups !restricted_domains
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
http_access deny denied_ads !allowed_groups !allowed_ips
http_access deny denied_filetypes !allowed_groups !allowed_ips
http_access deny explicit !FHM_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny interceptedsslnormal !localnet
http_access deny interceptednormal !localnet
cache_mgr it@xxxxxxxxxxxx
email_err_data on
error_directory /usr/share/squid/errors/MYORG
append_domain .mydomain.org
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
include /etc/squid/squid.custom.common
include /etc/squid/squid.custom.hide
cache_dir diskd /var/cache/squid 100 16 256
http_access allow localnet

# grep -v ^# squid.custom.common | grep -v "^\$"
cache_mgr it@xxxxxxxxxxxx
email_err_data on
error_directory /usr/share/squid/errors/MYORG

# grep -v ^# squid.custom.hide | grep -v "^\$"
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Do you require the full ACLs too?

# grep google /usr/local/share/proxy-settings/*
/usr/local/share/proxy-settings/denied.domains:play.google.com
/usr/local/share/proxy-settings/denied.domains:mail.google.com

Note that the above configuration correctly blocks access to https://mail.google.com. It also allows access to https://accounts.google.com and I can enter my Google username. However, I cannot press "the Next button" to enter the password. I could try to study the web page's source code, but at a first glance:

1) Google login works fine if I bypass the Squid proxy or if I use "ssl_bump splice".
2) I am not denying access to any Google service except for "play" and "mail".

Not being able to press "the Next button" is what I meant by "unreported error" in my previous e-mail. It is easy to reproduce with my squid.conf.
Thanks,
Vieri

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
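As an added example that is not part of Vieri's mail: the peek-at-step-1 pattern from the SslPeekAndSplice wiki page referred to above, written with the same ACL names as the post so the two snippets can be compared directly. The ACL name "step1" is an assumption; at_step and ssl::server_name are standard Squid ACL types.

```conf
# Added example (not from the post): peek only at SslBump1 (the TLS ClientHello),
# so the SNI is available for both http_access and the splice/bump decision,
# while bumping remains possible for everything that is not spliced.
# "step1" is an assumed ACL name; the other ACL names come from the post.

acl step1 at_step SslBump1

# Same intent as in the post: splice the listed Google properties, but keep
# mail.google.com out via http_access.
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome  ssl::server_name mail.google.com

http_access deny DenyTroublesome

# Peek at step 1 only. The wiki notes that peeking at step 2 (the server
# certificate) usually precludes bumping later, which is why "peek all"
# followed by "bump all" is not equivalent to "stare all" + "bump all".
ssl_bump peek step1
ssl_bump splice AllowTroublesome
ssl_bump bump all
```

ssl_bump rules are first-match per step, so the order of the three ssl_bump lines is what decides the outcome once step 1 has finished.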