
req_header acl with ssl_bump

Hello,

We are attempting to leverage headers to isolate access to external sites with squid 4.14. The load balancer is injecting headers and squid is simply verifying them:

acl ACL_HDR_1 req_header Repo_Svr_VerifiedHdr True
acl REPO_DST_ALLOW dstdomain "/etc/squid/acls.d/hosts.acl"
http_access allow PROXY-SRC REPO_DST_ALLOW ACL_HDR_1

We are currently decrypting this traffic and it's working well.

Now we have a requirement to skip ssl decrypt for only certain destinations. My thought was to simply create a separate ACL where skipping ssl decrypt is required and add the header ACL to the end of the ssl_bump directive like so:

acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
acl Repo_SkipSslDecrypt dstdomain "/etc/squid/acls.d/hosts.acl"
ssl_bump none Repo_SkipSslDecrypt Repo_Skip_HDR

This parsed successfully but did not have the desired effect. The squid is still inspecting the traffic even with the header present, as we can see in the logs. Making things a little more complex, the ssl_bump directive seems to have a global effect and also imply "http_access allow", making it difficult to isolate access. To get around this I thought to simply skip ssl decrypt for the traffic with verified headers:

acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
ssl_bump none Repo_Skip_HDR

Unfortunately even this isn't working. Again the config checks out and runs happily, and we see the header in the logs, but squid still tries to inspect the traffic.

Any thoughts on why ssl_bump would ignore the header ACL, or other suggestions to isolate traffic when being required to skip ssl decrypt, would be greatly appreciated.

Thanks in advance.

Regards,

Matt Toler
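For readers of the archive, an added configuration example follows. It is not from Matt's post and not from the Squid project's documentation; it shows one way to express the same requirement (no decryption for a listed set of destinations, header-verified access control everywhere) using the peek/splice/bump form of ssl_bump rather than a single "ssl_bump none" line. It assumes Squid 4.x with the built-in at_step and ssl::server_name ACL types, that /etc/squid/acls.d/hosts.acl holds destination domain names, and it reuses the PROXY-SRC and REPO_DST_ALLOW ACLs from the post; the trailing "http_access deny all" is an assumption about the rest of the policy.

```conf
# Added example, not from the original post.
# Goal: never decrypt the destinations listed in hosts.acl, decrypt the rest,
# and keep the load-balancer header check in http_access.

# Marker ACL for the first SslBump step (the CONNECT / ClientHello stage).
acl step1 at_step SslBump1

# Destinations exempt from decryption. ssl::server_name matches the CONNECT
# host at step 1 and the TLS SNI once the ClientHello has been peeked at,
# so it keeps working after the handshake starts, unlike a plain dstdomain
# match on an intercepted connection. Assumes hosts.acl lists domain names.
acl Repo_SkipSslDecrypt ssl::server_name "/etc/squid/acls.d/hosts.acl"

# Header injected by the load balancer (same ACL as in the post).
acl ACL_HDR_1 req_header Repo_Svr_VerifiedHdr True

# Look at the ClientHello first, then splice (tunnel without decrypting)
# the exempt destinations and bump everything else.
ssl_bump peek step1
ssl_bump splice Repo_SkipSslDecrypt
ssl_bump bump all

# Access control stays in http_access. It is evaluated on the CONNECT
# request for every tunnel, and again on each decrypted request for
# bumped traffic. PROXY-SRC and REPO_DST_ALLOW come from the post;
# the final deny is assumed.
http_access allow PROXY-SRC REPO_DST_ALLOW ACL_HDR_1
http_access deny all
```

The caveat that matters for the header-based isolation: Squid can only read headers of requests it can see. For a spliced destination the inner HTTPS request is never decrypted, so the only place a req_header ACL can match is the CONNECT request itself; the load balancer therefore has to inject Repo_Svr_VerifiedHdr on the CONNECT, not just inside the tunnelled request. Checking the access.log for the CONNECT entries (the spliced ones show no decrypted GET/POST lines at all) is the quickest way to confirm which path a given destination took.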

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
