James,

Yes, as a matter of fact I have read through those exact posts and modeled my config very similarly. What I have found, however, is that when the line "http_access allow SSL_ports" is placed above the ssl_bump stuff and other ACLs (as you have it), it seems to simply allow ALL https without doing any filtering whatsoever.

Thanks for the response.

---------------------------------
Tom Mowbray
tmowb...@dalabs.com
703-829-6694

On Wed, Jun 24, 2015 at 1:31 PM, James Lay <j...@slave-tothe-box.net> wrote:

> On 2015-06-24 09:41 AM, Tom Mowbray wrote:
>
>> Squid 3.5.5
>>
>> I seem to have some confusion about how acl lists are processed in squid.conf regarding the handling of SSL (HTTPS) traffic, attempting to use ssl_bump directives with transparent proxy.
>>
>> Based on available documentation, I believe my squid.conf is correct, however it never seems to actually behave as expected.
>>
>> I define the SSL port, as usual:
>>
>> acl SSL_ports port 443
>>
>> But here's where my confusion lies... Many state to place the following line above the ssl_bump configuration lines:
>>
>> http_access allow SSL_ports
>>
>> However when I do this, it appears to simply stop processing any other rules and allows ALL https traffic through the proxy (which is actually how I'd expect a standard ACL list to operate, but then how do I actually filter the traffic through our content-based ACL lists?). If I put the above line below the ssl_bump configuration options in my squid.conf, then it appears to BUMP all, even though I've told the config to SPLICE all https traffic, which doesn't work for our deployment.
>>
>> So, does squid actually continue to process the https traffic using the ssl_bump rules if the "http_access allow SSL_ports" line is placed above it in the configuration?
>>
>> I should note that we've been able to get filtering to work correctly when using our configuration in NON-transparent mode, however our goal is to get this functionality working as a transparent proxy. We're unable to load our self-signed cert onto client machines that will be accessing the proxy, so using the "bump" or man-in-the-middle style https filtering isn't a viable option for us.
>>
>> Any help or advice is appreciated!
>>
>> Thanks,
>>
>> Tom
>
> Tom,
>
> You kinda have to change the way you think about filtering when it comes to Squid 3.5.5 and SSL(TLS). Normal http traffic is easy....here's where we're trying to go and here's a list of places we're allowed to go...simple.
>
> Not so with SSL(TLS). Squid can't filter, since Squid may or may not know where we're going...and that's the issue..it's where those ssl_bump atStep ACLs come in. Some sites when you connect to them are easy-ish..when you connect your device sends a "Server Name Information" (SNI) that says where you're going. Other sites don't have any information until you complete the SSL handshake (how can you filter a site name, until squid KNOWS the site or at least domain name?).
>
> If you're still wanting to go through with transparent (intercept) proxy with SSL, search through the list for my SSL Deep dive posts...that config is working for me so far (granted, not in an enterprise environment). However, as Amos said,....if you choose not to install the cert on the client machines, you are either a) going to be out of luck on LOTS of websites because they will fail the SSL handshake, or b) teaching your users to ignore the security warnings of their browsers....neither of which is a good thing.
>
> Hope that helps.
>
> James
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
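An added configuration example (not from this thread or from James's deep-dive posts) of the splice-only approach James describes: a Squid 3.5 intercept setup that peeks at SslBump step 1 to read the client's SNI, then splices only an allow-listed set of server names and terminates everything else, so no CA has to be installed on the clients. The port numbers, certificate path, client network and domain names are assumptions.

```conf
# Added example, not from the thread. Splice-or-terminate HTTPS filtering
# on SNI in intercept mode. Ports, cert path, network and domains are
# assumed values.

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl localnet src 192.168.1.0/24

# Destination allow-list, matched against the TLS SNI Squid sees at step 2.
acl allowed_https ssl::server_name .example.com .example.org

# http_access is checked against the fake CONNECT that intercept mode
# generates for each HTTPS connection; it decides only whether the
# connection may be handled at all. Per-site decisions live in ssl_bump.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

http_port 3128
http_port 3129 intercept
# A cert is still required on the ssl-bump port even though nothing below
# ever bumps; it is only used if a bump action were ever reached.
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem

# ssl_bump rules are evaluated at each TLS handshake step.
acl step1 at_step SslBump1

# Step 1: peek at the ClientHello without altering it, so the SNI is known.
ssl_bump peek step1
# Step 2: tunnel allow-listed names untouched (no MITM, no client CA).
ssl_bump splice allowed_https
# Everything else, including clients that send no SNI, is closed here.
# This is the failure mode James describes: no name means no decision.
ssl_bump terminate all
```

Connections from clients without SNI cannot match `allowed_https` and are terminated rather than bumped, which keeps the deployment free of the man-in-the-middle requirement at the cost of those sites.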