On 5/03/2013 6:11 p.m., Amm wrote:
________________________________
From: Dan Charlesworth <d...@getbusi.com>
To: squid-users@squid-cache.org
Sent: Tuesday, 5 March 2013 10:21 AM
Subject: [squid-users] Bypassing SSL Bump for dstdomain

Hi

I've recently set up a very simple Squid 3.3.1 deployment to test out Server 
First bumping and Mimicking in a REDIRECT type intercept configuration.

It's working quite nicely, but I'm trying to accommodate a scenario where an 
admin would like to disable bumping for certain websites, for example internet 
banking ones.

I basically have the exact same "ssl_bump" parameters from the config example 
and yet requests matching the ACL are still being bumped as evidenced by:
- The full HTTPS URLs being recorded in the access log.
- My client browser continuing to show that the certificate is signed by the 
squid-signed CA when accessing the dstdomain.

I feel like I'm making some obvious mistake here, but can't see the forest 
right now.

...

# Let user specify domains to avoid decrypting, such as internet banking
acl bump-bypass dstdomain .commbank.com.au

...

ssl_bump none bump-bypass
ssl_bump server-first all


This will not work for intercepted traffic, because the domain is known only after 
the SSL connection is established. So the certificate stage etc. has already passed.


You should try an ACL check based on the real IP or IP range. Of course this assumes 
that the IP will never change for those banks.

I am also assuming that Squid checks IP-based ACLs for ssl_bump before 
establishing the connection with the client. (I have personally not tried this setup, so 
I cannot tell for sure.)


Or you need to create rules at the firewall level which will *not* divert traffic 
for those sites to Squid.

Amm.

Also, Squid tunnel functionality requires a CONNECT wrapper to generate outgoing connections. It is not yet set up to do the raw-TCP type of bypass the intercepted traffic would require.

Amos
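
The two alternatives Amm suggests (an IP-based ssl_bump ACL, or firewall rules that never divert those destinations to Squid) share one weakness: the bank's address ranges have to be kept current in two places. The script below is an added example, not something from this thread or from the Squid project; it keeps a single list of exempt ranges, validates each entry before it gets near iptables, and derives both the netfilter exemption and the matching squid.conf lines from it. The ranges used are documentation placeholders, not CommBank's real addresses, and the Squid `dst`-based bypass is untested here exactly as Amm says it is in his reply. Given Amos's note that intercepted traffic cannot be tunnelled raw, the firewall RETURN rules are the part that actually does the work; the Squid lines are a second layer only.

```shell
#!/bin/sh
# Added example (not from the thread): one list of "do not intercept" ranges,
# from which both the iptables exemption and the Squid ACL are generated.
# The ranges below are placeholders (RFC 5737 documentation space) and stand in
# for the bank's published address ranges, which the thread warns may change.
BYPASS_NETS="203.0.113.0/24 198.51.100.0/24"

# Accept only an IPv4 address or IPv4 CIDR so nothing odd reaches iptables.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the nat-table rules that exempt the ranges from the 443 REDIRECT.
# They are inserted with -I so they sit *above* the existing REDIRECT rule:
# PREROUTING is first-match, so a RETURN placed after the REDIRECT never fires.
iptables_bypass_rules() {
    for net in $BYPASS_NETS; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        echo "iptables -t nat -I PREROUTING -p tcp --dport 443 -d $net -j RETURN"
    done
}

# Print the matching squid.conf fragment: an IP-based ACL in place of the
# dstdomain one from the original post, which cannot match before the
# certificate stage on intercepted connections.
squid_bypass_acl() {
    for net in $BYPASS_NETS; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        echo "acl bump-bypass dst $net"
    done
    echo "ssl_bump none bump-bypass"
    echo "ssl_bump server-first all"
}

# Usage on the gateway (review the output before piping it anywhere):
#   iptables_bypass_rules          # then: iptables_bypass_rules | sh
#   squid_bypass_acl               # paste into squid.conf ahead of other ssl_bump lines
```

After applying the rules, confirm ordering with `iptables -t nat -L PREROUTING -n --line-numbers`: every RETURN line must carry a lower number than the REDIRECT-to-Squid line, otherwise the bank traffic is still intercepted and the squid.conf ACL is all that stands between it and being bumped.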
