Cool -- thanks folks. That makes sense.

I guess if the situation is ever called for, IPs will have to suffice.

On 05/03/2013, at 9:09 PM, Amos Jeffries <[email protected]> wrote:

> On 5/03/2013 6:11 p.m., Amm wrote:
>>> ________________________________
>>> From: Dan Charlesworth <[email protected]>
>>> To: [email protected]
>>> Sent: Tuesday, 5 March 2013 10:21 AM
>>> Subject: [squid-users] Bypassing SSL Bump for dstdomain
>>> 
>>> Hi
>>> 
>>> I've recently set up a very simple Squid 3.3.1 deployment to test out 
>>> Server First bumping and Mimicking in a REDIRECT type intercept 
>>> configuration.
>>> 
>>> It's working quite nicely, but I'm trying to accommodate a scenario where 
>>> an admin would like to disable bumping for certain websites, for example 
>>> internet banking ones.
>>> 
>>> I basically have the exact same "ssl_bump" parameters from the config 
>>> example and yet requests matching the ACL are still being bumped as 
>>> evidenced by:
>>> - The full HTTPS URLs being recorded in the access log.
>>> - My client browser continuing to show that the certificate is signed by 
>>> the squid-signed CA when accessing the dstdomain.
>>> 
>>> I feel like I'm making some obvious mistake here, but can't see the forest 
>>> right now.
>>> 
>>> ...
>>> 
>>> # Let user specify domains to avoid decrypting, such as internet banking
>>> acl bump-bypass dstdomain .commbank.com.au
>>> 
>>> ...
>>> 
>>> ssl_bump none bump-bypass
>>> ssl_bump server-first all
>> 
>> 
>> This will not work for intercepting traffic. Because domain is known only 
>> after SSL connection is established. So certificate stage etc has already 
>> passed.
>> 
>> 
>> You should try ACL check based on real IP or IP range. Of course this assumes 
>> that IP will never change for those banks.
>> 
>> I am also assuming that squid checks IP based ACLs for ssl_bump before 
>> establishing connection with client. (I have personally not tried this setup 
>> so cannot tell for sure)
>> 
>> 
>> Or you need to create rules at firewall level which will *not* divert 
>> traffic for those sites to squid.
>> 
>> Amm.
> 
> Also, Squid tunnel functionality requires a CONNECT wrapper to generate 
> outgoing connections.
> It is not yet setup to do the raw-TCP type of bypass the intercepted traffic 
> would require.
> 
> Amos
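An added example, not taken from the thread and not Squid's or any poster's own configuration, of the two bypass routes the replies describe: an IP-based `dst` ACL on the Squid side, and a firewall rule that keeps those addresses out of the REDIRECT so they never reach Squid at all. The address range 203.0.113.0/24, the interface name, the port numbers and the certificate path are placeholders; the bank's real addresses would have to be looked up and kept current, since an IP ACL silently stops matching when they change.

```conf
# --- squid.conf (Squid 3.3, REDIRECT-style intercept) ---

# Placeholder range standing in for the bank's published addresses.
# dst matches on the connection's destination IP, which is known before any
# TLS handshake; dstdomain on intercepted traffic is not, so it cannot exempt
# the connection from bumping.
acl bump-bypass dst 203.0.113.0/24

# Intercepted HTTPS listener (port and certificate path are placeholders).
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem

# Squid-side bypass. As the thread notes, Squid 3.3 cannot yet pass intercepted
# traffic through as raw TCP, so treat this as best effort and rely on the
# firewall exemption below for anything that must never be bumped.
ssl_bump none bump-bypass
ssl_bump server-first all

# --- firewall (iptables, on the intercepting host) ---
# Exempt the same range BEFORE the REDIRECT rule: rules in the nat PREROUTING
# chain are evaluated in order, so the exemption only works if it comes first.
#
# iptables -t nat -A PREROUTING -i eth0 -p tcp -d 203.0.113.0/24 --dport 443 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129
```

To confirm the exemption is taking effect, the bank's HTTPS sessions should no longer appear in Squid's access log and the browser should show the bank's own certificate chain rather than the Squid-signed CA; if the firewall rule is added after an existing REDIRECT rule, it is never reached and both symptoms persist.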