X-Mail-List: ufdbGuard
Hi Cleberson,
I am not sure how to interpret "to be blocked when they access via CONNECT"...
In a mixed environment with transparent intercept (which has no CONNECT,
but Squid generates a fake CONNECT for ufdbGuard) and a forward proxy
(which has a CONNECT) ufdbGuard receives real CONNECTs and fake CONNECTs.
For a forward proxy, if a connection is bumped, ufdbGuard receives
CONNECT www.example.com
GET https://www.example.com/index.html
If a connection is spliced, ufdbGuard only receives
CONNECT www.example.com
To complicate things, for transparent intercept, Squid does not send the
FQDN but the IP with the fake CONNECT. So it becomes:
if a connection is bumped, ufdbGuard receives
CONNECT IP.AD.DR.ESS
GET https://www.example.com/index.html
If a connection is spliced, ufdbGuard only receives
CONNECT IP.AD.DR.ESS
And this complicates things a lot since filtering on IP address is prone
to errors since IP addresses can be shared by many domains.
There is an issue with blocking: blocking a CONNECT will display
errors in a browser that a regular end user does not understand,
so ufdbGuard usually does not block a CONNECT but waits for the
GET https://www.example.com/index.html
which it can block while being able to display an understandable
error message to the end user.
The category-specific option block-on-connect was introduced to
block a category where it is known that it does not use plain HTTPS
(TLS-encrypted HTTP) but some other protocol which Squid does
not understand and does not forward anything to ufdbGuard.
In other words, the CONNECT must be blocked since there will never be
a GET https://example.com.
An example of such a category is Skype.
The manual has an error and section 8.1.1 should have this:
squid-uses-active-bumping on
...
category skype {
domainlist chat/skype/domains
option block-on-connect on
option allow-skype-over-https off
}
Marcus
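[Added illustration, not part of the original mail and not ufdbGuard code.] The four cases Marcus describes (forward proxy vs. transparent intercept, bumped vs. spliced) and the block-on-connect rule can be modelled as a small decision function over the request lines the filter receives. The category names, domain lists, request lines and the 203.0.113.10 address below are constructed for the example; the point it shows is why a spliced site can only be blocked with block-on-connect, and why a transparent-intercept CONNECT carrying an IP cannot be matched against a domain list at all.

```python
"""Model of the CONNECT-versus-GET decision described in the mail above.

Constructed example: not ufdbGuard source, not the Squid helper protocol.
Request lines are simplified to 'METHOD target'.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Category:
    name: str
    domains: frozenset            # domain suffixes, like a ufdbGuard domainlist
    block_on_connect: bool = False  # the 'option block-on-connect on' from the mail


# Constructed policy: a normal blocked category plus one that never sends a GET.
BLOCKED = [
    Category("socialnet", frozenset({"example.com"})),
    Category("skype", frozenset({"skype.com"}), block_on_connect=True),
]


def is_ip_address(host: str) -> bool:
    """True for the bare IP Squid puts in the fake CONNECT of a transparent intercept."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(method: str, target: str) -> str:
    """Extract the host from 'CONNECT host[:port]' or 'GET https://host/path'."""
    if method == "CONNECT":
        return urlsplit("//" + target).hostname or ""
    return urlsplit(target).hostname or ""


def in_category(host: str, cat: Category) -> bool:
    """Suffix match, so www.example.com matches a domainlist entry example.com."""
    return any(host == d or host.endswith("." + d) for d in cat.domains)


def decide(request: str, blocked: list) -> tuple:
    """Return (verdict, reason) for one request line."""
    method, target = request.split(None, 1)
    host = host_of(method, target)
    if is_ip_address(host):
        # Transparent intercept: only an IP is known, and one IP can serve many
        # domains, so no domain list applies until a GET arrives (if it ever does).
        return ("pass", "IP address only, no domain to match")
    for cat in blocked:
        if in_category(host, cat):
            if method != "CONNECT":
                # The GET can be blocked with an error page the user understands.
                return ("block", f"{cat.name}: blocked on {method}")
            if cat.block_on_connect:
                # Protocol tunnelled over CONNECT is not HTTPS; no GET will follow.
                return ("block", f"{cat.name}: block-on-connect")
            return ("pass", f"{cat.name}: CONNECT allowed, wait for the GET")
    return ("pass", "no blocked category matched")


def filter_session(requests: list, blocked: list) -> list:
    """Verdict per request line, in order."""
    return [decide(r, blocked)[0] for r in requests]


if __name__ == "__main__":
    scenarios = {
        "forward, bumped": ["CONNECT www.example.com:443",
                            "GET https://www.example.com/index.html"],
        "forward, spliced": ["CONNECT www.example.com:443"],
        "transparent, bumped": ["CONNECT 203.0.113.10:443",
                                "GET https://www.example.com/index.html"],
        "transparent, spliced": ["CONNECT 203.0.113.10:443"],
        "skype, block-on-connect": ["CONNECT login.skype.com:443"],
    }
    for name, reqs in scenarios.items():
        for r in reqs:
            print(f"{name:24} {r:45} -> {decide(r, BLOCKED)}")
```

Running it shows the spliced cases end with "pass", which is the behaviour behind the original question: without a GET there is nothing for the filter to block unless the category is configured with block-on-connect.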
On 25/01/17 11:18, Cleberson Vieira wrote:
>
> Hi Marcus,
>
> Your statement about acls represents my current scenario.
>
> About proxy mode, I use the two modes. But what could that influence?
>
> Is there any valid option to replace the non-existent "block-on-connect"?
>
> Best regards,
>
> Cleberson Vieira
>
>
> On 25-01-2017 10:53, Marcus Kool wrote:
>> Hi Cleberson,
>>
>> I understand that you use Squid with ssl_bump in a mixed mode with acls that
>> peek, bump and/or splice.
>>
>> Do you have transparent interception or forward proxy mode?
>>
>> Thanks
>> Marcus
>>
>>
>> On 25/01/17 09:57, Cleberson Vieira wrote:
>>>
>>> Hi everyone,
>>>
>>> Could someone help me in this problem?
>>>
>>> Best regards,
>>>
>>> Cleberson Vieira
>>>
>>> On 23-01-2017 12:54, Cleberson Vieira wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> The reference manual, item (8.1.1 Active HTTPS Bumping with ufdbGuard)
>>>> specifies the "block-on-connect" option. This option does not exist in
>>>> ufdbGuard.conf.
>>>>
>>>> I would like sites configured in squid like no_bump (splice), such as
>>>> banks and social networks, to be blocked when they access via CONNECT.
>>>>
>>>> The "block-bumped-connect on" option also did not work.
>>>>
>>>> Is there any option for this situation?
>>>>
>>>> Best regards,
>>>>
>>>> Cleberson Vieira
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>
>>>>
>>>> _______________________________________________
>>>> ufdbGuard-support mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/ufdbguard-support