Re: [squid-users] Bypassing SSL Bump for dstdomain

From: Amm <ammdispose-squid_at_yahoo.com>
Date: Tue, 5 Mar 2013 13:11:41 +0800 (SGT)

> From: Dan Charlesworth <dan_at_getbusi.com>
> To: squid-users_at_squid-cache.org
> Sent: Tuesday, 5 March 2013 10:21 AM
> Subject: [squid-users] Bypassing SSL Bump for dstdomain
>
> Hi
>
> I've recently set up a very simple Squid 3.3.1 deployment to test out Server First bumping and Mimicking in a REDIRECT type intercept configuration.
>
> It's working quite nicely, but I'm trying to accommodate a scenario where an admin would like to disable bumping for certain websites, for example internet banking ones.
>
> I basically have the exact same "ssl_bump" parameters from the config example and yet requests matching the ACL are still being bumped as evidenced by:
> - The full HTTPS URLs being recorded in the access log.
> - My client browser continuing to show that the certificate is signed by the squid-signed CA when accessing the dstdomain.
>
> I feel like I'm making some obvious mistake here, but can't see the forest right now.
>
> ...
>
> # Let user specify domains to avoid decrypting, such as internet banking
> acl bump-bypass dstdomain .commbank.com.au
>
> ...
>
> ssl_bump none bump-bypass
> ssl_bump server-first all

This will not work for intercepting traffic, because the domain is known only after the SSL connection is established, so the certificate stage etc. has already passed.

You should try an ACL check based on the real IP or IP range. Of course this assumes that the IP will never change for those banks. I am also assuming that squid checks IP-based ACLs for ssl_bump before establishing the connection with the client. (I have personally not tried this setup so cannot tell for sure.)

Or you need to create rules at firewall level which will *not* divert traffic for those sites to squid.

Amm.
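The two IP-based exemptions Amm suggests, written out as an added example (not from either poster): a `dst`-based `ssl_bump none` rule for Squid, and a NAT exemption that keeps the traffic away from Squid altogether. The bank range `203.0.113.0/24`, the intercept port `3129` and the interface `eth1` are constructed placeholders; the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread. Values below are
# constructed placeholders: substitute the bank's real address range and
# re-check it periodically, since the range can change.
BANK_NETS="203.0.113.0/24"   # space-separated CIDRs (placeholder)
SQUID_HTTPS_PORT=3129        # port of the https_port ... intercept ssl-bump line (assumed)
LAN_IF=eth1                  # inside interface receiving client traffic (assumed)

# Option 1: let Squid accept the connection but never bump it. For an
# intercepted connection Squid only knows the original destination IP when
# ssl_bump is evaluated, so the ACL must use 'dst', not 'dstdomain'.
squid_bypass_acl() {
  for net in $BANK_NETS; do
    printf 'acl bump-bypass dst %s\n' "$net"
  done
  printf 'ssl_bump none bump-bypass\n'
  printf 'ssl_bump server-first all\n'
}

# Option 2: never divert the bank traffic to Squid. The RETURN rules must
# sit before the REDIRECT rule in the nat PREROUTING chain, so they are
# emitted first; pipe the output to sh as root to apply it.
firewall_bypass_rules() {
  for net in $BANK_NETS; do
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -d %s -j RETURN\n' \
      "$LAN_IF" "$net"
  done
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-port %s\n' \
    "$LAN_IF" "$SQUID_HTTPS_PORT"
}

squid_bypass_acl
firewall_bypass_rules
```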
Received on Tue Mar 05 2013 - 05:11:51 MST

This archive was generated by hypermail 2.2.0 : Wed Mar 06 2013 - 12:00:04 MST