Re: [squid-users] Blocking SSL Port does not work

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Jul 2010 23:37:29 +0000

On Tue, 06 Jul 2010 18:25:39 +0100, Alex Crow <alex_at_nanogherkin.com>
wrote:
> On 06/07/10 10:33, Malvin Rito wrote:
>> Thanks. But how can I implement SSLBump to block port 443 for only
>> specific websites such as blocking Proxy Sites which use https?
>>
>
> I'm not clear on SSLBump too. It appears to be documented as a feature
> for passing HTTPS traffic to an ICAP server for further analysis and

It converts incoming CONNECT requests into reverse-proxy HTTPS requests
for Squid to work with the internal encrypted details.

> filtering. However, can it also be used within squid.conf for the
> non-domain part of a url in things like url regex acls, eg on an https
> connection allow or disallow requests containing the word "facebook" or
> the like?

Bit fuzzy what you mean here. But I think so. Once the request is
converted Squid gets access to the encrypted URL and HTTP headers for
access controls.

>
>>
>> If you want to intercept port 443, you should know that it's called a
>> man-in-the-middle attack since the traffic is encrypted between browser
>> and server. While the newest squid supports this by using the SSLBump
>> feature, browsers can detect that you did this because the squid's
>> certificate won't match the server name.
>>
> I did not think that was the case - does it not generate certs for the
> requested websites on the fly, and if you've installed the CA cert in

Dynamic cert generation is in the pipeline. For now, users without the CA
cert installed see the HTTPS insecurity popup when they get Squid's
self-signed cert.

Intercepting HTTPS without the users' knowledge and consent is still
man-in-the-middle.

> the client browser the only difference the user will notice is that the
> issuer is different to what they get, say, at home?

Yes.

Amos
Received on Tue Jul 06 2010 - 23:37:33 MDT
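As an added illustration (not configuration from the thread or from the Squid project), this is the kind of squid.conf fragment Amos's answer implies, using the 3.1-era ssl_bump syntax current when the thread was written; the certificate paths, port, client network and the "facebook" pattern are assumed values:

```conf
# Squid 3.1-era SSLBump configuration. Paths, port, network and the
# blocked pattern are assumed values, not taken from the thread.
# Clients must trust the CA that signed cert.pem; otherwise browsers
# show the certificate warning Amos describes above.

# Forward-proxy port that bumps CONNECT requests so Squid can see the
# decrypted request line and headers.
http_port 3128 ssl-bump cert=/etc/squid/ssl/cert.pem key=/etc/squid/ssl/key.pem

# Bump every CONNECT (3.1 syntax; 3.3 and later use different actions).
ssl_bump allow all

# After bumping, ACLs match the real URL, not just the CONNECT host:port.
acl blocked_https url_regex -i facebook
acl localnet src 192.168.0.0/16

http_access deny blocked_https
http_access allow localnet
http_access deny all
```

Without the bump, an https URL only ever appears to Squid as a CONNECT to host:443, so a url_regex ACL on the path would never match.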
