Re: [squid-users] Bypassing SSL Bump for dstdomain

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Wed, 6 Mar 2013 09:12:54 +1100

Cool -- thanks folks. That makes sense.

I guess if the situation is ever called for, IPs will have to suffice.

On 05/03/2013, at 9:09 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:

> On 5/03/2013 6:11 p.m., Amm wrote:
>>> ________________________________
>>> From: Dan Charlesworth <dan_at_getbusi.com>
>>> To: squid-users_at_squid-cache.org
>>> Sent: Tuesday, 5 March 2013 10:21 AM
>>> Subject: [squid-users] Bypassing SSL Bump for dstdomain
>>>
>>> Hi
>>>
>>> I've recently set up a very simple Squid 3.3.1 deployment to test out Server First bumping and Mimicking in a REDIRECT type intercept configuration.
>>>
>>> It's working quite nicely, but I'm trying to accommodate a scenario where an admin would like to disable bumping for certain websites, for example internet banking ones.
>>>
>>> I basically have the exact same "ssl_bump" parameters from the config example and yet requests matching the ACL are still being bumped as evidenced by:
>>> - The full HTTPS URLs being recorded in the access log.
>>> - My client browser continuing to show that the certificate is signed by the squid-signed CA when accessing the dstdomain.
>>>
>>> I feel like I'm making some obvious mistake here, but can't see the forest right now.
>>>
>>> ...
>>>
>>> # Let user specify domains to avoid decrypting, such as internet banking
>>> acl bump-bypass dstdomain .commbank.com.au
>>>
>>> ...
>>>
>>> ssl_bump none bump-bypass
>>> ssl_bump server-first all
>>
>>
>> This will not work for intercepting traffic. Because domain is known only after SSL connection is established. So certificate stage etc has already passed.
>>
>>
>> You should try an ACL check based on the real IP or IP range. Of course this assumes that the IP will never change for those banks.
>>
>> I am also assuming that squid checks IP based ACLs for ssl_bump before establishing the connection with the client. (I have personally not tried this setup so cannot tell for sure.)
>>
>>
>> Or you need to create rules at firewall level which will *not* divert traffic for those sites to squid.
>>
>> Amm.
>
> Also, Squid tunnel functionality requires a CONNECT wrapper to generate outgoing connections.
> It is not yet setup to do the raw-TCP type of bypass the intercepted traffic would require.
>
> Amos
Received on Tue Mar 05 2013 - 22:13:05 MST
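The firewall-level bypass that Amm suggests and that Dan settles on (do not divert the banks' traffic to Squid at all, since the server name is unknown until after the TLS handshake) can be expressed as a short REDIRECT ruleset. The script below is an added example written for this archive page, not configuration from the thread or from the Squid project. It assumes a hypothetical LAN interface `eth1`, a Squid HTTPS intercept port of 3129, and placeholder bank address ranges taken from the TEST-NET documentation blocks; substitute the real addresses and keep them current, as Amm notes, because the bypass is only as good as the IP list.

```shell
#!/bin/sh
# Added example: exempt bank address ranges from HTTPS interception at the
# firewall so Squid never sees (and never bumps) those connections.
# All values below are hypothetical placeholders, not from the thread.
LAN_IF="${LAN_IF:-eth1}"                 # interface the clients sit behind
SQUID_HTTPS_PORT="${SQUID_HTTPS_PORT:-3129}"  # https_port ... intercept ssl-bump
BYPASS_NETS="203.0.113.0/24 198.51.100.0/24"  # TEST-NET ranges as stand-ins for bank IPs

# Emit the nat/PREROUTING rules in the order they must be installed: one
# RETURN per bypassed network first, then the catch-all REDIRECT. A packet
# that hits RETURN leaves the chain unmodified and goes straight to the bank.
intercept_rules() {
    for net in $BYPASS_NETS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -d $net -j RETURN"
    done
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_HTTPS_PORT"
}

# Guard against the classic mistake of appending the exemptions after the
# REDIRECT (where they are never reached): succeed only if every RETURN rule
# precedes the single REDIRECT rule.
check_order() {
    intercept_rules | awk '
        /-j REDIRECT/ { seen = 1 }
        /-j RETURN/ && seen { bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Count of rules that would be installed (bypass networks + 1 REDIRECT).
rule_count() {
    intercept_rules | grep -c .
}

if [ "${1:-}" = "--apply" ]; then
    check_order || { echo "rule ordering is wrong, refusing to apply" >&2; exit 1; }
    intercept_rules | while read -r cmd; do sh -c "$cmd"; done
else
    # Dry run: print the commands instead of executing them.
    intercept_rules
fi
```

Run without arguments to review the generated rules; `--apply` installs them (needs root) only after the ordering check passes. Because bypassed connections never reach Squid, they will show up neither in access.log nor with the Squid CA's certificate in the browser, which is exactly the evidence Dan used to spot that the dstdomain rule was not taking effect.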

This archive was generated by hypermail 2.2.0 : Wed Mar 06 2013 - 12:00:04 MST