On 03/04/2013 10:11 PM, Amm wrote:
>> # Let user specify domains to avoid decrypting, such as internet banking
>> acl bump-bypass dstdomain .commbank.com.au
>> ssl_bump none bump-bypass
>> ssl_bump server-first all
> This will not work for intercepting traffic. Because domain is known
> only after SSL connection is established. So certificate stage etc
> has already passed.
It will work but only if the reverse DNS lookup for the intercepted IP
address works: ssl_bump supports slow ACLs, and dstdomain is a slow ACL
if given an IP address.
> You should try ACL check based on real IP or IP range. Of course this
> assumes that IP will never change for those banks.
Agreed. And one can combine fast IP-based rules with slower reverse DNS
lookups, of course. Each approach has its own flaws.
> I am also assuming that squid checks IP based ACLs for ssl_bump
> before establishing connection with client.
Squid checks all ssl_bump ACLs before establishing a TCP connection with
the server. The TCP connection from the client is already accepted (or
intercepted) by the time ssl_bump ACL is checked.
> Or you need to create rules at firewall level which will *not* divert
> traffic for those sites to squid.
Agreed. That would be a better alternative to IP-based ssl_bump ACLs.
Thank you,
Alex.
Received on Wed Mar 06 2013 - 00:50:36 MST
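The two ACL approaches discussed above side by side, as an added squid.conf fragment that is not part of the thread. The fast dst rule, the slow dstdomain rule and the ordering are assumed for a Squid 3.x server-first setup; the address range is a placeholder, not the bank's real one.

```conf
# Added example, not from the thread. Assumes Squid 3.x with
# https_port ... intercept ssl-bump already configured.

# Fast ACL: matched against the intercepted destination IP before Squid
# opens any TCP connection to the server, so it works for intercepted
# traffic. Flaw: it breaks silently if the bank changes addresses.
# 203.0.113.0/24 is a documentation-range placeholder, not a real bank range.
acl bump-bypass-ip dst 203.0.113.0/24

# Slow ACL: on an intercepted connection Squid only has the destination IP,
# so dstdomain triggers a reverse DNS lookup. Flaw: it only matches if the
# PTR record for that IP resolves back into the listed domain.
acl bump-bypass-name dstdomain .commbank.com.au

# Check the cheap IP rule first and fall through to the reverse-lookup rule
# only for destinations the IP list does not cover; everything else is bumped.
ssl_bump none bump-bypass-ip
ssl_bump none bump-bypass-name
ssl_bump server-first all

# The alternative raised in the thread, not diverting these ranges to Squid
# at the firewall, avoids both lookups entirely and is not shown here.
```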