Re: [squid-users] reverse proxy - ssl url filtering

From: <forum_at_benbra.de>
Date: Tue, 02 Oct 2012 01:27:13 +0200

Hey all together

Unfortunately I am still suffering from this problem. Any help would
be greatly appreciated.

Thanks in advance

B. Brandt

On 2012-09-26 14:05, forum_at_benbra.de wrote:
> Hey all together
>
> We have the following reverse proxy setup:
>
> Client <--SSL--> Squid <--SSL--> Server
>
> and the important ACLs look like:
>
> https_port 443 accel cert=/usr/local/squid/certs/cert.pem
> key=/usr/local/squid/certs/key.pem defaultsite=example.org
> clientca=/usr/local/squid/certs/cacert.pem
> cafile=/usr/local/squid/certs/cacert.pem
> capath=/usr/local/squid/certs/ sslcontext=id
>
> cache_peer xxx.xxx.xxx.xxx parent 443 0 no-query originserver
> login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/usr/local/squid/certs/exchange.crt
> sslkey=/usr/local/squid/certs/nopassexchange.key name=exchange_peer
>
> So, as you can see, the client uses SSL and a client certificate as
> authentication to connect to Squid. Now we wanted to do some URL
> filtering:
>
> acl exchange_dirs urlpath_regex
> (\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)
> acl exchange_base_url url_regex ^https://example.org
> http_access allow exchange_dirs exchange_base_url
> http_access deny all
>
> However, as you might already guess, it's not working and I am wondering
> why. From my understanding, there is an SSL connection from Client to
> Squid and an SSL connection from Squid to Server. Squid encrypts and
> decrypts in the middle. Therefore Squid should be able to do the URL
> filtering.
>
> However, the observed behaviour is that URL filtering works as long as
> the user has NOT authenticated themselves with their client CA. However,
> after the user authentication, the user can browse every URL within
> example.org, as if there were a direct SSL connection between Client
> and Server.
>
> Do we need to set the ssl-bump option? And if yes, why? Isn't Squid
> already doing encryption and decryption?
>
> Thanks in advance
>
> B. Brandt
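Added example (not from the thread and not Squid code): a Python model of how the two ACLs in the quoted config combine on the `http_access allow exchange_dirs exchange_base_url` line, run over constructed URLs. It assumes Squid's documented matching (urlpath_regex against the request path, url_regex against the full URL, every ACL on one http_access line ANDed) and shows that the patterns are unanchored and case-sensitive as written; the tightened patterns are a suggested variant for the filter itself, not an explanation of the client-certificate behaviour reported above.

```python
import re
from urllib.parse import urlsplit

# Model of the ACL lines from the quoted squid.conf (added example, not Squid itself):
#   acl exchange_dirs urlpath_regex (\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)
#   acl exchange_base_url url_regex ^https://example.org
#   http_access allow exchange_dirs exchange_base_url
#   http_access deny all
# urlpath_regex is matched against the path of the request URL, url_regex against the
# whole URL, and both ACLs on the one allow line must match. Neither acl uses -i, so
# both patterns are case-sensitive.
EXCHANGE_DIRS = re.compile(r"(\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)")
EXCHANGE_BASE_URL = re.compile(r"^https://example.org")

# Hypothetical tightened patterns (my suggestion, not from the thread): anchor the path
# at its start, require a path boundary after the directory name, pin the host, and
# match case-insensitively, since IIS treats /owa and /OWA as the same path.
TIGHT_DIRS = re.compile(r"^/(owa|Autodiscover|Microsoft-Server-ActiveSync)(/|$)", re.IGNORECASE)
TIGHT_BASE_URL = re.compile(r"^https://example\.org(/|$)", re.IGNORECASE)


def url_path(url: str) -> str:
    """Path component as urlpath_regex sees it (query string ignored here for simplicity)."""
    return urlsplit(url).path


def http_access(url: str, dirs=EXCHANGE_DIRS, base=EXCHANGE_BASE_URL) -> str:
    """'allow' if both ACLs match, otherwise 'deny' (the 'http_access deny all' fallthrough)."""
    if dirs.search(url_path(url)) and base.search(url):
        return "allow"
    return "deny"


def http_access_tight(url: str) -> str:
    """Same decision logic with the tightened patterns."""
    return http_access(url, TIGHT_DIRS, TIGHT_BASE_URL)


# Constructed sample requests; the comment is what the original ACLs decide.
SAMPLES = [
    "https://example.org/owa/",                            # allow
    "https://example.org/Autodiscover/Autodiscover.xml",   # allow
    "https://example.org/ecp/",                            # deny: not an exchange_dirs path
    "https://example.org/OWA/",                            # deny: case-sensitive match
    "https://example.org/ecp/owa",                         # allow: urlpath_regex is unanchored
    "https://example.org.example.net/owa/",                # allow: url_regex has no host boundary
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:52} original={http_access(u):5} tightened={http_access_tight(u)}")
```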
Received on Mon Oct 01 2012 - 23:27:19 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 02 2012 - 12:00:02 MDT