Re: [squid-users] Bypassing SSL Bump for dstdomain

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 05 Mar 2013 23:09:24 +1300

On 5/03/2013 6:11 p.m., Amm wrote:
>> ________________________________
>> From: Dan Charlesworth <dan_at_getbusi.com>
>> To: squid-users_at_squid-cache.org
>> Sent: Tuesday, 5 March 2013 10:21 AM
>> Subject: [squid-users] Bypassing SSL Bump for dstdomain
>>
>> Hi
>>
>> I've recently set up a very simple Squid 3.3.1 deployment to test out Server First bumping and Mimicking in a REDIRECT type intercept configuration.
>>
>> It's working quite nicely, but I'm trying to accommodate a scenario where an admin would like to disable bumping for certain websites, for example internet banking ones.
>>
>> I basically have the exact same "ssl_bump" parameters from the config example and yet requests matching the ACL are still being bumped as evidenced by:
>> - The full HTTPS URLs being recorded in the access log.
>> - My client browser continuing to show that the certificate is signed by the squid-signed CA when accessing the dstdomain.
>>
>> I feel like I'm making some obvious mistake here, but can't see the forest right now.
>>
>> ...
>>
>> # Let user specify domains to avoid decrypting, such as internet banking
>> acl bump-bypass dstdomain .commbank.com.au
>>
>> ...
>>
>> ssl_bump none bump-bypass
>> ssl_bump server-first all
>
>
> This will not work for intercepted traffic, because the domain is known only after the SSL connection is established, so the certificate stage etc. has already passed.
>
>
> You should try an ACL check based on the real IP or IP range. Of course this assumes that the IP will never change for those banks.
>
> I am also assuming that squid checks IP based ACLs for ssl_bump before establishing the connection with the client. (I have personally not tried this setup so cannot tell for sure.)
>
>
> Or you need to create rules at firewall level which will *not* divert traffic for those sites to squid.
>
> Amm.

Also, Squid tunnel functionality requires a CONNECT wrapper to generate
outgoing connections.
It is not yet set up to do the raw-TCP type of bypass that the intercepted
traffic would require.

Amos
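Added example, not part of the thread or of Squid itself: a small POSIX shell script that builds the firewall-level bypass Amm suggests last, which is the only option that does not depend on Squid being able to tunnel intercepted traffic (the limitation Amos describes). The interface name, the Squid intercept port and the bypass networks are assumptions for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the bank's real address space, which you must look up yourself and keep current, as Amm notes.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): emit the iptables
# nat/PREROUTING rules that keep chosen destination networks out of the
# REDIRECT that feeds Squid's intercept port, so those TLS sessions
# never reach ssl_bump at all.
#
# Assumptions (not from the thread): LAN side is eth1, Squid's HTTPS
# intercept port is 3130, bank networks are the two documentation ranges.
LAN_IF="${LAN_IF:-eth1}"
SQUID_HTTPS_PORT="${SQUID_HTTPS_PORT:-3130}"

# Destination networks that must reach the origin untouched.
# Caveat from the thread: these addresses can change; re-check them.
BYPASS_NETS="203.0.113.0/24 198.51.100.0/24"

# Print the rules in the order they must be installed: the RETURN rules
# for the bypass networks first, the REDIRECT last, because iptables
# stops at the first matching rule in a chain. A RETURN after the
# REDIRECT would never be reached.
bypass_rules() {
    for net in $BYPASS_NETS; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -d %s -j RETURN\n' \
            "$LAN_IF" "$net"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$SQUID_HTTPS_PORT"
}

# Number of generated rules: one RETURN per bypass network plus the REDIRECT.
rule_count() {
    bypass_rules | wc -l | tr -d ' '
}

# Ordering check: succeeds only if no RETURN rule follows the REDIRECT.
rules_ordered() {
    bypass_rules | awk '/REDIRECT/ {seen=1; next} seen && /RETURN/ {bad=1} END {exit bad}'
}

# Dry run by default; "apply" executes the rules (needs root on the gateway).
if [ "${1:-print}" = "apply" ]; then
    bypass_rules | sh -e
else
    bypass_rules
fi
```

If the REDIRECT rule already exists on the gateway, install the RETURN rules with `-I` (insert at the top of the chain) rather than `-A`, or flush and re-create the chain from this script, so the exclusions sit before the redirect. After applying, the bank sites will show their own certificate in the browser and will no longer appear in Squid's access log, which is the check Dan used to notice the bumping in the first place.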
Received on Tue Mar 05 2013 - 10:09:45 MST

This archive was generated by hypermail 2.2.0 : Wed Mar 06 2013 - 12:00:04 MST