Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm thinking of adding a routine to cron to restart squid as soon as lunch
break ends.
Is there any other less invasive way to reset an ssl connection and force
another CONNECT to squid?

On Wed, 7 Feb 2018 at 12:22, Amos Jeffries wrote:

> On 08/02/18 02:50, Danilo V wrote:
> > I'm not using SSL intercept configuration. Now I see it is required, even
> > for explicit mode.
>
> Only because you want *Squid* to be the process controlling HTTPS
> things. If you did the controls at the network traffic level (eg
> iptables, pf) instead then you would not have to worry about these types
> of differences.
>
> Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries
On 08/02/18 02:50, Danilo V wrote:
> I'm not using SSL intercept configuration. Now I see it is required, even
> for explicit mode.

Only because you want *Squid* to be the process controlling HTTPS
things. If you did the controls at the network traffic level (eg
iptables, pf) instead then you would not have to worry about these types
of differences.

Amos


Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm not using SSL intercept configuration. Now I see it is required, even for
explicit mode.
Thank you for the explanation.

Danilo




On Wed, 7 Feb 2018 at 11:00, Amos Jeffries wrote:

>
> On 08/02/18 01:37, Danilo V wrote:
> > - Squid.conf:
> >
> > http_port 3128
> >
> > acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
> > acl LUNCH time 12:00-13:00
> > http_access allow social LUNCH
> > http_access deny social
> >
> > 1. Adjust time in acl to your local test time.
> > 2. Open facebook and twitter tabs in browser within allowed hours.
> > 3. Once the interval expires try to scroll pages down or click internal
> > links.
> > 4. It's still working here. :-(
> >
>
> So what https_port and/or SSL-Bump settings do you use to actually
> access the HTTPS requests?
>
> Without either explicit TLS or SSL-Bump there is only an initial CONNECT
> tunnel setup. The time ACLs are applied at that point and HTTP ends once
> the tunnel starts. No ACLs or other checking is possible on the TCP
> connection.
>
>
> Amos


Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries

On 08/02/18 01:37, Danilo V wrote:
> - Squid.conf:
>
> http_port 3128
>
> acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
> acl LUNCH time 12:00-13:00
> http_access allow social LUNCH
> http_access deny social
> 
> 1. Adjust time in acl to your local test time.
> 2. Open facebook and twitter tabs in browser within allowed hours.
> 3. Once the interval expires try to scroll pages down or click internal
> links.
> 4. It's still working here. :-(
> 

So what https_port and/or SSL-Bump settings do you use to actually
access the HTTPS requests?

Without either explicit TLS or SSL-Bump there is only an initial CONNECT
tunnel setup. The time ACLs are applied at that point and HTTP ends once
the tunnel starts. No ACLs or other checking is possible on the TCP
connection.


Amos
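
Added example (not part of the original thread and not Squid project code): because the time ACL is checked only when the CONNECT arrives, a tunnel opened at 12:50 keeps running after 13:00, and the Python sketch below finds such tunnels in access.log. It assumes Squid's native log layout, that the logged timestamp marks the end of the transaction, and a proxy clock in UTC; the log lines and the function names are constructed for illustration.

```python
from datetime import datetime, time, timezone

# ACL values copied from the squid.conf quoted in this thread.
SOCIAL = (".facebook.com", ".fbcdn.net", ".twitter.com")
LUNCH_START, LUNCH_END = time(12, 0), time(13, 0)

# Constructed sample in Squid's native access.log layout:
# end_time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1518006600.000 600000 192.0.2.9 TCP_TUNNEL/200 5120 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.5 -
1518008700.000 900000 192.0.2.10 TCP_TUNNEL/200 48211 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.5 -
1518011100.000 3300000 192.0.2.11 TCP_TUNNEL/200 913377 CONNECT twitter.com:443 - HIER_DIRECT/203.0.113.9 -
1518011400.000 1 192.0.2.12 TCP_DENIED/403 3951 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1518010200.000 1800000 192.0.2.13 TCP_TUNNEL/200 7710 CONNECT example.org:443 - HIER_DIRECT/198.51.100.7 -
"""


def is_social(host):
    """dstdomain-style match: '.twitter.com' covers twitter.com and subdomains."""
    host = host.lower()
    return any(host == d[1:] or host.endswith(d) for d in SOCIAL)


def tunnels_outliving_window(log_text, tz=timezone.utc):
    """Return (client, host, seconds_open_after_LUNCH_END) for each social
    CONNECT tunnel that was allowed inside LUNCH and stayed open past it."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        # Only successful CONNECTs create a tunnel; denied ones never do.
        if len(f) < 7 or f[5] != "CONNECT" or not f[3].endswith("/200"):
            continue
        host = f[6].rsplit(":", 1)[0]
        if not is_social(host):
            continue
        # Assumption: the timestamp is written when the tunnel closes,
        # so the CONNECT (and the ACL check) happened elapsed_ms earlier.
        end = datetime.fromtimestamp(float(f[0]), tz)
        start = datetime.fromtimestamp(float(f[0]) - int(f[1]) / 1000, tz)
        cutoff = datetime.combine(start.date(), LUNCH_END, tz)
        if LUNCH_START <= start.time() < LUNCH_END and end > cutoff:
            findings.append((f[2], host, int((end - cutoff).total_seconds())))
    return findings


if __name__ == "__main__":
    for client, host, overrun in tunnels_outliving_window(SAMPLE_LOG):
        print(f"{client} kept a tunnel to {host} open {overrun}s after 13:00")
```

A tunnel appears in access.log only once it has closed, so this reports overruns after the fact and does not list tunnels that are still open.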


Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
- Squid.conf:

http_port 3128

acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
acl LUNCH time 12:00-13:00
http_access allow social LUNCH
http_access deny social

1. Adjust time in acl to your local test time.
2. Open facebook and twitter tabs in browser within allowed hours.
3. Once the interval expires try to scroll pages down or click internal
links.
4. It's still working here. :-(

Best,
Danilo

On Wed, 7 Feb 2018 at 09:16, Antony Stone <
antony.st...@squid.open.source.it> wrote:

> On Wednesday 07 February 2018 at 12:12:47, Danilo V wrote:
>
> > Hello all, time acl is not working for dynamic HTTPS pages such as social
> > networks.
> >
> > I set it to release any content during lunch time. In this period
> > everything works, but when the interval expires, the already open network
> > media pages continue to receive updates and are not blocked as expected. On
> > the other hand HTTP pages and some static HTTPS do not have this problem.
> >
> > The issue was verified in both squid3 and squidguard 1.5 in explicit mode
> > and in sites such as Facebook, Twitter and Instagram.
> >
> > The problem is very simple to simulate. The only workaround found is to
> > restart the squid.
> >
> > Can someone help me?
>
> Show us how to reproduce the problem.
>
>
> Antony.
>
> --
> Users don't know what they want until they see what they get.
>
> Please reply to the list;
> please *don't* CC me.


Re: [squid-users] Time acl not working

2018-02-07 Thread Antony Stone
On Wednesday 07 February 2018 at 12:12:47, Danilo V wrote:

> Hello all, time acl is not working for dynamic HTTPS pages such as social
> networks.
> 
> I set it to release any content during lunch time. In this period
> everything works, but when the interval expires, the already open network
> media pages continue to receive updates and are not blocked as expected. On
> the other hand HTTP pages and some static HTTPS do not have this problem.
> 
> The issue was verified in both squid3 and squidguard 1.5 in explicit mode
> and in sites such as Facebook, Twitter and Instagram.
> 
> The problem is very simple to simulate. The only workaround found is to
> restart the squid.
> 
> Can someone help me?

Show us how to reproduce the problem.


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.