Thanks for your reply Alex, I understood your considerations. Maybe I really didn't understand very well how SslBump works, the differences between peek and splice, and the steps SslBump1, 2 and 3.

I've been searching and studying this for the last two days, and I need to understand these questions better. Is there a way to join ssl_bump + a simple acl? Basically, I would like to permit access to some sites, like facebook, linkedin, for example, during a period of the day, for example:

acl after_work time MTWHFAS 18:00-21:00
ssl_bump terminate deny_https_sites !after_work

Thanks,

2015-10-29 20:35 GMT-02:00 Alex Rousskov <[email protected]>:
> On 10/29/2015 04:09 PM, Rodrigo de Lima Silva wrote:
>
> > I've configured Squid version 3.5.9 and a transparent proxy. To do
> > this, I used the "peek and splice" feature to work with the https
> > protocol in transparent mode. It works fine.
> >
> > There is an "acl" to block some sites, like facebook.com, linkedin.com,
> > etc... It works fine too.
> >
> > acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
> > ssl_bump terminate deny_https_sites
> > ssl_bump peek all
> > ssl_bump splice all
>
> The above is kind of wrong because it may terminate before learning
> enough about the connection. You should terminate after peeking:
>
> acl ...
>
> ssl_bump peek all
> ssl_bump terminate deny_https_sites
> ssl_bump splice all
>
> Peeking feeds your deny_https_sites ACL with information. Without
> peeking, that ACL may only have IP addresses to work with (especially in
> an interception environment).
>
> > But now I need a rule to permit access for specific users, or IP
> > addresses. But I don't know if it's possible with ssl_bump. I tried
> > something like:
> >
> > ssl_bump terminate deny_https_sites !permited_ips
> >
> > or
> >
> > ssl_bump peek deny_https_sites permited_ips
> >
> > Is there a way to do this?
>
> The first variant is theoretically correct, but I recommend avoiding
> negation in ACLs: An ACL result is not a boolean "match" or "mismatch".
> It is actually closer to "match", "mismatch", "do not know", or "error".
> Negating four values correctly is difficult, and Squid itself has had
> many bugs in that area.
>
> If you can truly identify "specific users" by IP, then do that first (no
> need to peek):
>
> ssl_bump splice permited_ips
> ssl_bump peek all
> ssl_bump terminate deny_https_sites
> ssl_bump splice all
>
> If your actual "specific user" ACL needs host name information, then let
> Squid peek first:
>
> ssl_bump peek all
> ssl_bump splice specific_users
> ssl_bump terminate deny_https_sites
> ssl_bump splice all
>
> Your questions indicate that you may not understand how Squid evaluates
> ACL rules. Proceed with caution and try reading a guide book or a good
> tutorial. The basic single-rule evaluation algorithm is not specific to
> SslBump (although multiple ssl_bump directives add more complexity).
>
> Good luck,
>
> Alex.

--
Rodrigo Lima - rodrigodlima[at]gmail[dot]com
_______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users
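An added example, not from the thread or from the Squid project, that combines the ordering Alex recommends with the time-of-day ACL Rodrigo asks about, without using `!` negation. The ACL names, the regex file path and the after_work time window are taken from the thread; the 192.0.2.0/24 range used for permited_ips is an assumption, as is the 3.5 SslBump behaviour described in the comments (rules are re-evaluated at each step, the first matching line wins, and ACLs on one line are ANDed).

```squid
# Added example: squid.conf fragment, not configuration from the thread.
# The regex file and the ACL names come from the thread; the source range
# below is assumed.
acl deny_https_sites ssl::server_name_regex "/etc/squid/https_url.txt"
acl after_work time MTWHFAS 18:00-21:00
acl permited_ips src 192.0.2.0/24

# Trusted hosts are identified by IP, which is known at SslBump step 1,
# so they can be spliced before any peeking.
ssl_bump splice permited_ips

# Everyone else: peek at the client hello so that ssl::server_name_regex
# has the SNI host name to work with at step 2 instead of only an IP.
ssl_bump peek all

# A listed site inside the allowed window is spliced. Both ACLs must match
# (ACLs on one line are ANDed), so no negated ACL is needed.
ssl_bump splice deny_https_sites after_work

# A listed site outside the window reaches this line and is terminated.
ssl_bump terminate deny_https_sites

# Everything not listed is passed through unchanged.
ssl_bump splice all
```

Check the fragment with `squid -k parse` before reloading. Two caveats a practitioner should keep in mind: the splice/terminate decision at step 2 is based on the SNI the client sent, so a client that omits or fakes SNI is not matched by the regex at that step; seeing the server certificate requires peeking again at step 2 and deciding at step 3. And because the time ACL is re-evaluated at each step, a connection opened at 17:59 is still judged against the rules at the moment each step runs, so the window boundary applies to the handshake, not to the lifetime of an already spliced connection.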
