Squid 3.5.24 - Exclude https sites from ssl_bump in Transparent Mode

dan
Hi,

When I try to exclude some sites like banks (or even gmail.com) for users using Squid in TRANSPARENT mode,
I get in the Squid log: "SECURITY ALERT: On URL......." (all servers and users use the same DNS, so this is not an issue).
My config file with regard to this:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump splice localhost


acl exclude_sites ssl::server_name "/etc/squid/exfiles.conf"

ssl_bump peek step1 all

ssl_bump splice exclude_sites
ssl_bump stare step2 all

ssl_bump all

* all users use fake ips (172.x.x.x)

Any ideas how to fix?

Thanks Dan

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid 3.5.24 - Exclude https sites from ssl_bump in Transparent Mode

Eliezer Croitoru
What is the content of /etc/squid/exfiles.conf?

And did you try using:
ssl::server_name_regex -i "/etc/squid/doms.nobump"

/etc/squid/doms.nobump:
##START OF FILE
update\.microsoft\.com$
update\.microsoft\.com\.akadns\.net$
v10\.vortex\-win\.data\.microsoft\.com$
settings\-win\.data\.microsoft\.com$
##END OF FILE
etc…

Eliezer
----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]
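
Every entry in a splice list such as the one in the reply above exempts traffic from inspection, so a loose regex widens the bypass. The following is an added example, not part of the original posts or of Squid: a small Python check for such a file, assuming Python's `re` is an adequate stand-in for Squid's regex matching on these simple patterns. The function names, the two loose entries and the test hostnames are constructed for illustration.

```python
import re

# Constructed sample list: the first two entries come from the reply above,
# the last two are constructed loose patterns added for the demonstration.
DOMS_NOBUMP = r"""
##START OF FILE
update\.microsoft\.com$
settings\-win\.data\.microsoft\.com$
gmail\.com$
mail\.example.com$
##END OF FILE
"""

def load_patterns(text):
    """Return regex lines, skipping blank lines and '#' comment lines."""
    lines = (line.strip() for line in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def unescaped_dots(pattern):
    """Count '.' characters that are neither backslash-escaped nor inside [...]."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # skip the escaped character
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            count += 1
        i += 1
    return count

def matching(sni, patterns):
    """Patterns that match the SNI as a case-insensitive substring search (-i)."""
    return [p for p in patterns if re.search(p, sni, re.IGNORECASE)]

def audit(patterns, should_not_splice):
    """Return (kind, pattern, detail) findings for a reviewer."""
    findings = [("unescaped-dot", p, str(unescaped_dots(p)))
                for p in patterns if unescaped_dots(p)]
    for name in should_not_splice:
        findings += [("over-match", p, name) for p in matching(name, patterns)]
    return findings

if __name__ == "__main__":
    for finding in audit(load_patterns(DOMS_NOBUMP),
                         ["notgmail.com", "mail.examplexcom", "www.example.org"]):
        print(finding)
```

An entry without a left boundary, such as the constructed `gmail\.com$`, matches any name that merely ends in that string; prefixing it with `(^|\.)` restricts it to the domain and its subdomains.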


From: squid-users [mailto:[hidden email]] On Behalf Of Test1964
Sent: Sunday, February 19, 2017 12:22 PM
To: [hidden email]
Subject: [squid-users] Squid 3.5.24 - Exclude https sites from ssl_bump in Transparent Mode
