
Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

dan
Hi,

When I exclude some sites (like banks) with ssl_bump peek/splice, that works well. I got a new problem: the
sites that I exclude cannot be blocked using Url_Rewrite.
I use Url_rewrite to block sites based on user IP, and for all other sites (not in the exclude list) it is working very well.

How can I fix it? Or is there another way to block excluded sites in ssl_bump based on user IP?

Thanks Dan.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

Amos Jeffries
Administrator
On 20/02/2017 8:33 p.m., Test1964 wrote:

> Hi,
>
> When I exclude some sites (like banks) with ssl_bump peek/splice, that
> works well. I got a new problem: the
> sites that I exclude cannot be blocked using Url_Rewrite.
> I use Url_rewrite to block sites based on user IP, and for all other
> sites (not in the exclude list) it is working very well.
>
> How can I fix it? Or is there another way to block excluded sites in ssl_bump
> based on user IP?
>

Block things using an access control mechanism. That is what access
controls (ACLs, http_access, deny_info) are for.

If your blocking conditions are so complex or dynamic that Squid ACLs
are not able to cope; then use an external_acl_type helper to give the
allow/deny result and also consider if you can simplify the access policies.


Do not use a URL routing mechanism to do an 'access control' operation.
Changing the destination of a message can *only* work if the relevant
security is equivalent for both paths the message can take.

Re-write has the _appearance_ of working in HTTP because plain-text is
built on complete trust of the proxy. HTTPS is not, it contains
mechanisms to verify the honesty which is preventing your abuse of HTTP.


NP: If you were doing a proper HTTP *redirect* (with appropriate 30x
status codes) it would work, but still wrong to do access control that way.

Amos

Re: Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

Amos Jeffries
Administrator
On 25/02/2017 8:28 p.m., Test1964 wrote:
> Hi,
>
> How can I use "external_acl_type helper" to block some sites (URLs)
> based on user source IP?
> If there is a way, can I block sites even if I exclude them in ssl_bump (like
> banks)?
>

How is your URL-rewrite helper deciding to 'block' ?

PS. please keep the thread on-list.

Amos

Re: Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

dan
Hi,
About blocking URLs: I run a PHP script that gets the URL and user IP and checks in an "SQLite DB" whether to block (our users have fixed IP addresses).

Dan

On 25-Feb-17 09:35, Amos Jeffries wrote:
> On 25/02/2017 8:28 p.m., Test1964 wrote:
>> Hi,
>>
>> How can I use "external_acl_type helper" to block some sites (URLs)
>> based on user source IP?
>> If there is a way, can I block sites even if I exclude them in ssl_bump (like
>> banks)?
>
> How is your URL-rewrite helper deciding to 'block' ?
>
> PS. please keep the thread on-list.
>
> Amos

Re: Squid 3.5.24 - Url_rewrite with ssl_bump in Transparent Mode

dan
Hi,

About blocking URLs: I run a PHP script that gets the URL and user IP and checks in an "SQLite DB" whether to block (our users have fixed IP addresses).

Dan.
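
The external_acl_type helper Amos recommends, applied to the per-IP SQLite lookup Dan describes, as an added example that is not part of the thread or of Squid itself. The helper path, ACL names, database path and the `blocked` table are assumptions; what `%DST` holds for intercepted, spliced connections depends on the Squid setup.

```python
#!/usr/bin/env python3
"""External ACL helper for Squid: is (client IP, destination host) in SQLite?

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type ip_site_block ttl=60 %SRC %DST /usr/local/bin/ip_site_block.py
  acl blocked_for_ip external ip_site_block
  http_access deny blocked_for_ip
With ttl=60 Squid caches each answer, so DB changes can take a minute to apply.
"""
import sqlite3
import sys
from urllib.parse import unquote

DB_PATH = "/var/lib/squid/blocklist.db"  # hypothetical location

def open_db(path):
    """Open the blocklist; the table layout is an assumption of this example."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS blocked (src_ip TEXT NOT NULL, "
               "domain TEXT NOT NULL, PRIMARY KEY (src_ip, domain))")
    return db

def candidates(host):
    """Host plus parent domains, so a row for bank.example covers www.bank.example."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host.lower()]

def decide(db, line):
    """One request line in, one reply out: OK = ACL matches, ERR = no match, BH = bad input."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) != 2:
        return "BH"
    src, dst = fields
    names = candidates(dst)
    marks = ",".join("?" * len(names))  # placeholders only; values are bound below
    row = db.execute(
        f"SELECT 1 FROM blocked WHERE src_ip = ? AND domain IN ({marks}) LIMIT 1",
        [src, *names]).fetchone()
    return "OK" if row else "ERR"

def main():
    db = open_db(DB_PATH)
    for line in sys.stdin:
        sys.stdout.write(decide(db, line) + "\n")
        sys.stdout.flush()  # unbuffered: Squid reads one reply per request line

if __name__ == "__main__":
    main()
```

Because the ACL matches on OK, the `http_access deny` line refuses the request before any URL re-writing would be involved.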