Time acl not working


Time acl not working

Danilo V
Hello all, time acl is not working for dynamic HTTPS pages such as social networks.

I set it to release any content during lunch time. In this period everything works, but when the interval expires, the already open network media pages continue to receive updates and are not blocked as expected. On the other hand, HTTP pages and some static HTTPS pages do not have this problem.

The issue was verified in both squid3 and squidguard 1.5 in explicit mode and in sites such as Facebook, Twitter and Instagram.

The problem is very simple to simulate. The only workaround found is to restart the squid.

Can someone help me?

Danilo Teixeira

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Time acl not working

Antony Stone
On Wednesday 07 February 2018 at 12:12:47, Danilo V wrote:

> Hello all, time acl is not working for dynamic HTTPS pages such as social
> networks.
>
> I set it to release any content during lunch time. In this period
> everything works, but when the interval expires, the already open network
> media pages continue to receive updates and are not blocked as expected. On
> the other hand HTTP pages and some static HTTPS do not occur this problem.
>
> The issue was verified in both squid3 and squidguard 1.5 in explicit mode
> and in sites such as Facebook, Twitter and Instagram.
>
> The problem is very simple to simulate. The only workaround found is to
> restart the squid.
>
> Can someone help me?

Show us how to reproduce the problem.


Antony.

--
Users don't know what they want until they see what they get.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Time acl not working

Danilo V
- Squid.conf:

http_port 3128
acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
acl LUNCH time 12:00-13:00
http_access allow social LUNCH
http_access deny social

1. Adjust time in acl to your local test time.
2. Open facebook and twitter tabs in browser within allowed hours.
3. Once the interval expires try to scroll pages down or click internal links.
4. It's still working here. :-(

Best,
Danilo


Re: Time acl not working

Amos Jeffries
Administrator

On 08/02/18 01:37, Danilo V wrote:

> - Squid.conf:
>
> http_port 3128
> acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com
> acl LUNCH time 12:00-13:00
> http_access allow social LUNCH
> http_access deny social
>
> 1. Adjust time in acl to your local test time.
> 2. Open facebook and twitter tabs in browser within allowed hours.
> 3. Once the interval expires try to scroll pages down or click internal
> links.
> 4. It's still working here. :-(
>

So what https_port and/or SSL-Bump settings do you use to actually
access the HTTPS requests?

Without either explicit TLS or SSL-Bump there is only an initial CONNECT
tunnel setup. The time ACLs are applied at that point and HTTP ends once
the tunnel starts. No ACLs or other checking is possible on the TCP
connection.


Amos
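
The effect described in the reply above can be measured from access.log by finding CONNECT tunnels that were admitted inside the time window and stayed open after it ended. This is an added example, not code from the thread or from the Squid project; it assumes Squid's native log format (the CONNECT entry is written when the tunnel closes, and the second field is the elapsed time in milliseconds), and the function name, the UTC default and the sample log lines are constructed for illustration.

```python
from datetime import datetime, time, timezone

# Constructed sample lines in Squid's native access.log layout (not from the
# thread): end-of-transaction epoch time, elapsed ms, client, result code,
# bytes, method, target, ... All times fall on 2018-02-07 UTC.
SAMPLE_LOG = """\
1518010800.000 2700000 10.0.0.5 TCP_TUNNEL/200 904512 CONNECT www.facebook.com:443 - HIER_DIRECT/192.0.2.10 -
1518005520.000 120000 10.0.0.6 TCP_TUNNEL/200 20480 CONNECT twitter.com:443 - HIER_DIRECT/192.0.2.20 -
1518008700.000 0 10.0.0.7 TCP_DENIED/403 3900 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1518006000.350 350 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.30 text/html
1518008410.000 40000 10.0.0.8 TCP_TUNNEL/200 8192 CONNECT twitter.com:443 - HIER_DIRECT/192.0.2.20 -
"""


def tunnels_outliving_window(log_text, start=time(12, 0), end=time(13, 0),
                             tz=timezone.utc):
    """Return (client, target, opened, overrun_seconds) for each CONNECT tunnel
    admitted inside [start, end) that was still open after `end`.
    `tz` should be the proxy's local zone, since time ACLs use local time."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        # Keep only tunnels Squid actually established (CONNECT answered 200).
        if len(f) < 7 or f[5] != "CONNECT" or not f[3].endswith("/200"):
            continue
        closed = datetime.fromtimestamp(float(f[0]), tz)
        opened = datetime.fromtimestamp(float(f[0]) - int(f[1]) / 1000.0, tz)
        # The time ACL is evaluated once, when the CONNECT request arrives.
        if not (start <= opened.time() < end):
            continue
        window_end = datetime.combine(opened.date(), end, tz)
        overrun = (closed - window_end).total_seconds()
        if overrun > 0:
            findings.append((f[2], f[6], opened.strftime("%H:%M:%S"), int(overrun)))
    # Longest overrun first.
    return sorted(findings, key=lambda r: -r[3])


if __name__ == "__main__":
    for client, target, opened, overrun in tunnels_outliving_window(SAMPLE_LOG):
        print(f"{client} -> {target} opened {opened}, open {overrun}s past window end")
```

Windows that cross midnight are not handled here; the LUNCH window in the thread does not need it.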
Re: Time acl not working

Danilo V
I'm not using SSL intercept configuration. Now I see it is required, even for explicit mode.
Thank you for the explanation.

Danilo




Re: Time acl not working

Amos Jeffries
Administrator
On 08/02/18 02:50, Danilo V wrote:
> I'm not using SSL intercept configuration. Now i see is required, even
> for explicit mode.

Only because you want *Squid* to be the process controlling HTTPS
things. If you did the controls at the network traffic level (e.g.
iptables, pf) instead then you would not have to worry about these types
of differences.

Amos

Re: Time acl not working

Danilo V
I'm thinking of adding a routine to cron to restart squid as soon as lunch break ends.
Is there any other less invasive way to reset an ssl connection and force another CONNECT to squid?
