SSL Bump Client exception

Started by SteNub, March 23, 2021, 12:00:13 PM

Hello everybody,

I have managed to get some clients SSL bumped and some others not.
Unfortunately I only got it to work by modifying the squid.conf at the ssl_bump part:



# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl bump_nobumpclients src "/usr/local/etc/squid/nobumpclients.acl"

# configure bump
ssl_bump splice bump_nobumpclients
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3



Now I can enter single IPs or IP ranges in the nobumpclients.acl file and everything works as expected! :-)

My question is: Can this be achieved in the custom conf folders, too (pre-auth, auth, post-auth)? I tried but it seems my entries are ignored? Maybe this small addon is worth a commit to the official repo?
Via GUI it would be possible to create the nobumpclients entries in the corresponding file, analogous to the nobumpsites.

Any hints?

Thank You!
Stefan
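
An added example, not part of the original post or of the project's code: every address listed in nobumpclients.acl is spliced and so skips inspection, so this Python sketch audits such a file for unparseable or overly broad entries. The sample file contents, the 256-address threshold, the function names and the treatment of `#` as a comment marker are assumptions; only single IPs, CIDR networks and first-last ranges are handled.

```python
import ipaddress

# Constructed sample contents for nobumpclients.acl (not taken from the thread).
SAMPLE_ACL = """\
# admin workstations
192.168.10.25
192.168.20.0/24
10.0.5.10-10.0.5.20
10.0.0.0/8
not-an-ip
"""

def parse_entry(entry):
    """Turn one entry (IP, CIDR or first-last range) into a list of networks."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def audit_acl(text, max_addresses=256):
    """Return (networks, findings); findings are (line, entry, reason) tuples."""
    networks, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError):
            findings.append((lineno, entry, "unparseable"))
            continue
        size = sum(n.num_addresses for n in nets)
        if size > max_addresses:
            findings.append((lineno, entry, f"broad: {size} addresses skip inspection"))
        networks.extend(nets)
    return networks, findings

def is_spliced(client, networks):
    """True if the client address falls inside any exempted network."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets, findings = audit_acl(SAMPLE_ACL)
    for lineno, entry, reason in findings:
        print(f"line {lineno}: {entry}: {reason}")
    for client in ("192.168.10.25", "10.0.5.15", "172.16.1.1"):
        print(client, "spliced" if is_spliced(client, nets) else "bumped")
```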

Hello Stefan,

I am working on the same problem ... I would like to do SNI-inspection (with category filtering) for all clients ... but true SSL-inspection only for specific subnets. Did you get that working (by use of include-folders)?

Best regards,
mscd