Thanks. I will give it a try.
___________________________________
Jonathan
----------------------------------------
> Date: Thu, 23 Apr 2015 19:39:05 -0300
> From: marcus.k...@urlfilterdb.com
> To: jonathan_chret...@hotmail.com; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] HTTPS Filtering and SSL-Bump
>
> On 04/23/2015 05:52 PM, Jonathan Chretien wrote:
>> Hi all.
>>
>> I'm trying to implement the filtering of https content for a particular url.
>> The only thing that I'm trying to do is to unlock corporate video on the
>> Youtube website. I do not want to unlock everything on Youtube but only our
>> corporate stuff.
>>
>> The url looks like this: https://www.youtube.com/users/MyCompany.
>>
>> I'm using UFDBGuard as a url filter.
>>
>> The problem is that SSL-Bump is working well but the URL passed from Squid to
>> UFDBGuard is the non SSL-Bump url. What I mean is that the URL that
>> UFDBGuard is receiving is https://www.youtube.com:443 instead of
>> https://www.youtube.com/users/MyCompany.
>>
>> So because UFDBGuard is not receiving the complete SSL-Bump URL, UFDBGuard
>> sees that it's Youtube.com, so it blocks the website. If UFDBGuard was
>> receiving the real SSL-Bump url https://www.youtube.com/users/MyCompany,
>> UFDBGuard would see that this url is whitelisted and should allow the access.
>
> This is not the full story.
> With SSLbump on, Squid sends to ufdbGuard first
>    CONNECT www.youtube.com:443
> and then
>    GET https://www.youtube.com/users/MyCompany
>
> ufdbGuard does not yet have support for this but you could whitelist
>    www.youtube.com:443
> using a regular expression
> and whitelist https://www.youtube.com/users/MyCompany and a bunch of other
> URLs that are used for the markup of the entire page
> and blacklist a bunch of other youtube URLs to get the desired behavior.
>
> Whitelisting a subset of a website is usually not so straightforward so one
> needs to pay much attention to the "bunch of URLs" used in the whitelist and
> blacklist.
> I suggest not blacklisting www.youtube.com but starting with blacklisting a few
> important URLs of youtube such that the effective result is that non-company
> access to Youtube is blocked.
>
> Marcus
> maintainer of ufdbGuard.
>
> PS: after you have done all this, you also need to block all web proxies
> which can be used to circumvent the intended Youtube block.
>
>> Log in the UFDBGuard.log
>> 2015-04-23 16:19:59 [10669] BLOCK MyUser 192.168.100.27 Internet movies
>> www.youtube.com:443 CONNECT
>>
>> Is there something missing in my Squid.conf to pass the correct URL?
>>
>> http_port 192.168.100.2:3129 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl/mycert.com.private
>> cert=/etc/squid/ssl/mycert.com.cert
>>
>> # SSL Bump Config
>> sslproxy_cert_error deny all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> sslcrtd_children 8 startup=1 idle=1
>>
>> acl sslBumpYoutube dstdomain www.youtube.com
>>
>> # SSL Bump Config
>> always_direct allow sslBumpYoutube
>> ssl_bump server-first sslBumpYoutube
>> ssl_bump none all
>>
>> Also all my users using the proxy are authenticated.
>>
>>
>> Thanks
>> ___________________________________
>> Jonathan
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
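
The two-stage decision described in the quoted reply (let the CONNECT for www.youtube.com:443 through, then decide on the bumped GET), written as a small Squid url_rewrite helper. This is an added example, not part of the original thread and not ufdbGuard code or configuration. It assumes Squid's default helper input line (URL, client, user, method) without concurrency and the Squid 3.4+ reply syntax; the allowed prefix list and the block-page URL are constructed, and a real page needs further allowed URLs for its markup.

```python
import sys
from urllib.parse import urlsplit

# Constructed policy for this example (not taken from ufdbGuard).
RESTRICTED_HOSTS = {"www.youtube.com"}         # hosts bumped by Squid
ALLOWED_PREFIXES = ("/users/MyCompany",)       # paths allowed on those hosts
BLOCK_URL = "http://blockpage.example/denied"  # hypothetical block page

ALLOW = "ERR"                                  # ERR = leave the URL unchanged
BLOCK = 'OK status=302 url="%s"' % BLOCK_URL


def path_allowed(path):
    # Refuse dot segments, then match on whole path segments so that
    # /users/MyCompanyX does not pass as /users/MyCompany.
    if ".." in path.split("/"):
        return False
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def decide(line):
    """Reply for one helper input line: URL client_ip/fqdn user method ..."""
    fields = line.split()
    if len(fields) < 4:
        return 'BH message="malformed input"'
    url, method = fields[0], fields[3]
    if method == "CONNECT":
        # Only host:port is visible here. Pass port 443 so the tunnel can be
        # bumped; the path decision is made on the decrypted request.
        host, _, port = url.rpartition(":")
        if host.lower() in RESTRICTED_HOSTS and port != "443":
            return BLOCK
        return ALLOW
    parts = urlsplit(url)
    if (parts.hostname or "") in RESTRICTED_HOSTS:
        return ALLOW if path_allowed(parts.path) else BLOCK
    return ALLOW  # other sites are outside this example's policy


if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)
```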