On 2/03/19 8:54 am, Joseph Jones wrote:
> I've been trying to get SslBump to work for whitelist purposes and so far
> have been failing.
>
> It's my understanding that in order for SslBump to do whitelisting it will
> need to do a splice at step2 or step3.
Not quite. For intercepted traffic you do need a peek at step1 to get the TLS SNI details. Before that Squid only has the raw IP.

But your problem is earlier than even step1.

Before bumping starts, Squid synthesizes a CONNECT message to check if the client is allowed to even make requests of the proxy. This uses the TCP SYN packet's src-IP as the message URI.

Your http_access permissions being *only* these:

  http_access allow localnet http_whitelist
  http_access deny all

... the raw-IP URI will not match true for the whitelist check, leaving the deny to reject the client.

Then we get to the SSL-Bump. Since the decision has already been made to reject this client, all Squid does is the peek and client-first bump actions. These happen in order to deliver that denial page in a form that browsers will most likely display (no guarantee though).

What you need to avoid this too-early denial is to allow the CONNECTs which happen on the interception port. Add these lines above your deny all:

  acl port3129 myportname 3129
  http_access allow CONNECT port3129

PS. I also advise leaving the Safe_ports and SSL_ports checks from the default config as they were. They have no effect on any of the SSL-Bump activity and protect your proxy against several types of DoS and other nasty attacks.

Amos
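Putting the advice above together, here is an added squid.conf fragment (not from the thread or the Squid project) showing the rule order that lets the synthesized CONNECT through before the whitelist check, with a peek at step1 and a splice on the SNI. The LAN range, the whitelist file path, the certificate path and the terminate-by-default choice for non-whitelisted servers are assumptions.

```conf
# Added example, not from the original thread. Assumed: LAN is 192.168.0.0/16,
# whitelist file lists domains one per line, bump.pem is the signing cert.
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Name of the interception port (defaults to the port number when no name= is set)
acl port3129 myportname 3129

# Same whitelist used twice: dstdomain for plain HTTP requests,
# ssl::server_name for the SNI learned by peeking at step1
acl http_whitelist dstdomain "/etc/squid/whitelist.txt"
acl tls_whitelist ssl::server_name "/etc/squid/whitelist.txt"

acl step1 at_step SslBump1

http_port 3128
http_port 3129 intercept ssl-bump cert=/etc/squid/bump.pem

# Keep the stock safety checks; they do not affect SSL-Bump
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The synthesized CONNECT carries a raw-IP URI that can never match the
# dstdomain whitelist, so admit it here (restricted to the LAN as an extra
# precaution) or the client is denied before step1 even runs.
http_access allow localnet CONNECT port3129

http_access allow localnet http_whitelist
http_access deny all

# Peek at step1 to obtain the SNI, then splice whitelisted servers;
# everything else is closed without decryption (assumed policy)
ssl_bump peek step1
ssl_bump splice tls_whitelist
ssl_bump terminate all
```

Check the order with `squid -k parse` and watch cache.log: a client denied before step1 shows up as a TCP_DENIED on the synthesized CONNECT rather than as a splice.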