On Tue, 16 Feb 2010 07:42:09 -0800 (PST), Carlos Lopez
<the_spide21_at_yahoo.com> wrote:
> Hi all,
>
> I'am new to squid and I was wondering if it is possible to tunnel https
> request from authenticated users and then via script block/allow access
to
> https address, but depending of what's the result of the script, let's
say:
>
> user1 and user2
>
> user1, have access to check yahoo mail only and do internet bank
> accounting for only one specific site, so he/she may need https port to
be
> open (https and http are blocked on the firewall), but at the same time
do
> some filtering, to restrict him/her to navigate for example Adult sites.
>
> user2, got access only to navigate through port http and also do some
> filters via script (for example, block access to webchat links)
>
Yes. HTTPS traffic has access to the destination domain name and port by
themselves.
If some combo of the existing ACL types does not match what you want
cleanly, look at external_acl_type to call some more complicated helper
script.
http://www.squid-cache.org/Doc/config/external_acl_type/
It's controlled using http_access same as any other request. Just include
"CONNECT" at the start of all the HTTPS-specific rules. Like so:
http_access <allow or deny> CONNECT ...
For example, the default security rule:
http_access deny CONNECT !SSL_ports
... blocks all non-SSL ports from being accessed via the tunnel.
(I'd advise placing your HTTPS rules below that one.)
Amos
Received on Tue Feb 16 2010 - 22:16:52 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 17 2010 - 12:00:05 MST