[squid-users] reverse proxy - ssl url filtering

From: <forum_at_benbra.de>
Date: Wed, 26 Sep 2012 14:05:27 +0200

Hey alltogether

We have the following reverse proxy setup:

Client <--SSL--> Squid <--SSL--> Server

and the important acls look like:

https_port 443 accel cert=/usr/local/squid/certs/cert.pem
key=/usr/local/squid/certs/key.pem defaultsite=example.org
clientca=/usr/local/squid/certs/cacert.pem
cafile=/usr/local/squid/certs/cacert.pem capath=/usr/local/squid/certs/
sslcontext=id

cache_peer xxx.xxx.xxx.xxx parent 443 0 no-query originserver
login=PASS ssl sslflags=DONT_VERIFY_PEER
sslcert=/usr/local/squid/certs/exchange.crt
sslkey=/usr/local/squid/certs/nopassexchange.key name=exchange_peer

So as you can see the client uses ssl and a client certificate as
authentication to connect to squid. Now we wanted to do some url
filtering:

acl exchange_dirs urlpath_regex
(\/owa|\/Autodiscover|\/Microsoft-Server-ActiveSync)
acl exchange_base_url url_regex ^https://example.org
http_access allow exchange_dirs exchange_base_url
http_access deny all

However as you might already guess its not working and I am wondering
why. From my understanding, there is an SSL connection from Client to
Squid and an SSL connection from Squid to Server. Squid encrypts and
decrypts in the middle. Therefore squid schould be able to do the url
filtering.

However the observed behviour is, that URL filtering works as long as
the user has NOT authenticated itself with its client CA. However after
the user authentication, the user can browse every url within
example.org. As if there were a direkt ssl connection between Client and
Server.

Do we need to set the ssl-bump option? And if yes why? Isn't squid
already doing encryption and decryption?

Thanks in advance

B. Brandt
Received on Wed Sep 26 2012 - 12:05:32 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 26 2012 - 12:00:04 MDT