Enhancement #3432

web filter: ssl bypassed sites can't be blocked

Added by Filippo Carletti almost 3 years ago. Updated almost 3 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.8
Resolution:
NEEDINFO: No

Description

Symptoms and steps to reproduce:
I'd like to block access to windowsupdate.microsoft.com, I add it to the filter blacklist, but I can still open the website.
Some other sites can't be blocked, those contained in /etc/squid/acls/ssl_bypass.acl.

Associated revisions

Revision ef85be5e
Added by Giacomo Sanchietti almost 3 years ago

Remove ssl_bypass ACL. Refs #3432

Revision f9cf6e6e
Added by Giacomo Sanchietti almost 3 years ago

Remove ssl_bypass ACL. Refs #3432

History

#1 Updated by Filippo Carletti almost 3 years ago

  • Status changed from NEW to TRIAGED
  • Assignee set to Filippo Carletti
  • % Done changed from 0 to 20

I don't get why sites that don't get intercepted by the ssl proxy can't be blocked. It may be an overlooked feature.
I removed the configuration from squid.conf and I blocked the site.
My fix:

rm -f /etc/e-smith/templates/etc/squid/squid.conf/30http_access_40_ssl

#2 Updated by Filippo Carletti almost 3 years ago

Side note: the ssl bump bypass list is useless in a transparent ssl proxy scenario: squid receives the destination IP address, not the domain name.
To avoid intercepting some https sites, the only option is using the Sites without proxy list.

#3 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee changed from Filippo Carletti to Giacomo Sanchietti
  • % Done changed from 20 to 30

Remove the ssl bypass implementation since it's useless.

#4 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-squid-1.3.11-1.3.gef85be5.ns6.src.rpm

Test case
- Verify that ssl_bypass acl has been removed

#6 Updated by Davide Principi almost 3 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi almost 3 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

grep -F ssl_bypass /etc/squid/squid.conf

Does not match, as expected.

#8 Updated by Giacomo Sanchietti almost 3 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released:
- nethserver-squid-1.3.12-1.ns6.noarch.rpm
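
The verification in #7 greps only the expanded /etc/squid/squid.conf. As an added example (not part of this issue or of the nethserver-squid code), the shell check below skips commented-out lines and also inspects the template directory named in #1, since a fragment left there would be written back into squid.conf the next time the template is expanded. The function names and the `root` prefix argument are hypothetical; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: regression check for the ssl_bypass removal (Refs #3432).
# $1 is a hypothetical filesystem prefix: empty on a live server, or an
# unpacked package / test tree.

# Print one line for every place where the ssl_bypass ACL still survives.
ssl_bypass_residue() {
    root="${1:-}"
    conf="$root/etc/squid/squid.conf"
    tmpl="$root/etc/e-smith/templates/etc/squid/squid.conf"

    # Active directives only: a leftover comment does not affect Squid.
    if [ -f "$conf" ]; then
        grep -v '^[[:space:]]*#' "$conf" | grep -F 'ssl_bypass' \
            | sed 's|^|squid.conf: |'
    fi

    # Template fragments that still mention the ACL.
    if [ -d "$tmpl" ]; then
        grep -rlF 'ssl_bypass' "$tmpl" | sed 's|^|template: |'
    fi

    # The fragment removed by hand in comment #1.
    if [ -e "$tmpl/30http_access_40_ssl" ]; then
        echo "template fragment: 30http_access_40_ssl"
    fi
    return 0
}

# Succeeds only when nothing is reported.
ssl_bypass_removed() {
    [ -z "$(ssl_bypass_residue "${1:-}")" ]
}

# ROOT is an assumed environment variable; leave it unset on a live system.
if ssl_bypass_removed "${ROOT:-}"; then
    echo "ssl_bypass: not present"
else
    ssl_bypass_residue "${ROOT:-}"
fi
```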
