W dniu 2011-09-06 08:08, Amos Jeffries pisze:
> On 05/09/11 22:03, Łukasz Makowski wrote:
>> Hello everyone,
>>
>> I'm using Squid and ldap_authentication, and recently decided do deploy
>> ssl_bump feature.
>>
>> I have made tests for ssl_bump and everything works just fine, but when
>> combined with ldap authentication,
>> it appeared to have one big disadvantage.
>>
>> For every site user try to visit, squid pops with its authentication
>> window.
>> I see that for regular, http traffic message looks like this : "Server
>> My_Squid_Server needs authentication blablabla".
>> But when ssl_bump triggers during visiting https web page, it states :
>> "Server Https_Site_Domain needs authentication blablabla".
>>
>> I know that this behaviour can be caused by a way that ssl_bump works.
>> Please tell me is there any possible method to overcome this ?
>>
>> Thanks for help.
>>
>> Lukasz
>
> I suspect you have the recommended "deny !authedUsers" or similar.
>
> Bumped traffic should match "acl HTTPS proto HTTPS". So you should be
> able to bypass the auth using that ACL.
>
> Amos
Thanks for your reply.
My auth acl looks like this:
acl password proxy_auth REQUIRED
and rules for traffic:
http_access allow password
ssl_bump allow all
I also tried following, when experimenting with ssl_bump :
acl https_traffic method CONNECT
ssl_bump allow https_traffic
but it works the same for me.
My point when trying to implement ssl_bump was to log https urls and
users accesing them, as I am doing it for http.
I'm concerned about part of your statement "So you should be able to
bypass the auth using that ACL".
Did I understand you correctlly ? Is there no possibility to force squid
to auth my users when accesing https?
Lukasz
-- Łukasz Makowski ITSOFT, ul.Wadowicka 8a, 30-415 Kraków, Poland tel.:+48 12 2637545, fax: +48 12 2637520 lukasz.makowski_at_itsoft.pl www.itsoft.plReceived on Tue Sep 06 2011 - 13:15:07 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 07 2011 - 12:00:04 MDT