Squid + clamav MITM custom setting
-
Hi everyone,
I would like to use Squid in transparent mode only to block a blacklist and viruses.
For SSL/MITM mode I have to choose between Splice All, Splice Whitelist Bump Otherwise, and Custom. The first one doesn't allow me to use the antivirus. The other one needs a whitelist (which is not what I want). So for my purpose, I need to choose the other one, but the official Squid MITM doc is not very clear on how to do this.
Does anyone know how to do this? (Bump only blacklist and viruses)
Best regards
-
EDIT1: I can actually do something like ^.* in the whitelist to allow all. Now it allows any website of course, but also blacklisted ones. Is there a regex to do something like ^.* AND not in blacklist?
It seems to be a question of ACL priority: whitelist first and then blacklist. I would like to do the opposite: block what is in the blocklist and allow the rest. -
-
@amisbievre create a file called no block and set that file to splice all.
(Custom settings)
In the image above I have the Xbox set up to splice all, and the Amazon tablet, my wife's iPhone and my Android.
They have issues when you use certificates: some items do not work in the applications; the web browsers do work, however the applications do not.
This still works for URL filtering because the GET requests are still processed. You just can't cache the items.
(LIST)
I created a file named nobump.
Inside this file I added some specific sites that work better if they are only spliced and not bumped. Office, Zoom, some basic items. Make it to what you need.
The rest get bumped. -
@jonathanlee With this change you can use URL filtering for everything, you can use caching with everything else, you can use dynamic caching, your gaming systems. Plus you can use transparent mode and SSL MITM mode at the same time. Best of both worlds, and you get that URL filter on all the systems. MITM has some issues for specific sites that make it a challenge to use fully 100%, so you have to adapt the system for those sites. Set to splice, for example, banking sites; you should never use MITM on banking websites, so they are in the do-not-bump file, office mail is, and a specific Facebook Messenger URL. This way the security of messengers and email is never intercepted or cached. Just the headers are inspected to see if it finds a URL you want blocked. It is common sense: the privacy of specific items that should not have MITM running, and the accelerator can run for the sites that do not need that high privacy. For the ClamAV system to run fully it needs to use MITM automatically. However, there are some sites that you need MITM turned off for.
-
@jonathanlee Palo Alto does the same thing with certificates and intercepts on their firewalls. Just set it up ethically and it will work.
(HTTPS cloud based virus stopped with use of MITM)
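The "splice a short no-bump list, bump everything else, block the blacklist" setup described in the replies above, written out as a Squid ssl_bump/http_access fragment. This is an added example, not configuration from any of the posters or from the pfSense package; it assumes the Squid 4+ peek/splice/bump syntax, and the file paths and ACL names are placeholders you would adapt to your own install.

```conf
# --- ACL definitions (file paths are placeholders, one hostname/domain per line) ---
# SslBump steps: at step 1 Squid has only seen the client's TLS ClientHello (SNI).
acl step1 at_step SslBump1

# Sites that must never be intercepted: banking, office mail, Zoom, messengers.
# ssl::server_name matches the SNI hostname learned at step 1.
acl nobump ssl::server_name "/usr/local/etc/squid/nobump"

# Whole devices whose apps reject the MITM CA (game consoles, phones).
acl noblock_clients src "/usr/local/etc/squid/noblock"

# The blocklist, matched both on SNI (for TLS) and on the request host (for HTTP).
acl blacklist_sni ssl::server_name "/usr/local/etc/squid/blacklist"
acl blacklist     dstdomain        "/usr/local/etc/squid/blacklist"

acl localnet src 192.168.1.0/24        # placeholder LAN range

# --- HTTP access: first matching line wins, so deny before allow ---
# This is the "^.* AND not in blacklist" the original poster asked for:
# a deny rule ahead of the catch-all allow does the job, no regex needed.
http_access deny  blacklist
http_access allow localnet
http_access deny  all

# --- SSL bump: also first match wins, evaluated per step ---
# Look at the SNI without touching the handshake.
ssl_bump peek      step1
# Blocked hosts get their TLS connection closed outright.
ssl_bump terminate blacklist_sni
# Spliced devices and privacy-sensitive sites pass through encrypted;
# only the CONNECT/SNI headers were inspected, nothing is decrypted or cached.
ssl_bump splice    noblock_clients
ssl_bump splice    nobump
# Everything else is decrypted so ClamAV (via ICAP/c-icap) and caching see the content.
ssl_bump bump      all
```

Because the splice decision happens after the peek, hosts in the nobump file are never decrypted, so the ClamAV scan only applies to the bumped remainder, which is exactly the trade-off the replies describe.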