Adding exclusions for SSL Bumping

These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to a ready-to-use operating system. If Kaspersky Web Traffic Security was installed from an ISO file, configuration files for the built-in proxy server cannot be manually changed.

You may need to add exclusions for SSL Bumping in the following cases:

• Software uses a protocol other than HTTPS (such as SSH, RDP, or VPN).
• Software or web resource uses the WebSockets or HTTP/2.0 protocol.
• National encryption algorithms (such as GOST or SM2) are being used to access a web resource.
• Software uses server certificate pinning.
• Software or web resource requires authorization based on the client SSL certificate.

To add exclusions for SSL Bumping:

1. Create a file named /etc/squid/donotbump.list containing a list of domain names of the web resources and hosts that you want to add to exclusions.

   Each domain name must be listed on a new line.

   To add a domain with all its subdomains to exclusions, put a dot at the beginning of the value (for example, .domain.com).

2. Add the following directives to the configuration file /etc/squid/squid.conf:

   acl do_not_bump dstdomain "/etc/squid/donotbump.list"

   ssl_bump splice do_not_bump

   These strings must be added before the final directive ssl_bump stare all.

3. Restart the Squid service. To do so, execute the command:

   service squid restart

The SSL Bumping exclusions will be added.

Page top