Adding exclusions for SSL Bumping
December 13, 2023
ID 193664
These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to a ready-to-use operating system. If Kaspersky Web Traffic Security was installed from an ISO file, configuration files for the built-in proxy server cannot be manually changed.
You may need to add exclusions for SSL Bumping in the following cases:
- Software uses a protocol other than HTTPS (such as SSH, RDP, or VPN).
- Software or web resource uses the WebSockets or HTTP/2.0 protocol.
- National encryption algorithms (such as GOST or SM2) are being used to access a web resource.
- Software uses server certificate pinning.
- Software or web resource requires authorization based on the client SSL certificate.
To add exclusions for SSL Bumping:
- Create a file named /etc/squid/donotbump.list containing a list of domain names of the web resources and hosts that you want to add to exclusions.
Each domain name must be listed on a new line.
To add a domain with all its subdomains to exclusions, put a dot at the beginning of the value (for example, .domain.com).
- Add the following directives to the configuration file /etc/squid/squid.conf:
acl do_not_bump dstdomain "/etc/squid/donotbump.list"
ssl_bump splice do_not_bump
These lines must be added before the final directive ssl_bump stare all.
- Restart the Squid service. To do so, execute the command:
service squid restart
The SSL Bumping exclusions will be added.
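A pre-restart check for the steps above, as an added example that is not part of the original Kaspersky documentation: it verifies that the exclusion list holds one bare domain name per line and that the do_not_bump directives come before ssl_bump stare all. The function names check_list and check_order and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks to run before restarting Squid.

# check_list FILE: each entry must be a single bare domain name, optionally
# with a leading dot. Blank lines and # comments are skipped by this check.
check_list() {
    awk '
        !NF || /^#/ { next }
        !/^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/ {
            printf "%s:%d: not a bare domain name: %s\n", FILENAME, NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# check_order FILE: the acl must be defined before the splice rule, and the
# splice rule must come before the first "ssl_bump stare all" line.
check_order() {
    awk '
        { sub(/#.*/, ""); $1 = $1 }   # drop comments, normalise spacing
        $1 == "acl" && $2 == "do_not_bump" && $3 == "dstdomain" && !acl { acl = NR }
        $0 == "ssl_bump splice do_not_bump" && !splice { splice = NR }
        $0 == "ssl_bump stare all" && !stare { stare = NR }
        END {
            if (!acl)    { print "missing: acl do_not_bump dstdomain"; exit 1 }
            if (!splice) { print "missing: ssl_bump splice do_not_bump"; exit 1 }
            if (!stare)  { print "missing: ssl_bump stare all"; exit 1 }
            if (acl > splice)   { print "acl must precede the splice rule"; exit 1 }
            if (splice > stare) { print "splice rule is after ssl_bump stare all"; exit 1 }
        }
    ' "$1"
}

# Constructed sample files (not taken from a real deployment).
tmp=$(mktemp -d)
printf '%s\n' '.domain.com' 'vpn.example.org' > "$tmp/donotbump.list"
cat > "$tmp/squid.conf" <<'EOF'
acl do_not_bump dstdomain "/etc/squid/donotbump.list"
ssl_bump splice do_not_bump
ssl_bump stare all
EOF
check_list "$tmp/donotbump.list" && check_order "$tmp/squid.conf" \
    && echo "checks passed: safe to restart squid"
```

To use it on a live host, pass /etc/squid/donotbump.list and /etc/squid/squid.conf to the two functions; squid -k parse additionally validates the configuration syntax.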