[squid-users] ssl_crtd breaks after short time
Klavs Klavsen
kl at vsen.dk
Thu Jun 4 14:50:00 UTC 2015
Amos Jeffries wrote on 06/04/2015 04:19 PM:
> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>> after moving it here:
>>
>> http_access allow okweb-urls testsrv1
>> http_access allow CONNECT bumpedPorts
>> http_access deny all
>>
>> it still allows everything..
>
> Sigh. Sorry I must be half asleep right now.
>
> Your rules say:
>
> allow ...
> allow ...
> allow ...
>
> So why would anything be denied?
>
last line says: deny all
and it works for http urls.. it denies the websites not listed in
testurls for testsrv1.
>
> Secondly, the log line you pointed out was for peek operation. URL (for
> url_regex ACLs to match) is not known or available until bumping
> (specifically the full "bump" action) has been completed.
>
but the "allow CONNECT" line, seems to make it skip the
http_access deny all
at the bottom.. (and not parse the allows in between which should be the
ones allowing certain websites on https as well..)
do I need to change:
ssl_bump bump all
to list every https site
acl ok-httpsurls url_regex ^https://www.google.dk/$
ssl_bump bump ok-httpsurls
ssl_bump reject !ok-httpsurls
(so I can only use http_access for http intercept and must use ssl_bump
for https urls) ?
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer