[squid-users] ssl_crtd breaks after short time

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 4 22:33:39 UTC 2015


On 5/06/2015 2:50 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/04/2015 04:19 PM:
>> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> after moving it here:
>>>
>>> http_access allow okweb-urls testsrv1
>>> http_access allow CONNECT bumpedPorts
>>> http_access deny all
>>>
>>> it still allows everything..
>>
>> Sigh. Sorry, I must be half asleep right now.
>>
>> Your rules say:
>>
>>    allow ...
>>    allow ...
>>    allow ...
>>
>> So why would anything be denied?
>>
> 
> last line says: deny all
> 
> and it works for http urls.. it denies the websites not listed in
> testurls for testsrv1.

Okay. Those *are* the decrypted messages.

What you just said there tells me that your ACLs are working correctly.
Picture me confused. :-O

> 
>>
>> Secondly, the log line you pointed out was for peek operation. URL (for
>> url_regex ACLs to match) is not known or available until bumping
>> (specifically the full "bump" action) has been completed.
>>
> but the "allow CONNECT" line, seems to make it skip the
> http_access deny all
> 
> at the bottom (and not parse the allows in between, which should be the
> ones allowing certain websites on https as well).
> 
> do I need to change:
> ssl_bump bump all
> 
> to list every https site
> acl ok-httpsurls url_regex ^https://www.google.dk/$
> ssl_bump bump ok-httpsurls
> ssl_bump reject !ok-httpsurls

Er, yes. The scheme is assumed to be https:// due to TLS existence; the
domain is given in SNI. But the URL path is still private/encrypted.

So the URL will never match any pattern with path component, and is
unlikely to even attempt matching in current Squid.

> 
> (so I can only use http_access for http intercept and must use ssl_bump
> for https urls) ?
> 

https:// URL requests will be passed by http_access like any other
traffic, but with the caveat that it happens only after the connection
has already been (or is being) decrypted. AKA *after* "ssl_bump bump ..."
has been matched.

Amos
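The two-stage evaluation Amos describes (CONNECT and ssl_bump first, with only the SNI host known; http_access on the decrypted request afterwards, with the full URL) is easier to see laid out as a squid.conf fragment. The fragment below is an added example and is not configuration posted in the thread. It assumes Squid 3.5 (the release with peek/bump and the at_step and ssl::server_name ACLs); the ACL names testsrv1, okweb-urls and bumpedPorts are taken from the thread, while the site list and the ok-https-sites name are made up for illustration.

```conf
# Added example, not from the thread. Assumes Squid 3.5 with SslBump
# peek/bump support. testsrv1 is a client ACL defined elsewhere (as in the
# thread); the domain and port values here are illustrative.

acl bumpedPorts port 443
acl step1 at_step SslBump1
# Decide which servers to decrypt by domain: at the bump stage only the
# SNI/CONNECT hostname is known, never the path.
acl ok-https-sites ssl::server_name .google.dk
# Full-URL rule: only usable once a request has been decrypted. The scheme
# of a bumped request is https://, so the pattern must allow for that.
acl okweb-urls url_regex ^https?://www\.google\.dk/$

# Stage 1: the CONNECT (or intercepted TLS ClientHello). The URL here is at
# most https://<host>/ with no path, so path patterns in url_regex cannot
# match. Let it through so ssl_bump gets to run at all.
http_access allow CONNECT bumpedPorts

# Stage 1, continued: peek at the ClientHello for SNI, then bump only the
# listed domains. Anything else is terminated (use "splice all" instead to
# pass it through undecrypted).
ssl_bump peek step1
ssl_bump bump ok-https-sites
ssl_bump terminate all

# Stage 2: each request inside a bumped connection comes back through
# http_access as a plain https:// URL with its full path, so the same
# allow/deny rules as for http:// traffic apply here.
http_access allow okweb-urls testsrv1
http_access deny all
```

The point of the layout is that "ssl_bump bump all" with nothing else is not what decides which HTTPS sites are reachable; the bumped requests are re-evaluated by http_access afterwards, and the url_regex deny only takes effect on that second pass. Domain-level restrictions that should apply before any decryption belong in the ssl_bump rules, using a server-name ACL rather than a URL pattern.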

