[squid-users] acl for redirect

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 26 05:29:56 UTC 2015


On 26/06/2015 2:36 a.m., Mike wrote:
> Amos, thanks for info.
> 
> The primary settings being used in squid.conf:
> 
> http_port 8080
> # this port is what will be used for SSL Proxy on client browser
> http_port 8081 intercept
> 
> https_port 8082 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
> 
> 
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
> sslcrtd_children 50 startup=5 idle=1
> ssl_bump server-first all
> ssl_bump none localhost
> 
> 
> Then e2guardian uses 10101 for the browsers, and uses 8080 for
> connecting to squid on the same server.

Doesn't matter. Due to TLS security requirements Squid ensures the TLS
connection is re-encrypted on outgoing.


I am doubtful the nord works anymore since Google's own documentation for
schools states that one must install a MITM proxy that does the traffic
filtering - e2guardian is not one of those. IMO you should convert your
e2guardian config into Squid ACL rules that can be applied to the bumped
traffic without forcing http://

But if nord does work, so should the deny_info in Squid. Something like
this probably:

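 acl google dstdomain .google.com
 deny_info 301:http://%H%R?nord=1 google

 # URLs that already carry a query string; "?" must be escaped in the regex
 acl GwithQuery urlpath_regex \?
 deny_info 301:http://%H%R&nord=1 GwithQuery

 # deny_info is selected by the last ACL named on the matching deny line
 http_access deny google GwithQuery
 http_access deny google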


Amos

