[squid-users] Conditional question
James Lay
jlay at slave-tothe-box.net
Sat May 30 22:24:00 UTC 2015
On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote:
> On 31/05/2015 4:48 a.m., James Lay wrote:
> > Per the docs:
> >
> > # Conditional configuration
> > #
> > # If-statements can be used to make configuration directives
> > # depend on conditions:
> > #
> > # if <CONDITION>
> > # ... regular configuration directives ...
> > # [else
> > # ... regular configuration directives ...]
> > # endif
> > #
> > # The else part is optional. The keywords "if", "else", and "endif"
> > # must be typed on their own lines, as if they were regular
> > # configuration directives.
> > #
> > # NOTE: An else-if condition is not supported.
> > #
> > # These individual conditions types are supported:
> > #
> > # true
> > # Always evaluates to true.
> > # false
> > # Always evaluates to false.
> > # <integer> = <integer>
> > # Equality comparison of two integer numbers.
> >
> > Anyone have any examples, documentation, heck ANYTHING that can show how
> > this works? I can't seem to find a thing besides the above.
>
> Those are for process controls (SMP, named services, etc).
>
> > My goal is
> > something like the below:
> >
> > if port = 80
> > http_access deny all
> > else
> > http_access allow all
> > endif
> >
> > But nothing I'm trying as the condition expression is working. Thank
> > you.
>
> The default Squid configuration should "just work"...
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> ...
> # this one permits the CONNECT *:443 requests to get bumped
> http_access allow localnet
> ..
> http_access deny all
>
> If you are using any other access controls on your client traffic you
> need to keep in mind that Squid is dealing with "CONNECT raw-IP:443 ..."
> requests in http_access / adapted_http_access / url_rewrite_access /
> adaptation_access / ssl_bump prior to bumping them.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Hi again Amos,
So...my method of access control might be weird. I have a regex list of
sites that work fine via http (say \.acer\.com). So, I allow access to
this list via:
# The closing quote was missing in the original line; Squid expects the file path to be quoted on both ends
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access allow allowed_http_sites
http_access deny !allowed_http_sites
This works well for allowing access to the list of sites....the lack of
http_access allow localnet makes this happen. With the above however,
ssl_bumping stops working as I get:
[16:18:22 jlay at powerbook:~/test$ wget
--ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d
https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-05-30 16:19:46-- https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
connected.
Created socket 4.
Releasing 0x10c3ef98 (new refcount 1).
The certificate's owner does not match hostname ‘www.msn.com’
May 30 16:19:46 analysis squid: 192.168.1.73 - - [30/May/2015:16:19:46
-0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0
TCP_DENIED:HIER_NONE peek
Adding http_access allow localnet makes ssl_bumping work correctly, but
then the http_access deny !allowed_http_sites does not work. I'm having
a hard time getting both http and https filtering to play well together
with one instance of squid. I'd like to try and just go with one, but
if I have to I'll go with two. Anyway thanks again for looking...I hope
I'm explaining this well.
James
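One way to reconcile the two rule sets, as an added example that is neither James's nor Amos's configuration: it lets only the pre-bump CONNECT tunnels through for the LAN and leaves the url_regex list as the sole allow rule for everything else, relying on Squid re-evaluating http_access against each decrypted request after bumping. It assumes the stock CONNECT and SSL_ports acls, a 192.168.1.0/24 LAN (guessed from the 192.168.1.73 client in the log), and the poster's existing ssl_bump rules, which are not shown.

```conf
# --- Weak form (what the thread describes) ---
# Without "allow localnet", the raw "CONNECT 204.79.197.203:443" that Squid
# evaluates before bumping never matches a hostname regex, so the final deny
# fires and the tunnel is logged as TCP_DENIED:HIER_NONE. With a blanket
# "allow localnet" placed first, every request from the LAN is allowed and
# the url_regex deny rule below it is never reached.
#
#   http_access allow localnet                 # too broad: allows all LAN traffic
#   http_access allow allowed_http_sites
#   http_access deny !allowed_http_sites

# --- Corrected form (assumed fix, not from the original thread) ---
acl localnet src 192.168.1.0/24               # assumption: LAN range from the log
acl SSL_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

# 1. Permit only the CONNECT-to-443 step from the LAN so the tunnel can be
#    peeked/bumped. Nothing else is opened by this line.
http_access allow localnet CONNECT SSL_ports

# 2. After bumping, Squid re-checks the decrypted request (e.g.
#    "GET https://www.msn.com/") against http_access, so the same regex
#    list now filters both plain-HTTP and bumped-HTTPS URLs.
http_access allow allowed_http_sites

# 3. Everything that did not match the list, plain or decrypted, is denied.
http_access deny all
```

Note that the url_regex patterns must match the https:// URLs seen after bumping as well as the http:// ones; a host-only pattern such as \.acer\.com already does, while a pattern anchored on "http://" would not.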