[squid-users] Conditional question

James Lay jlay at slave-tothe-box.net
Sat May 30 22:39:47 UTC 2015


On Sat, 2015-05-30 at 16:24 -0600, James Lay wrote:

> On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote: 
> 
> > On 31/05/2015 4:48 a.m., James Lay wrote:
> > > Per the docs:
> > > 
> > > #  Conditional configuration
> > > #
> > > #       If-statements can be used to make configuration directives
> > > #       depend on conditions:
> > > #
> > > #           if <CONDITION>
> > > #               ... regular configuration directives ...
> > > #           [else
> > > #               ... regular configuration directives ...]
> > > #           endif
> > > #
> > > #       The else part is optional. The keywords "if", "else", and "endif"
> > > #       must be typed on their own lines, as if they were regular
> > > #       configuration directives.
> > > #
> > > #       NOTE: An else-if condition is not supported.
> > > #
> > > #       These individual conditions types are supported:
> > > #
> > > #           true
> > > #               Always evaluates to true.
> > > #           false
> > > #               Always evaluates to false.
> > > #           <integer> = <integer>
> > > #               Equality comparison of two integer numbers.
> > > 
> > > Anyone have any examples, documentation, heck ANYTHING that can show how
> > > this works?  I can't seem to find a thing besides the above.
> > 
> > Those are for process controls (SMP, named services, etc).
> > 
> > >  My goal is
> > > something like the below:
> > > 
> > > if port = 80
> > >     http_access deny all
> > > else
> > >     http_access allow all
> > > endif
> > > 
> > > But nothing I'm trying as the condition expression is working.  Thank
> > > you.
> > 
> > The default Squid configuration should "just work"...
> > 
> >   http_access deny !Safe_ports
> >   http_access deny CONNECT !SSL_Ports
> >   ...
> >   # this one permits the CONNECT *:443 requests to get bumped
> >   http_access allow localnet
> >   ..
> >   http_access deny all
> > 
> > If you are using any other access controls on your client traffic you
> > need to keep in mind that Squid is dealing with "CONNECT raw-IP:443 ..."
> > requests in http_access / adapted_http_access / url_rewrite_access /
> > adaptation_access / ssl_bump prior to bumping them.
> > 
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> Hi again Amos,
> 
> So...my method of access control might be weird.  I have a regex list
> of sites that work fine via http (say \.acer\.com).  So, I allow
> access to this list via:
> 
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> http_access allow allowed_http_sites
> http_access deny !allowed_http_sites
> 
> This works well for allowing access to the list of sites....the lack
> of http_access allow localnet makes this happen.  With the above
> however, ssl_bumping stops working as I get:
> 
> [16:18:22 jlay at powerbook:~/test$ wget
> --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d
> https://www.msn.com
> DEBUG output created by Wget 1.16 on linux-gnu.
> 
> URI encoding = ‘UTF-8’
> --2015-05-30 16:19:46--  https://www.msn.com/
> Certificates loaded: 173
> Resolving www.msn.com (www.msn.com)... 204.79.197.203
> Caching www.msn.com => 204.79.197.203
> Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
> connected.
> Created socket 4.
> Releasing 0x10c3ef98 (new refcount 1).
> The certificate's owner does not match hostname ‘www.msn.com’
> 
> May 30 16:19:46 analysis squid: 192.168.1.73 - - [30/May/2015:16:19:46
> -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0
> TCP_DENIED:HIER_NONE peek
> 
> Adding http_access allow localnet makes ssl_bumping work correctly,
> but then the http_access deny !allowed_http_sites does not work.  I'm
> having a hard time getting both http and https filtering to play well
> together with one instance of squid.  I'd like to try and just go with
> one, but if I have to I'll go with two.  Anyway thanks again for
> looking...I hope I'm explaining this well.
> 
> James
> 
> 


Ok I think I got it...added:

acl allow_https port 443
...
http_access allow allow_https

Now my clients are allowed full port 443 access, which gets a decision
of allow or block later on, and this also allows my "usual" http access
list....woo hoo!  I'll post the full info later.  Thanks so much.

James
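To see why the first configuration denied the bumped CONNECT while the port-443 rule fixes it, here is an added model of Squid's first-match http_access evaluation (constructed for this thread, not Squid's own code). It assumes the `allow allow_https` line sits before the url_regex rules, that a CONNECT request's URL is `host:port`, and that the regex list contains only `\.acer\.com`; note that once port 443 is allowed at this stage, HTTPS filtering depends entirely on the rules applied to the bumped requests later.

```python
import re


class Request:
    """A request as http_access sees it. For CONNECT, url is 'host:port'."""

    def __init__(self, method, url):
        self.method = method
        self.url = url


def acl_url_regex(patterns):
    # url_regex matches anywhere in the URL, so a CONNECT to a raw IP
    # (e.g. "204.79.197.203:443") never matches a hostname pattern.
    compiled = [re.compile(p) for p in patterns]
    return lambda req: any(c.search(req.url) for c in compiled)


def acl_port(port):
    # 'port' ACL: destination port of the request (CONNECT host:port,
    # or the URL's explicit port, defaulting to 80 for http://).
    def match(req):
        if req.method == "CONNECT":
            return req.url.rpartition(":")[2] == str(port)
        m = re.match(r"https?://[^/:]+(?::(\d+))?", req.url)
        if m is None:
            return False
        return (int(m.group(1)) if m.group(1) else 80) == port
    return match


def http_access(rules, req):
    """rules: (action, acl, negated) in file order; first match wins.
    If nothing matches, Squid applies the opposite of the last rule."""
    for action, acl, negated in rules:
        if acl(req) != negated:
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


# Constructed ACLs mirroring the thread.
allowed_http_sites = acl_url_regex([r"\.acer\.com"])
allow_https = acl_port(443)

original = [("allow", allowed_http_sites, False),
            ("deny", allowed_http_sites, True)]      # deny !allowed_http_sites
fixed = [("allow", allow_https, False)] + original

# Constructed requests: the logged CONNECT, a listed site, an unlisted site.
bumped_connect = Request("CONNECT", "204.79.197.203:443")
listed_site = Request("GET", "http://www.acer.com/")
unlisted_site = Request("GET", "http://example.test/")
```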