[squid-users] 3.5.8 intercept Whitelist http&https
squid3 at treenet.co.nz
Thu Oct 15 09:24:24 UTC 2015
On 15/10/2015 7:25 p.m., Бараблин Дмитрий wrote:
> Hello all!
> im trying to configure squid 3.5.8 as intercept with Whitelist ACLs on
> HTTP and HTTPS.
> what my config:
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl whitelist dstdom_regex -i "/etc/squid/whitelist"
> acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
> http_port 10.0.0.185:3128 intercept
> http_port 10.0.0.185:3130
> https_port 10.0.0.185:3129 intercept ssl-bump
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
> always_direct allow all
You can remove the always_direct line. It was a temporary hack for bugs
in squid-3.1. It does nothing useful in your config.
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> cl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist_ssl
> ssl_bump peek whitelist_ssl
> ssl_bump terminate all
Configuring peeking to happen *after* splicing does not make any sense.
The "peek whitelist_ssl" will never happen.
> this config nice work with HTTPS sites, but not filtered http.
"fitered http"? you don't have anything configured that could even
remotely be called that.
> When im
> added "http_access allow localnet whitelist", which stop at all sites.
> whitelist&whitelist_ssl - both file have some contents aka
> please tell me what I'm doing wrong!
At a guess I believe you are expecting ssl-bump operations to happen on
the port 3128 or 3130 traffics CONNECT requests. But you have not
configured it to be done on those ports.
More information about the squid-users