[squid-users] 3.5.8 intercept Whitelist http&https

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 15 09:24:24 UTC 2015

On 15/10/2015 7:25 p.m., Бараблин Дмитрий wrote:
> Hello all!
> im trying to configure squid 3.5.8 as intercept with Whitelist ACLs on
> what my config:
> acl localnet src     # RFC1918 possible internal network
> acl whitelist dstdom_regex -i "/etc/squid/whitelist"
> acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
> http_port intercept
> http_port
> https_port intercept ssl-bump
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
> cert=/etc/squid/squidCA.pem
> always_direct allow all

You can remove the always_direct line. It was a temporary hack for bugs
in squid-3.1. It does nothing useful in your config.

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> cl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist_ssl
> ssl_bump peek whitelist_ssl
> ssl_bump terminate all

Configuring peeking to happen *after* splicing does not make any sense.
The "peek whitelist_ssl" will never happen.

> this config nice work with HTTPS sites, but not filtered http.

"fitered http"? you don't have anything configured that could even
remotely be called that.

> When im
> added "http_access allow localnet whitelist", which stop at all sites.
> whitelist&whitelist_ssl - both file have some contents aka
> \.google-analytics\.com
> \.googleapis\.com
> \.google\.com
> \.googleusercontent\.com
> \.gstatic\.com
> please tell me what I'm doing wrong!

At a guess I believe you are expecting ssl-bump operations to happen on
the port 3128 or 3130 traffics CONNECT requests. But you have not
configured it to be done on those ports.


More information about the squid-users mailing list