[squid-users] 3.5.8 intercept Whitelist http&https

Бараблин Дмитрий d.barablin at nnov.volga.rt.ru
Fri Oct 16 10:57:42 UTC 2015


Thank you for answer!

What do I have to add to the config to filter (by whitelist) HTTP sites in
intercept mode?

On 15.10.2015 09:25, Бараблин Дмитрий wrote:
> Hello all!
>
> I'm trying to configure squid 3.5.8 as intercept with whitelist ACLs on
> HTTP and HTTPS.
>
> This is my config:
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl whitelist dstdom_regex -i "/etc/squid/whitelist"
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> dns_nameservers 8.8.8.8
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
> http_port 10.0.0.185:3128 intercept
> http_port 10.0.0.185:3130
> https_port 10.0.0.185:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist_ssl
> ssl_bump peek whitelist_ssl
> ssl_bump terminate all
>
>
> This config works nicely with HTTPS sites, but HTTP is not filtered. When I
> added "http_access allow localnet whitelist", it stopped all sites.
>
> whitelist & whitelist_ssl: both files have the same contents, i.e.
>
> \.google-analytics\.com
> \.googleapis\.com
> \.google\.com
> \.googleusercontent\.com
> \.gstatic\.com
>
> Please tell me what I'm doing wrong!
>


-- 
Best regards,
Бараблин Дмитрий Владимирович

Lead software engineer | Information Systems Technical Support Department | IT Department | Nizhny Novgorod branch | MRF "Volga" | PJSC "Rostelecom"

Mobile: + 7 (951) 913-9310
Tel.:   + 7 (831) 434-4361
E-mail: d.barablin at nnov.volga.rt.ru
http://www.rt.ru
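The following is an added, editorial example of a whitelist-only squid.conf for 3.5 intercept mode; it is not the poster's config and not an answer from the list. It keeps the addresses, ports and file paths of the original post and makes two points: http_access is evaluated top to bottom with first match winning, so a bare "http_access allow localnet" placed before any whitelist rule admits every HTTP request from the LAN before the whitelist is consulted; and an unanchored dstdom_regex such as "\.google\.com" also matches "www.google.com.attacker.example", so whitelist regexes should be anchored. The "http_access allow localnet CONNECT step1" line is an assumption about how Squid 3.5 applies http_access to the fake CONNECT it generates for intercepted TLS before the SNI is known; verify it against access.log on your own build.

```squid
# Added example (not the original poster's config). Same network, ports and
# file paths as in the thread; everything else is the editor's assumption.

acl localnet  src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# /etc/squid/whitelist and /etc/squid/whitelist_ssl hold one regex per line.
# Anchor them; without "$" a host such as www.google.com.attacker.example
# would also match "\.google\.com". Example contents:
#   (^|\.)google\.com$
#   (^|\.)googleapis\.com$
#   (^|\.)gstatic\.com$
acl whitelist     dstdom_regex           -i "/etc/squid/whitelist"
acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"

dns_nameservers 8.8.8.8

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# First match wins. "http_access allow localnet" on its own here would allow
# all HTTP from the LAN and the whitelist below would never be reached.

# Assumption: intercepted TLS is seen first as a fake CONNECT to an IP
# address, before the SNI is available, so let it through to the peek step.
http_access allow localnet CONNECT step1

# Plain HTTP: the Host header is matched against the anchored whitelist.
http_access allow localnet whitelist
http_access allow localhost
http_access deny all

http_port  10.0.0.185:3128 intercept
http_port  10.0.0.185:3130
https_port 10.0.0.185:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem

always_direct allow all

# HTTPS: read the ClientHello, splice whitelisted SNI, drop everything else.
# No bump action is used, so no certificate is ever forged for the client.
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump terminate all
```

The original's "sslproxy_cert_error allow all" and "sslproxy_flags DONT_VERIFY_PEER" are left out: they disable server certificate validation, and a policy that only splices or terminates has no reason to relax it. A client that sends no SNI matches neither whitelist entry and is terminated, which is the intended fail-closed behaviour for a whitelist.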


