[squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

Yuri Voinov yvoinov at gmail.com
Wed Oct 21 18:59:36 UTC 2015

First, you should put your configuration in order.

22.10.15 0:31, luizcasey at gmail.com writes:
> Hello,
> So what I am trying to accomplish here is to basically have a
> whitelist of domains that is allowed via http/https. If the UID is
> squid, apache, or root then basically you will bypass squid and anything
> is allowed. This was working well on 3.4.2, however once I moved to
> 3.5.10 it no longer works properly. I also noticed that there are "new"
> features peek, splice etc. which is probably my issue since I was not using
> them. I have tried several combinations and have only gotten it to work for
> http traffic. All https traffic is currently being blocked by the
> configuration. Below are my configurations. I don't need to "inspect"
> any of the traffic, just want to have a whitelist of allowed domains if
> you are not UID squid, apache, or root via http/https. Any help would be
> appreciated!!
>
>
> ##### Squid.conf
>
> sslproxy_cert_error allow all
This setting is DANGEROUS. Don't use it in production, at all.
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt
> key=/etc/squid/certs/squid.key
> # HTTPS forward port
> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt
> key=/etc/squid/certs/squid.key
HTTPS forward port: is this an SSL-bumped port, or what? Where, in this
case, is the ssl-bump directive? On the other hand, you don't need to use
cert/key for tunneling connections. This has been enabled by default for a
long, long time.
>
>
> http_port 3401 transparent
Here must be "intercept" instead of "transparent".
>
>
> always_direct allow all
^^^^^^^^^^^^^^It's too much.
>
> cache deny all
Are you really sure you want to completely disable all caching?
>
> cache_dir ufs /home/squid/cache 100 16 256
Why, in this case, do you define an on-disk cache?
>
>
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
This is completely unnecessary. You don't use it below.
>
>
> acl http proto http
> acl https proto https
Why is it here?
>
>
> acl port_80 port 80
> acl port_443 port 443
Why is it here?
>
>
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites
Why is it here?
>
>
> http_access deny all
>
> ##### allowed_domains
> .cnn.com
> .google.com
> .facebook.com
> ...etc
ACL order and, even more, access-rule order are important, just as in
firewalls. What do you mean by "allowed_domains", and why is it here?
>
>
> #### squid log
> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> TCP_MISS/200 593 GET http://www.cnn.com/
>

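Putting the comments above together, here is an added example (written for this page, not taken from the thread or from the Squid project) of a squid.conf that does what the poster asked for: a domain whitelist for both plain HTTP and HTTPS, no inspection of the TLS traffic, and the dangerous settings removed. The port numbers and certificate paths follow the poster's layout; the port name `tls_intercept`, the list file `/etc/squid/allowed_domains` (one domain per line, the poster's format, where a leading dot matches the domain and its subdomains) and the ACL names are assumptions.

```conf
# Whitelist-only proxy with TLS pass-through (peek, then splice or terminate).
# Added example, not the poster's or the Squid project's configuration.
# Assumed: /etc/squid/allowed_domains holds one domain per line (".cnn.com").

# --- Ports --------------------------------------------------------------
# "transparent" is the deprecated spelling of "intercept".
http_port 3401 intercept
# Intercepted HTTPS. ssl-bump is what enables the ssl_bump rules below; the
# port still needs a certificate even though nothing here ever bumps, and
# name= lets http_access tell these connections apart (myportname ACL).
https_port 4827 intercept ssl-bump name=tls_intercept cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
# Forward proxy for explicitly configured clients. A plain http_port is all
# that CONNECT tunnelling needs; no cert/key, no https_port.
http_port 127.0.0.1:6887

# --- Upstream certificate validation: keep the defaults ------------------
# Do NOT use either of these; together they accept any upstream certificate:
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error deny all

# --- ACLs: one list file feeds both the HTTP and the TLS check -------------
acl allowed_http dstdomain "/etc/squid/allowed_domains"
acl allowed_tls  ssl::server_name "/etc/squid/allowed_domains"
acl SSL_ports    port 443
acl tls_intercept myportname tls_intercept
acl step1        at_step SslBump1

# --- http_access: first match wins, so order is everything -----------------
# Intercepted TLS connections reach http_access as fake CONNECT requests, and
# the first one arrives before the SNI is known. Let those through on the
# intercept port only; the whitelist for them is enforced by ssl_bump below.
http_access allow CONNECT tls_intercept SSL_ports
# Plain HTTP (Host header) and explicit CONNECT (host in the request line)
# are checked against the domain list directly.
http_access allow allowed_http
http_access deny all

# --- ssl_bump: read the SNI, splice whitelisted hosts, cut everything else --
ssl_bump peek step1          # step 1: parse the ClientHello to learn the SNI
ssl_bump splice allowed_tls  # step 2: tunnel the TLS bytes untouched
ssl_bump terminate all       # step 2: close every other connection

# No always_direct: it only matters with cache_peer, and there is none here.
# The ssl_crtd helper only matters for bumped connections, so it is left out.
```

The per-UID bypass the poster wants is not a squid.conf matter: an intercepting proxy only sees what the firewall redirects to ports 3401 and 4827, so connections from the squid, apache and root users are excluded in the redirect rules (the owner match of iptables) and never reach Squid at all. The ssl_bump rules are evaluated on every intercepted TLS connection in order, so `terminate all` must stay last, and the `splice` line must come after `peek`, because `allowed_tls` has nothing to match until the ClientHello has been read.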
