[squid-users] Squid 3.5.10 SSL Bump whitelist domains

luizcasey at gmail.com
Wed Oct 21 19:52:26 UTC 2015


I answered your questions below. However, HTTPS traffic is still always being denied even though the site is on the allowed_list via nobumpSites.
I want to control HTTP/HTTPS traffic using the “allowed_domains” list. This current configuration works for HTTP but not for HTTPS traffic.

If there is an easier way to do this I am open to suggestions. This configuration, minus the peek/splice part, works fine in 3.4.2. Not sure what changed in 3.5 that causes this to fail.


> Date: Thu, 22 Oct 2015 00:59:36 +0600
> From: Yuri Voinov <yvoinov at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue
> Message-ID: <5627E098.1000004 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> 
> First, you should put your configuration in order.
> 
> 22.10.15 0:31, luizcasey at gmail.com wrote:
>> Hello,
>> So what I am trying to accomplish here is to basically have a
>> whitelist of domains that is allowed via http/https. If the UID is
>> squid, apache, or root then basically you will bypass squid and anything
>> is allowed. This was working well on 3.4.2; however, once I moved to
>> 3.5.10 it no longer works properly. I also noticed that there are “new”
>> features peek, splice etc. which is probably my issue since I was not using
>> them. I have tried several combinations and have only gotten it to work for
>> http traffic. All https traffic is currently being blocked by the
>> configuration. Below are my configurations. I don’t need to "inspect"
>> any of the traffic, just want to have a whitelist of allowed domains if
>> you are not UID squid, apache, or root via http/https. Any help would be
>> appreciated!!
>> 
>> 
>> ##### Squid.conf
>> 
>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. Ever.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>> 
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
>> sslcrtd_children 50
>> 
>> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
>> # HTTPS forward port
>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> HTTPS forward port: is this an SSL Bumped port, or what? Where, in this
> case, is the ssl-bump directive? On the other hand, you don't need to use
> cert/key for tunneling connections. This has been enabled by default for a
> long, long time.
>> 
>> 
>> http_port 3401 transparent
> Here it must be "intercept" instead of "transparent".
>> 
>> 
>> always_direct allow all
> ^^^^^^^^^^^^^^It's too much.
>> 
>> cache deny all
> Are you really sure you want to completely disable all caching?
>> 
>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?
Removed
>> 
>> 
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.
Removed
>> 
>> 
>> acl http proto http
>> acl https proto https
> Why is it here?
To only allow the http and https protocols
>> 
>> 
>> acl port_80 port 80
>> acl port_443 port 443
> Why is it here?
To only allow ports 80 and 443
>> 
>> 
>> http_access allow http port_80 nobumpSites
>> http_access allow https port_443 nobumpSites
> Why is it here?
To only allow access to nobumpSites on ports 80 and 443
>> 
>> 
>> http_access deny all
>> 
>> ##### allowed_domains
>> .cnn.com
>> .google.com
>> .facebook.com
>> ...etc
> ACL order and, even more, access rule order is important, just as in firewalls.
> What do you mean by "allowed_domains" and why is it here?
>> 
>> 
>> #### squid log
>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>> TCP_MISS/200 593 GET http://www.cnn.com/
>> 
>> 
> 
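For reference, here is a Squid 3.5 squid.conf fragment of the shape this thread is working toward: peek at step 1 to learn the TLS SNI, splice only whitelisted server names, terminate everything else, and whitelist plain HTTP by dstdomain. It is an added example, not the poster's configuration or anything from the Squid project; it covers only the intercept ports, reuses the acl names from the thread (nobumpSites, allowed_domains), and assumes the whitelist file lives at /etc/squid/allowed_domains with one domain per line (e.g. ".cnn.com").

```conf
# Squid 3.5 fragment: whitelist domains over HTTP and HTTPS without bumping
# (no forged certificates). Added example, not the poster's config.
# Whitelist file path is an assumption; one domain per line, e.g. ".cnn.com".

# --- intercept ports ---
http_port  3401 intercept                  # "intercept", not the old "transparent"
https_port 4827 intercept ssl-bump \
    cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
# cert/key are still mandatory on an ssl-bump https_port so Squid can peek at
# the ClientHello; since nothing is bumped, no generated cert is ever sent.

# Do NOT carry over "sslproxy_cert_error allow all" or
# "sslproxy_flags DONT_VERIFY_PEER": a spliced tunnel is end-to-end, the client
# validates the server certificate itself, and Squid has nothing to override.

# --- ACLs ---
acl step1   at_step SslBump1
acl port_80  port 80
acl port_443 port 443
acl CONNECT method CONNECT                 # already in the default squid.conf; drop if duplicated
# The same file serves both: dstdomain for plain HTTP request URLs,
# ssl::server_name for the SNI learned from the peeked ClientHello.
acl allowed_domains dstdomain        "/etc/squid/allowed_domains"
acl nobumpSites     ssl::server_name "/etc/squid/allowed_domains"

# --- ssl_bump decisions, evaluated per step ---
ssl_bump peek      step1                   # step 1: read ClientHello, learn SNI
ssl_bump splice    nobumpSites             # step 2: whitelisted SNI -> pass through untouched
ssl_bump terminate all                     # anything else: close the connection

# --- http_access (order matters) ---
# At step 1 the intercepted fake CONNECT carries only the destination IP, so a
# dstdomain whitelist cannot match it yet. Let CONNECTs to port 443 through here
# and let the ssl_bump rules above enforce the whitelist on the SNI.
http_access allow CONNECT port_443
http_access allow port_80 allowed_domains
http_access deny all
```

Check with `squid -k parse` before reloading; a denied HTTPS site should then show up in access.log as a terminated CONNECT rather than as a 403 on a bumped request like the HEAD https://www.facebook.com/ line above.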