[squid-users] Squid 3.5.10 SSL Bump whitelist domains
Yuri Voinov
yvoinov at gmail.com
Wed Oct 21 20:00:51 UTC 2015
Show us access.log/cache.log for denied HTTPS sites.
All other config quirks will remain your responsibility - Amos will
come and explain when I/you are wrong. ;)
22.10.15 1:52, luizcasey at gmail.com writes:
> I answered your questions below. However https traffic is still always being denied even though
> the site is on the allowed_list via nobumpSites.
> I want to control http/https traffic using the "allowed_domains" list.
> This current configuration works for HTTP but not HTTPS traffic.
>
> If there is an easier way to do this I am open to suggestions. This
> configuration minus the peek/splice part works fine in 3.4.2. Not sure
> what changed in 3.5 that causes this to fail.
>
>
>> Date: Thu, 22 Oct 2015 00:59:36 +0600
>> From: Yuri Voinov <yvoinov at gmail.com>
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains
>> issue
>> Message-ID: <5627E098.1000004 at gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>>
> First, you should put your configuration in order.
>
> 22.10.15 0:31, luizcasey at gmail.com writes:
> >>> Hello,
> >>> So what I am trying to accomplish here is to basically have a
> >>> whitelist of domains that is allowed via http/https. If the UID is
> >>> squid, apache, or root then basically you will bypass squid and anything
> >>> is allowed. This was working well on 3.4.2, however once I moved to
> >>> 3.5.10 it no longer works properly. I also noticed that there are "new"
> >>> features peek, splice, etc. which is probably my issue since I was not using
> >>> them. I have tried several combinations and have only gotten it to work for
> >>> http traffic. All https traffic is currently being blocked by the
> >>> configuration. Below are my configurations. I don't need to "inspect"
> >>> any of the traffic, I just want to have a whitelist of allowed domains if
> >>> you are not UID squid, apache, or root via http/https. Any help would be
> >>> appreciated!!
> >>>
> >>>
> >>> ##### Squid.conf
> >>>
> >>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. Completely.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >>>
> >>> sslproxy_flags DONT_VERIFY_PEER
> >>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> >>> sslcrtd_children 50
> >>>
> >>> https_port 4827 intercept ssl-bump generate-host-certificates=on
> >>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt
> >>> key=/etc/squid/certs/squid.key
> >>> # HTTPS forward port
> >>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt
> >>> key=/etc/squid/certs/squid.key
> HTTPS forward port: is this the SSL-bumped port, or what? Where, in this
> case, is the ssl-bump directive? On the other hand, you don't need to use cert/key
> for tunneling connections. This has been enabled by default for a long, long time.
> >>>
> >>>
> >>> http_port 3401 transparent
> Here it must be "intercept" instead of transparent.
> >>>
> >>>
> >>> always_direct allow all
> ^^^^^^^^^^^^^^It's too much.
> >>>
> >>> cache deny all
> Are you really sure you want to completely disable all caching?
> >>>
> >>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?
> > Removed
> >>>
> >>>
> >>> acl step2 at_step SslBump2
> >>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.
> > Removed
> >>>
> >>>
> >>> acl http proto http
> >>> acl https proto https
> Why is it here?
> > To only allow http and https proto
> >>>
> >>>
> >>> acl port_80 port 80
> >>> acl port_443 port 443
> Why is it here?
> > To only allow port 80 and 443
> >>>
> >>>
> >>> http_access allow http port_80 nobumpSites
> >>> http_access allow https port_443 nobumpSites
> Why is it here?
> > To only allow access to nobumpSites on port 80 and 443
> >>>
> >>>
> >>> http_access deny all
> >>>
> >>> ##### allowed_domains
> >>> .cnn.com
> >>> .google.com
> >>> .facebook.com
> >>> ....etc
> ACL order and, even more, access rule order is important, just as in firewalls.
> What do you mean by "allowed_domains" and why is it here?
> >>>
> >>>
> >>> #### squid log
> >>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> >>> TCP_MISS/200 593 GET http://www.cnn.com/
> >>>
> >>>
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users at lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users
>
>
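As an added example, not taken from Yuri's reply or from luizcasey's posted squid.conf, here is one way a domain whitelist over both plain HTTP and intercepted HTTPS can be laid out in Squid 3.5 with peek and splice. It keeps the ports, certificate paths and ssl_crtd settings quoted in the thread; the list file path /etc/squid/allowed_domains, the ACL names allowed_domains and allowed_sni, and the localnet client range are assumptions. The point it illustrates: for an intercepted TLS connection, the fake CONNECT request that Squid evaluates carries only the server IP until the ClientHello has been peeked at step 1, so a dstdomain-only list cannot match it; the HTTPS side of the whitelist is therefore matched against the SNI with ssl::server_name in the ssl_bump rules, and since nothing is ever bumped, sslproxy_cert_error and DONT_VERIFY_PEER have no place in the configuration at all.

```squid
# Added example (not the thread's own configuration): domain whitelist over
# plain HTTP and intercepted HTTPS with Squid 3.5 peek-and-splice.
# Assumptions: the client range in "localnet", the list file
# /etc/squid/allowed_domains (one entry per line, e.g. ".cnn.com"), and the
# ACL names allowed_domains / allowed_sni. Ports, cert/key and ssl_crtd
# settings are the ones quoted in the thread.

acl localnet src 10.0.0.0/8            # assumed client range

# Intercept ports: "intercept", not the deprecated "transparent" flag.
http_port 3401 intercept
https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key

# Only relevant if something were bumped; harmless with splice/terminate only.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

# The same list, matched two ways. For an intercepted TLS connection the
# fake CONNECT that Squid evaluates carries only the server IP, so a
# dstdomain ACL cannot match the list until the ClientHello (and its SNI)
# has been peeked; ssl::server_name matches the SNI once it is known.
acl allowed_domains dstdomain "/etc/squid/allowed_domains"
acl allowed_sni ssl::server_name "/etc/squid/allowed_domains"
acl step1 at_step SslBump1
acl CONNECT method CONNECT
acl SSL_ports port 443

# Plain HTTP: decided by http_access on the real request.
http_access allow localnet allowed_domains
# Intercepted HTTPS: let the fake CONNECT through http_access so that the
# TLS handshake can be peeked; the whitelist decision is made in ssl_bump.
http_access allow localnet CONNECT SSL_ports
http_access deny all

# Peek at the ClientHello, splice (tunnel unmodified) only whitelisted
# servers, and close everything else. Nothing is ever bumped, so
# sslproxy_cert_error / sslproxy_flags DONT_VERIFY_PEER are not needed.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

Rule order matters in both lists, as Yuri notes: the `http_access deny all` and `ssl_bump terminate all` lines must come last, and a spliced connection is never inspected afterwards, so the whitelist file is the only thing that decides which HTTPS servers clients can reach.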