[squid-users] Squid 3.5.10 SSL Bump whitelist domains

luizcasey at gmail.com
Wed Oct 21 20:29:05 UTC 2015


Could you suggest a configuration that you think should be working? I would like both HTTP and HTTPS domains whitelisted via a file, with all other domains blocked. What am I missing? My assumption here is that the acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" part is not working for HTTPS but does work for HTTP.

#### LOG
21/Oct/2015:16:24:45 -0400.062     28 X.X.X.X TCP_MISS/200 907 HEAD http://www.cnn.com/ - ORIGINAL_DST/23.235.39.73 text/html
21/Oct/2015:16:25:12 -0400.515      0 X.X.X.X TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html

#### /etc/squid/git_allowed_domains/allowed_domains
.facebook.com
.cnn.com

#### squid.conf
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

cache deny all

acl step1 at_step SslBump1
acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
# I even tried the following, just for an https test, and it still failed
# acl nobumpSites ssl::server_name  .facebook.com
# 21/Oct/2015:16:27:45 -0400.733      0 10.159.3.194 TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html

ssl_bump peek step1 all
ssl_bump splice nobumpSites
ssl_bump bump

acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443

http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites

http_access deny all
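An added example, not from this thread and not part of the poster's configuration, showing the rule order to try if the cause is the one the log line points at. TAG_NONE/403 with HIER_NONE means Squid generated the 403 itself without ever contacting the origin, i.e. an http_access deny. In intercept mode the SNI is only obtained by the peek at SslBump1, so at step 1 the ssl::server_name whitelist cannot match the CONNECT request Squid generates for the intercepted connection, and with nothing else allowing it, http_access deny all rejects the tunnel before step 2 can ever see www.facebook.com. The step1 allow rule and the use of port ACLs instead of proto ACLs are my assumptions; the paths, ports and ACL names are the ones from the post:

```conf
# Assumed fix (example, not the poster's config and not Squid documentation):
# let the step-1 CONNECT through so the peek can read the ClientHello, then
# apply the domain whitelist once the SNI is known.

acl step1 at_step SslBump1
acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
acl port_80 port 80
acl port_443 port 443

# at_step only matches while an SslBump decision is in progress, so this
# rule does not open plain-HTTP traffic on the port-3401 intercept.
http_access allow port_443 step1

# From step 2 onward ssl::server_name carries the SNI; plain HTTP matches
# on the Host header. Everything else is refused.
http_access allow port_80 nobumpSites
http_access allow port_443 nobumpSites
http_access deny all

ssl_bump peek step1 all
ssl_bump splice nobumpSites
# Non-whitelisted HTTPS: either bump (the client gets Squid's 403 page,
# presented under the generated certificate, as in the original config)
# or terminate, which closes the TLS session without Squid impersonating
# the origin at all. Use one of the two.
ssl_bump bump all
# ssl_bump terminate all
```

The port ACLs are used rather than the proto http/https ACLs because the example does not rely on the generated CONNECT request carrying an https URL scheme. A quick check after the change is to repeat the HEAD against a whitelisted and a non-whitelisted HTTPS site: the whitelisted one should log as a spliced CONNECT to the origin instead of TAG_NONE/403 HIER_NONE.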
