[squid-users] Filtering HTTPS URLs

Panda Admin pandanonomous at gmail.com
Thu Feb 11 13:46:16 UTC 2016


Try adding
acl step1 at_step SslBump1
ssl_bump peek step1 bump_sites

This worked for me.  Just a suggestion :)


On Thu, Feb 11, 2016 at 3:59 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 11/02/2016 1:05 p.m., Victor Hugo wrote:
> > Hi,
> >
> > I was wondering if it is possible to filter HTTPS URLs using squid (for
> > example to blacklist reddit.com but allow https://www.reddit.com/r/news/
> )?
> >
> > I thought this may be possible using ssl_bump and url_regex. I have been
> > trying this using squid 3.5.13 but with no success.
> >
> > Here is the squid configuration that I have tried but doesn't seem to
> work
> > (it works for http sites though):
> >
>
> <snip>
> >
> > acl whitelist-regex url_regex -i reddit.com/r/news
> > http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > acl bump_sites ssl::server_name .reddit.com
> > ssl_bump bump bump_sites
> > ssl_bump splice !bump_sites
> > http_access allow whitelist-regex
> > http_access allow localhost
> > http_access deny all
>
> > Relevant access.log output (IP addresses redacted to x.x.x.x):
> > 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
>
> So this is the bump happening, as you wanted.
>
> > 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
>
> And something else has 403 (Forbidden) the request. Your ACL and
> http_access config looks fine. So I don't think it's that.
>
>
> The first oddity is that your ssl_bump rules are doing bump without
> having fetched the clientHello details yet. So this is a "client-first"
> bumping situation in which Squid first negotiates TLS / HTTPS with the
> client, then completely separately negotiates TLS/HTTPS with the server.
>  - any errors in the server TLS might result in something like this 403
> (though it should be a 5xx status, it may not always be).
>  - the sslproxy_* settings are entirely what controls the server
> connection TLS.
>
>
> Second oddity is that it's saying DENIED/200. 200 is 'allowed' in CONNECT
> actions. This could be a logging bug, or a sign of something going wrong
> in the bumping stage that alters the CONNECT logging as well.
>
>
> Are you able to experiment with using the Squid-4.0.5 release? There are
> some bumping bug fixes that are only in that release series.
>
> Amos
>
>
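To show how the staged ssl_bump approach suggested at the top of this thread fits together with Victor's original ACLs, here is a constructed squid.conf fragment (an added example, not anyone's posted configuration). It assumes Squid 3.5 with SslBump support and a CA certificate at the placeholder path /path/to/myCA.pem. The point it illustrates: at step 1 Squid has only the CONNECT request, whose URL is of the form host:port, so a url_regex written for a path such as /r/news cannot match at that stage; the CONNECT to the bumped site therefore needs its own http_access allow, and the path-based whitelist is evaluated afterwards against the decrypted GET requests.

```conf
# Constructed example (not from the original thread). Placeholder CA path.
http_port 3129 ssl-bump cert=/path/to/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# SslBump proceeds in steps; at step 1 only the CONNECT request is known.
acl step1 at_step SslBump1

# Sites whose TLS we intend to decrypt, matched on the TLS server name (SNI).
acl bump_sites ssl::server_name .reddit.com

# Path-based whitelist; only meaningful for the decrypted requests inside the tunnel.
acl whitelist-regex url_regex -i ^https://www\.reddit\.com/r/news

acl CONNECT method CONNECT

# Step 1: peek at the ClientHello so the server name is known before deciding.
ssl_bump peek step1
# Later steps: decrypt the selected sites, pass everything else through untouched.
ssl_bump bump bump_sites
ssl_bump splice all

# The CONNECT tunnel to a bumped site must be allowed; its URL is host:443, not a path.
http_access allow CONNECT bump_sites
# Decrypted requests are then filtered by path.
http_access allow whitelist-regex
http_access allow localhost
http_access deny all
```

After a reload, a CONNECT to www.reddit.com:443 should be logged as allowed, a GET for https://www.reddit.com/r/news should be allowed, and a GET for any other reddit.com path should receive the 403 from the final deny rule; if a CONNECT still shows up as denied, check the CONNECT allow rule before looking at the bump rules.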