[squid-users] client-->iptables-->squid-proxy->another-proxy

Diogenes S. Jesus splash at gmail.com
Sun Aug 20 21:53:16 UTC 2017


Hi Amos. Thanks for pointing it out - but this has never been an
acl-related issue, more like an https_port / ssl-bump configuration question
when the upstream ssl request was not sending a "CONNECT www.example.org:443"
but a "GET https://www.example.org".

For the sake of testing one can simply get rid of the acls and set "allow
all"; it wouldn't matter. This line, "ssl_bump splice all", is the answer
most people were looking for, I suppose.

Best regards.



On Sun, Aug 20, 2017 at 10:31 AM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 20/08/17 14:38, Diogenes S. Jesus wrote:
>
>> * squid.conf:
>> -----------------------
>> acl localhost src 127.0.0.0/8
>> acl localnet src 192.168.100.0/24 192.168.101.0/24 172.16.0.0/12
>> acl SSL_ports port 443
>> acl Safe_ports port 80    # http
>> acl Safe_ports port 443   # https
>> acl CONNECT method CONNECT
>>
>> http_access allow  localhost localnet
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny all
>>
>>
> Those http_access rules contain an impossible condition.
>
> The src-IP cannot simultaneously be having a value in the 127/8 network
> range *and* in one of the RFC1918 ranges. So there is no way anything is
> ever allowed to use this proxy.
>
> I suspect it was working due to a recently fixed bug where the CONNECT
> message was not consistently passed through http_access controls sometimes
> in the first SSL-Bump step. Do not expect that to work much longer.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 

--------

Diogenes S. de Jesus
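The point Amos raises about the quoted squid.conf (every ACL on a single http_access line is ANDed, so "allow localhost localnet" requires one source address to be in 127/8 and in an RFC1918 range at once) is easy to check mechanically. The script below is an added example, not code from the thread or from the Squid project: it parses the "acl ... src" and "http_access" lines, flags any http_access line whose positive src ACLs have no overlapping address range, and prints the split-into-separate-lines form that gives the intended OR. The embedded SAMPLE_CONF is a constructed copy of the quoted configuration with comments and link residue stripped; the function names are this example's own.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed sample input: the ACL and http_access lines from the squid.conf
# quoted in the thread above (comments and link residue dropped).
SAMPLE_CONF = """\
acl localhost src 127.0.0.0/8
acl localnet src 192.168.100.0/24 192.168.101.0/24 172.16.0.0/12
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access allow localhost localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""


def _tokens(line: str) -> List[str]:
    """Split a squid.conf line into tokens, dropping any trailing '# comment'."""
    return line.split("#", 1)[0].split()


def parse_src_acls(conf: str) -> Dict[str, list]:
    """Collect the networks of every 'acl NAME src ...' line.
    Squid lets the same ACL name appear on several lines; they accumulate."""
    acls: Dict[str, list] = {}
    for line in conf.splitlines():
        t = _tokens(line)
        if len(t) >= 4 and t[0] == "acl" and t[2] == "src":
            acls.setdefault(t[1], []).extend(
                ip_network(cidr, strict=False) for cidr in t[3:])
    return acls


def acls_overlap(a: list, b: list) -> bool:
    """True if some network of ACL a shares at least one address with ACL b."""
    return any(x.overlaps(y) for x in a for y in b)


def find_impossible_rules(conf: str) -> List[Tuple[str, List[str]]]:
    """Flag http_access lines that can never match.

    Every ACL named on one http_access line is ANDed: the request must match
    all of them. A request has a single source address, so two src ACLs whose
    address ranges never intersect make the whole line dead code. Negated
    ACLs (!name) are skipped, since they do not constrain the source positively.
    Returns (rule line, [acl pair]) for each disjoint pair found.
    """
    src_acls = parse_src_acls(conf)
    findings: List[Tuple[str, List[str]]] = []
    for line in conf.splitlines():
        t = _tokens(line)
        if len(t) < 3 or t[0] != "http_access":
            continue
        names = [n for n in t[2:] if not n.startswith("!") and n in src_acls]
        for i, left in enumerate(names):
            for right in names[i + 1:]:
                if not acls_overlap(src_acls[left], src_acls[right]):
                    findings.append((line.strip(), [left, right]))
    return findings


def split_rule(line: str) -> List[str]:
    """Rewrite 'http_access ACTION a b ...' as one line per ACL.
    Separate http_access lines are evaluated in order, first match wins,
    which gives the OR between localhost and localnet that was intended."""
    t = _tokens(line)
    return [f"http_access {t[1]} {name}" for name in t[2:]]


if __name__ == "__main__":
    for rule, pair in find_impossible_rules(SAMPLE_CONF):
        print(f"never matches: {rule!r} ({pair[0]} and {pair[1]} are disjoint)")
        print("suggested replacement:")
        for fixed in split_rule(rule):
            print("  " + fixed)
```

Run against SAMPLE_CONF it reports only "http_access allow localhost localnet" and suggests the two-line form; the deny lines are untouched because their ACLs are negated or are not src ACLs. The check is deliberately limited to src ACLs, since those are the only ones where disjoint ranges prove a line dead; it does not model the bumping steps Amos mentions, so a clean result here says nothing about ssl_bump behaviour.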