[squid-users] Help with UA filtering in https connections

squidnoob ermalwa1 at gmail.com
Thu Dec 28 22:59:20 UTC 2017


Hi there,

I'm a squid noob. I have been trying to configure squid for the past 3 days,
looking high and low on the interwebs, and have not found exactly what I'm
looking for.

Here's the context:
- the squid server is running in a server environment. It will not serve
end-users, but servers.
- privacy in regards to ssl interception is not a concern in this
environment.
- running squid: 3.5.23 on Ubuntu 16.04


Here are my goals:
- whitelist approach for domains, i.e. I only want a handful of domains to
be accessible.
- I want to allow certain UAs to bypass the whitelist rules. I know that
user agents are easy to spoof, but in this context and environment, it
doesn't matter.


I've pieced together the following configuration and have not been able to
figure this out. Any help is greatly appreciated! 

---------------------------------------------squid.conf-------------------------------------------------
visible_hostname squid

acl CONNECT method CONNECT

access_log daemon:/var/log/squid/access.log combined

#Handling HTTP requests
http_port 3129 intercept
acl allowed_http_sites dstdomain "/etc/squid/http_allow_domains.txt"
http_access allow allowed_http_sites

#Handling HTTPS requests
https_port 3130 ssl-bump intercept cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB


acl SSL_port port 443
http_access allow SSL_port

## This route does not work with UA processing below, but properly terminates non-whitelisted sites
# The ssl::server_name ACL will not work outside of the ssl_bump directive. 
acl allowed_https_sites ssl::server_name "/etc/squid/http_allow_domains.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
##


## This route does not work at all at preventing non-whitelisted sites
#acl allowed_https_sites ssl::server_name "/etc/squid/http_allow_domains.txt"
#acl step1 at_step SslBump1
#acl step2 at_step SslBump2
#acl step3 at_step SslBump3
#ssl_bump peek step1 all
#ssl_bump peek step2 allowed_https_sites
#ssl_bump splice step3 allowed_https_sites
#ssl_bump bump all
##
 

## Bypass the proxy by UA
acl proxy_bypass_ua browser ^python-requests.*$
http_access allow proxy_bypass_ua



# And finally deny all other access to this proxy
http_access deny all







--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
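
One arrangement that fits the goals stated in the message above, as an added example that is not part of the original post: Squid can only read a User-Agent header after a TLS connection has been bumped, so this version bumps every intercepted connection and applies both the domain whitelist and the UA exception in `http_access`. It assumes the client servers trust `myCA.pem`; the ACL name `allowed_sites` is made up for this example.

```conf
visible_hostname squid
access_log daemon:/var/log/squid/access.log combined

http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl CONNECT method CONNECT
acl SSL_port port 443
acl step1 at_step SslBump1
# One list for plain HTTP and for decrypted HTTPS
# (the ACL name is an assumption of this example).
acl allowed_sites dstdomain "/etc/squid/http_allow_domains.txt"
acl proxy_bypass_ua browser ^python-requests

# Read the SNI at step 1, then decrypt everything. A spliced connection is
# an opaque tunnel: Squid never sees its HTTP headers, so a browser ACL
# cannot match inside it.
ssl_bump peek step1
ssl_bump bump all

# http_access is first-match. For intercepted TLS, Squid builds the CONNECT
# request itself; it carries no User-Agent and has to be allowed for the
# bump to take place. Tying this rule to the CONNECT method keeps it from
# also matching the decrypted requests, which are on port 443 as well.
http_access allow CONNECT SSL_port

# Plain HTTP requests and decrypted HTTPS requests are decided here.
http_access allow allowed_sites
http_access allow proxy_bypass_ua

# And finally deny all other access to this proxy
http_access deny all
```

`squid -k parse` checks the file for syntax errors before it is loaded.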

