[squid-users] Help with UA filtering in https connections

squidnoob ermalwa1 at gmail.com
Fri Dec 29 16:32:38 UTC 2017


Ahh that's it! Thank you for your help!

For anyone interested, I'm posting the working config I'm using. Hopefully
this helps someone.


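#
# Working on squid version: 3.5.23
#
# The general purpose of this configuration is:
# - only allow a set of whitelisted domains through the proxy
# - option to allow specific browser user agents to bypass the domains whitelist
# - option to allow specific hosts to bypass the domains whitelist
# - option to allow a specific host + user agent combination to bypass the domains whitelist
#
# Useful in a restricted environment, like a server environment with
# restricted egress requirements.
#
# NOTE: the user-agent based bypasses match a client-supplied request header,
# so they are a convenience for known tooling, not an access-control boundary.
# The host (src) based bypass is the stronger of the two.
#
# Requirements for this to work properly
#
# On proxy host:
#   iptables rules to support redirection to appropriate ports
#     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
#     iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
#
#   Self-signed cert route:
#     openssl req -newkey rsa:4096 -x509 -keyout /etc/squid/ssl_cert/mySquidCA.pem -out /etc/squid/mySquidCA.pem -days 1825 -nodes
#     As written, -keyout and -out are two different files: the private key lands in
#     /etc/squid/ssl_cert/mySquidCA.pem and the certificate in /etc/squid/mySquidCA.pem.
#     The https_port cert= option below expects one PEM file holding both (or a separate
#     key= option), so either concatenate them or point cert=/key= at the two files.
#     -nodes leaves the CA key unencrypted: keep it on the proxy host only, owned by the
#     squid user and readable by nobody else, because whoever holds it can issue
#     certificates that every client trusting mySquidCA will accept.
#
# On clients
#   For self-signed cert route:
#     Add the certificate (public part only, never the key) of mySquidCA to appropriate stores
#     e.g. Ubuntu 16.04, copy the certificate .pem to:
#     /usr/local/share/ca-certificates/mySquidCA.crt and then run sudo update-ca-certificates
#
#     If running python, may need to update appropriate package cert stores:
#     e.g. /usr/local/lib/python2.7/dist-packages/requests/cacert.pem
#
# Refs
#   - install 3.5.23: https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html
#   - example: https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/
#   - http://www.squid-cache.org/Doc/
#

visible_hostname squid

# The default log formats available (which do not need re-defining) are:
#logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# 'combined' records the User-Agent, so bypass decisions made on it below can be audited from the log.
access_log daemon:/var/log/squid/access.log combined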


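# acls for ports allowed (referenced by the http_access rules below)
acl safe_ports port 80          # http
acl safe_ports port 443         # https

# acl for whitelisting domains
# one destination domain per line; a leading dot matches the domain and its subdomains
acl whitelist_domains dstdomain "/etc/squid/whitelist_domains.txt"

# acl for browser user agents
# 'browser' is a regex match on the request's User-Agent header. That header is
# chosen by the client, so this acl identifies cooperating tooling, not trusted clients.
acl useragent_bypass browser "/etc/squid/useragents_bypass_regex.txt"

# acl for hosts (client source addresses; REDIRECT keeps the original client IP)
acl host_bypass src "/etc/squid/hosts_bypass.txt"

# acls for use with host AND user agent combo rule
acl host_and_useragent_ualist_bypass browser "/etc/squid/host_AND_useragent_useragentlist_bypass.txt"
acl host_and_useragent_hostlist_bypass src "/etc/squid/host_AND_useragent_hostlist_bypass.txt"


acl CONNECT method CONNECT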



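#Handling HTTP requests
#http_port 3128         # will need this live for squid v4
http_port 3129 intercept

#Handling HTTPS requests
# transparent proxy option
#https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept

# full ssl intercept option
# cert= must name a PEM file holding both the CA certificate and its private key;
# otherwise add key=<path-to-key-file>. The openssl command in the header writes
# the key and the certificate to two different files, so check which one this is.
https_port 3130 ssl-bump intercept cert=/etc/squid/ssl_cert/mySquidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 10MB

# for ver 4.x
#sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 10MB


# bump everything
# Every TLS flow is terminated on this host, so trusting mySquidCA on a client
# means this host can read that client's HTTPS traffic. Clients that pin their
# server certificate will fail to connect; host_bypass does not help them,
# because bumping happens before http_access runs.
ssl_bump stare all
ssl_bump bump all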

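# delay filtering decisions until we get to bumped requests
http_access allow CONNECT safe_ports
http_access deny CONNECT

# defense in depth: nothing but the ports in safe_ports, even for bypass
# hosts/agents. Harmless for the documented iptables redirection (only 80 and
# 443 arrive here) and matches the baseline rule in the stock squid.conf.
http_access deny !safe_ports

# filter plain and bumped requests
# allow specified hosts to bypass
http_access allow host_bypass

# allow specified useragents to bypass
# NOTE: User-Agent is client-chosen; treat this as a convenience for known tooling.
http_access allow useragent_bypass

# allow combo of host + useragent to bypass (two acls on one line are ANDed)
http_access allow host_and_useragent_ualist_bypass host_and_useragent_hostlist_bypass

# allow only whitelisted domains if above rules haven't bypassed it yet
http_access allow whitelist_domains

# finally, deny all other access to this proxy
http_access deny all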




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

