[squid-users] squid-users Digest, Vol 30, Issue 3
squid3 at treenet.co.nz
Thu Feb 2 13:08:40 UTC 2017
On 3/02/2017 1:22 a.m., Sergey Klusov wrote:
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get a working transparent setup allowing only certain
>>> domains, and have the problem that in order to allow https ("ssl_bump splice
>>> allowed_domains") I have to "http_access allow all", thus allowing all
>>> other http traffic through. Otherwise https traffic is not allowed at
>>> sslproxy_cert_error allow all
>>> sslproxy_flags DONT_VERIFY_PEER
>> Not good. Remember this is a security protocol you are playing around
>> Both of the above lines hide critical details you need to figure out
>> what is going wrong. They can be useful as a spot-check (only!) to
>> figure out if the problem is related to cert verification or something
>> else. But DO NOT use them for regular traffic, not even testing traffic.
>> You may find that there are certain _specific_ errors that you need to
>> let through. Add the appropriate flags, SSL options, ACL checks and
>> sslproxy_cert_error lines for those as needed; don't just ignore all
>> possible errors like the above does.
> This setup's only purpose is to allow clients to connect only to a
> small set of certain sites.
> I suppose the client's browser will do all checks?
What the browser sees is the stuff inside the spliced connections, which
does not go near these sslproxy_* directives.
sslproxy_* are for Squid<->Internet connections. Errors here will never
be seen by any browser, and in your setup will probably come from wrongly
bump'ed traffic, so you had better be aware of those problems.
>> To fix it in a very targeted way add these lines (mind the wrap sorry):
>> acl rawIP dstdom_regex
>> acl bumpPort myportname 10.96.243.1:3129
>> http_access allow CONNECT bumpPort rawIP
> I've worked around it like this:
> acl http_proto proto http
> http_access allow !http_proto
> but will try your variant too.
FYI: my ACLs were being very strict, ensuring allow only for CONNECT
requests that come from the port with ssl-bump and also go to
port 443 (HTTPS).
Just allowing all non-http:// URLs through the proxy is not much better
than 'allow all'.
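
A worked squid.conf fragment for the setup discussed in this thread, added here as an example; it is not configuration posted by either participant. The listener addresses, the port names "plainport" and "bumpport", the certificate path and the example.com/example.org domains are assumptions to replace with your own. It shows the three lines the thread warns against, commented out, beside a targeted alternative that follows the CONNECT/bump-port/443 pattern Amos describes and uses peek/splice/terminate so only the allowed server names get through without ever bumping the TLS session:

```conf
# Added example squid.conf fragment (Squid 3.5-style); not from the thread.
# Assumed values: the 10.96.243.1 listener addresses, the port names
# "plainport"/"bumpport", the example.com/example.org domains and the
# certificate path. Adjust them for your site.

# --- Weak setup the thread warns against ---------------------------------
# http_access allow all
# sslproxy_cert_error allow all
# sslproxy_flags DONT_VERIFY_PEER
# "allow all" lets every http:// request through; the other two silence
# every certificate error on the Squid<->Internet side, errors a browser
# never sees and which usually point at traffic being bumped by mistake.

# --- Targeted setup --------------------------------------------------------
http_port  10.96.243.1:3128 intercept name=plainport
https_port 10.96.243.1:3129 intercept name=bumpport ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem

# Sites that may be reached over plain HTTP or spliced HTTPS.
acl allowed_domains dstdomain .example.com .example.org
acl allowed_sni     ssl::server_name .example.com .example.org

acl CONNECT   method CONNECT
acl SSL_ports port 443
acl bumpPort  myportname bumpport

# Only the fake CONNECT requests Squid itself generates for intercepted TLS
# (arriving on the ssl-bump port, going to port 443) pass this stage; the
# ssl_bump rules below decide whether each one is spliced or dropped.
http_access allow CONNECT bumpPort SSL_ports
http_access deny  CONNECT
http_access allow allowed_domains
http_access deny  all

# Peek at the TLS ClientHello to learn the SNI, splice only the allowed
# names and terminate everything else. Nothing is bumped, so the browser
# keeps doing its own certificate checks end-to-end.
acl step1 at_step SslBump1
ssl_bump peek      step1
ssl_bump splice    allowed_sni
ssl_bump terminate all

# sslproxy_cert_error stays at its default (deny all) and no sslproxy_flags
# are set; add a specific exception only if a bumped destination needs it.
```

With this ordering a plain http:// request to a site outside allowed_domains is denied by the final rule, and an intercepted TLS connection to any other server name is terminated at step 1 without Squid ever presenting a forged certificate, which is what lets the sslproxy_* directives keep their strict defaults.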