On 3/02/2017 1:22 a.m., Sergey Klusov wrote:
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get working transparent setup allowing only certain
>>> domains and have problem that in order to allow https "ssl_bump splice
>>> allowed_domains" I have to "http_access allow all", thus allowing all
>>> other http traffic through. Otherwise https traffic is not allowed at
>>> all.

>>> sslproxy_cert_error allow all
>>> sslproxy_flags DONT_VERIFY_PEER
>> Not good. Remember this is a security protocol you are playing around
>> with.
>> Both of the above lines hide critical details you need to figure out
>> what is going wrong. They can be useful as a spot-check (only!) to
>> figure out if the problem is related to cert verification or something
>> else. But DO NOT use them for regular traffic, not even testing traffic.
>> You may find that there are certain _specific_ errors that you need to
>> let through. Add the appropriate flags, SSL options, ACLs checks
>> sslproxy_cert_error lines for those as needed, don't just ignore all
>> possible errors like above does.
> this setup's only purpose is to just allow clients to connect only to
> a small set of certain sites
> I suppose client's browser will do all checks?

What the browser sees is the stuff inside the spliced connections. Which
does not go near these sslproxy_* directives.

sslproxy_* are for Squid<->Internet connections. Errors here will never
get seen by any browser and in your setup will probably be from wrongly
bump'ed traffic, so you better be aware of those problems.

>> To fix it in a very targeted way add these lines (mind the wrap sorry):
>>   acl rawIP dstdom_regex
>> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$
>>   acl bumpPort myportname
>>   http_access allow CONNECT bumpPort rawIP
> I've worked around like this:
> acl http_proto proto http
> http_access allow !http_proto
> but will try your variant too
> thanks.

FYI: my ACLs were being very strict. Ensuring only allow for CONNECT
requests which are coming from the port with ssl-bump, and also going to
port 443 (HTTPS).

Just allowing all non-http:// URLs through the proxy is not much better
than 'allow all'.
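Putting the advice in this thread together as one squid.conf fragment, as an added example rather than anything posted in the thread. The port numbers, the port name `bump443`, the certificate path and the domain list are placeholders; the `rawIP` regex is the one from the reply above (with its missing `[` restored), written so it matches whether or not Squid includes the `:443` suffix in the matched host, and the port is additionally checked with a separate `port` ACL.

```conf
# Added example squid.conf fragment (not from the thread). Port names, the
# certificate path and the domain list are placeholders.

# Intercepted ports. The https_port carries a name so ACLs can match it.
http_port  3129 intercept
https_port 3130 intercept ssl-bump name=bump443 cert=/etc/squid/placeholder-cert.pem

# The small set of sites this proxy may reach, as hostnames and as TLS SNI.
acl allowed_domains dstdomain .example.com .example.net
acl allowed_sni     ssl::server_name .example.com .example.net

# Fake CONNECT requests that Squid generates for intercepted TLS carry the
# raw destination IP (v4, or bracketed v6) before the SNI is known.
acl rawIP dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\]))(:443)?$
acl bumpPort myportname bump443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Only the bump port's fake CONNECT to a raw IP on 443 is let in; everything
# else must be on the allow list. No "allow all" and no "allow !http_proto".
http_access allow CONNECT bumpPort rawIP SSL_ports
http_access allow allowed_domains
http_access deny all

# Peek at the ClientHello for the SNI, splice only allowed names, and close
# everything else. Nothing is bumped, so the sslproxy_* verification
# settings are never loosened.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

The two allow lists are deliberately separate: `dstdomain` governs plain http:// requests and the updated CONNECT once the SNI is known, while `ssl::server_name` decides the splice; a name missing from either is refused rather than falling through to a blanket rule.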
