[squid-users] HTTPS sites specifics URL

Dante F. B. Colò dante01010 at gmail.com
Wed Feb 8 12:07:32 UTC 2017


Hi Amos,

What I'm trying to do is allow the URL "www.sans.org/programs", as an 
example; the ACL file "restrito" contains this URL, but it's not working. 
HTTPS URLs are working only with the domain part, which in this case means I 
have to remove "/programs".



On 2/8/17 1:40 AM, Amos Jeffries wrote:
> On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:
>> Hi Leonardo,
>>
>> Thanks for your reply,I tried SSL Bump under client-first and
>> server-first modes both didn't work, Squid version is 3.4.14 running
>> under OpenBSD 5.6 and 5.7 test boxes, i also increased verbosity log to
>> 9 of the URL Parsing debug section to see if shows something useful , i
>> 'll post here my squid.conf and debug output from cache.log, if you
>> have some suggestion tell me please.
>>
>> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
>> skipped duplicate profile: asndb
>> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
>> skipped duplicate profile: carp
>> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
>> skipped duplicate profile: userhash
>> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
>> skipped duplicate profile: sourcehash
>> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
>> skipped duplicate profile: server_list
>> 2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
>> 2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
>> entering clientListenerConnectionOpened(local=172.17.198.19:3128
>> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
>> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
>> clientListenerConnectionOpened [call27542]
>> 2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
>> connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
>> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
>> leaving clientListenerConnectionOpened(local=172.17.198.19:3128
>> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
>> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
>> connection on FD 18
>> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
>> connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
>> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
>> HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9
>> flags=1
>> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
>> HTTP Client REQUEST:
>> ---------
>> CONNECT www.sans.org:443 HTTP/1.1
>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
>> Gecko/20100101 Firefox/45.0
>> Proxy-Connection: keep-alive
>> Connection: keep-alive
>> Host: www.sans.org:443
>> Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
>>
>>
>> ----------
> ...
>> 2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
>> 'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
> ... the "password" ACL works.
>
> ... the "jeca.tatu" ACL is redundant.
>
>> 2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
>> clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
>> last ACL checked: all
> ... the "restrito" ACL does not match "www.sans.org:443".
>
> ... the "deny all" blocks this CONNECT request.
>
>
>> 2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
>> connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
>> FD 9 flags=1 from SSL-bumped CONNECT
> ... Squid then goes on and bumps the request. But only so that it can
> deliver the error message in a way which browsers will display.
>
>> 2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
>> clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
>> FD 9 (172.17.200.11:50974)
> ...
>> 2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
>> sendStartOfMessage: HTTP Client REPLY:
>> ---------
>> HTTP/1.1 403 Forbidden
>> Server: squid/3.4.12
>> Mime-Version: 1.0
>> Date: Tue, 06 Dec 2016 21:33:05 GMT
>> Content-Type: text/html
>> Content-Length: 3342
>> X-Squid-Error: ERR_ACCESS_DENIED 0
>> Vary: Accept-Language
>> Content-Language: en
>> X-Cache: MISS from openbsd57vm01
>> Via: 1.1 openbsd57vm01 (squid/3.4.12)
>> Connection: close
>>
>> #################################################################
>>
>> my squid.conf
>>
> ...
>> acl password proxy_auth REQUIRED
>> acl jeca.tatu proxy_auth jeca.tatu
>> acl restrito url_regex -i  "/etc/squid/acl/restrito"
>> http_access allow password jeca.tatu restrito
>> http_access deny all
>>
>> http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private
>> cert=/etc/squid/pki/test.cert
>> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> always_direct allow all
> You don't need that "always_direct allow all". It was a workaround for a
> 3.1 bug which is long since fixed.
>
>> ssl_bump client-first all
>> sslproxy_cert_error allow all
>> sslproxy_cert_error allow BadSite
>> sslproxy_flags DONT_VERIFY_PEER
> Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad,
> particularly for testing. You *want* to see what problems are when debugging.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
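The log above shows why the "restrito" url_regex fails: the first http_access check runs against the CONNECT request, whose URL is only "www.sans.org:443", so no pattern containing a path can match it; the full "https://www.sans.org/programs" URL is only visible on the bumped requests that follow. The fragment below is an added example, not a config from this thread or from the Squid project; it keeps the "password" and "restrito" ACL names from the original squid.conf, and "restrito_hosts" is a name chosen here.

```conf
# Added example: two-stage http_access for SSL-bumped HTTPS (Squid 3.4 syntax).
# Stage 1: the CONNECT request carries only "host:port", so a url_regex with a
# path can never match it. Admit the tunnel by destination domain instead.
acl CONNECT method CONNECT
acl SSL_ports port 443
acl restrito_hosts dstdomain www.sans.org   # assumed name: hosts whose paths are filtered below

# Stage 2: after ssl_bump, each decrypted request is re-checked with its full URL
# ("https://www.sans.org/programs"), which url_regex can match. Patterns in the
# file should be anchored and dot-escaped so "www.sans.org" cannot match an
# unrelated host, e.g.:
#   ^https://www\.sans\.org/programs
acl restrito url_regex -i "/etc/squid/acl/restrito"

http_access allow password CONNECT SSL_ports restrito_hosts   # open the tunnel
http_access allow password restrito                           # bumped requests, by full URL
http_access deny all   # other paths on the host get the 403 here, after bumping

ssl_bump client-first all
```

Without bumping, only the host name is ever visible to the proxy, so a path filter for HTTPS is not possible at all; with this layout, the domain allow only opens the tunnel, and the per-path decision is still made on each decrypted request.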