[squid-users] HTTPS site filtering

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 20 17:45:37 UTC 2017


On 21/01/2017 5:52 a.m., roadrage27 wrote:
> I was able to resolve my issue partially.  I burned down the server and
> rebuilt it clean so all previous changes that were made attempting to make
> SSL work were gone.  Once I reloaded squid and the config files I was able
> to allow SSL traffic using the dstdomain acl type.  I currently have a few
> URLs that are regex type that need to be allowed so I'm currently cranking
> out those.
> 
> On Fri, Jan 20, 2017 at 8:36 AM roadrage27 wrote:
> 
>>> That tells me either you have screwed up the CONNECT ACL definition. Or
>>> the SSL_ports one.
>> Very possible as I'm pretty green on squid, my current conf file is below.
>> With that conf the SSL sites just sit and spin until they eventually time
>> out.
>>
>> acl site_squid_art url_regex ^http://www.squid-cache.org/Artwork
>> acl keepgoing dstdomain .plateau.com .skillwsa.com .successfactors.com
>>

What's the idea behind this "keepgoing" ACL ?
Is this proxy supposed to have reverse-proxy duties for them?

>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow keepgoing
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access allow CONNECT SSL_ports
>> http_access allow localhost manager
>> http_access allow site_squid_art
>> http_access allow localhost
>>

I see no 'localnet' ACL use. If this proxy is supposed to be servicing
LAN clients, that will be needed and the keepgoing and artwork ACLs
probably not needed.

The final "http_access deny all" is missing as well. Squid is just doing
that implicitly anyway. So it's more needed to remind you of what is
happening and prevent possible mistakes implicitly allowing lots of
unexpected things through the proxy later.


>>
>> http_port 3132
>>
>>
>> access_log /var/log/squid3/squid3132.log squid
>>
>> pid_filename /var/run/squid3132.pid
>> coredump_dir /var/spool/squid3
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

FYI: The above commented out line is rather critical to the correct
behaviour for dynamic web content.

If the server is not producing the required cache controls, dynamically
changing data should not be allowed to store for one second, let alone
the default 7 days.

>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>> #refresh_pattern . 0 20% 4320
>>

What's the point of commenting that out?

Amos
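The access-list and refresh_pattern layout Amos describes above, written out as an added example squid.conf excerpt. This is not the configuration posted in the thread and not Amos's own text; the localnet source ranges are the RFC 1918 and link-local ranges from Squid's shipped default config and are an assumption about what this LAN actually uses.

```conf
# Added example squid.conf excerpt (not the config posted in this thread).
# Client networks: Squid's default private/link-local ranges. Assumption:
# narrow these to the real LAN prefixes before use.
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# Port sanity checks first, before any allow rule can short-circuit them.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager reachable only from the proxy host itself.
http_access allow localhost manager
http_access deny manager

# Ordinary forward-proxy clients: the LAN and the proxy host.
# A per-domain dstdomain allow-list, if one is still wanted, goes here,
# after the port checks and before the final deny.
http_access allow localnet
http_access allow localhost

# Explicit final deny: matches Squid's implicit default here, but makes the
# policy visible and keeps a later rule from silently widening it.
http_access deny all

# Dynamic content must not be cached without server-supplied cache controls,
# so the cgi-bin/query pattern stays active and precedes the catch-all.
refresh_pattern ^ftp:             1440  20%  10080
refresh_pattern ^gopher:          1440  0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%   0
refresh_pattern .                 0     20%  4320
```

Squid evaluates http_access rules top to bottom and stops at the first match, which is why the two deny rules sit above every allow and why an allow placed first (as "allow keepgoing" was in the posted config) bypasses the port checks for anything it matches. When no rule matches, Squid applies the opposite of the last rule's action, so the explicit "deny all" is what keeps that default from flipping if someone later appends an allow rule at the bottom.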

