[squid-users] transparent http and https filter with white-list only

Sergey Klusov snklusov at gmail.com
Fri Jan 27 11:36:52 UTC 2017 

Hello. I'm trying to get working transparent setup allowing only certain 
domains and have problem that in order to allow https "ssl_bump splice 
allowed_domains" i have to "http_access allow all", thus allowing all 
other http traffic through. Otherwise https traffic is not allowed at all.

Here is my config:

=======config=======
http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
https_port 10.96.243.1:3129 intercept ssl-bump 
options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off 
cert=/etc/squid/squidCA.pem
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice https_allow
ssl_bump terminate all

cache deny all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow all http_allow
http_access allow all https_allow
http_access deny all

always_direct allow all

coredump_dir /var/spool/squid

refresh_pattern .               0       0%      0

logformat ssl %ts.%03tu %6tr %>a %la:%lp %Ss/%03>Hs %<st %rm %ssl::>sni 
%ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log logformat=ssl
================cut==============

files with domain names:
=====================
# cat http_allow_domains.txt
.google.com
# cat https_allow_domains.txt
.google.com
=====================

With this config http filtering works and https://google.com request 
gets replied with self-signed squid deny message.
If i replace "http_access deny all" with "http_access allow all", https 
filtering starts working, allowing https://google.com and resetting 
other https requests, BUT it allows any http traffic as well!

What do i do wrong?
I need my server to pass "/etc/squid/http_allow_domains.txt" HTTP and 
"/etc/squid/https_allow_domains.txt" HTTPS domains ONLY.

More information about the squid-users mailing list