[squid-users] Cannot access https site

Alex Rousskov rousskov at measurement-factory.com
Mon May 15 17:25:12 UTC 2017


On 05/15/2017 09:53 AM, Vieri wrote:

> My goal is to set up Squid so it can act as a transparent proxy for
> local clients browsing the web. It should "deny all" except traffic
> to the destination domains included in an ACL file.

> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
> http_access deny !allowed_domains
> http_access allow localnet
...
> ssl_bump stare all
> ssl_bump bump all


> What am I doing wrong?

You are denying fake CONNECT requests during SslBump step1. During that
step, intercepted SSL connections are represented by fake CONNECT
requests with IP addresses (not domain names). Such requests will often
match your "http_access deny !allowed_domains" rule. See "Step 1"
description at http://wiki.squid-cache.org/Features/SslPeekAndSplice

What you probably want is to allow all reasonable fake CONNECT requests
during that step. There are several ways to do that, and I hope others
on the list can help you with that if you cannot figure it out. Please
do not forget to post your Squid version if you need further help (and
use the latest v3.5 or later if you are doing SslBump, regardless of
what your OS packages for you).

Some other configuration aspects are (or may be considered by some)
wrong as well, but it is best to fix one SslBump problem at a time IMHO.


> Also, would I have performance issues if the "allowed.domains" ACL
> file becomes very big over time?

Naturally, the more domains you have, the slower ACL checks become. 1000
domains is not a problem, but 1000 million domains usually is. Define
"very big" and "performance issues".


HTH,

Alex.
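
Added example, not part of Alex's message and not the Squid project's own configuration: one of the "several ways" to let the step 1 fake CONNECT through, by ordering http_access so it is allowed before the domain check. The ACL names are the poster's; their definitions are not shown in the post, so the example assumes localnet matches the local client addresses and interceptedssl matches only the intercepting https_port.

```conf
# --- As posted: the step 1 fake CONNECT is denied ---------------------
# For an intercepted TLS connection Squid first builds a fake request
#   CONNECT <destination-IP>:443
# No domain name is known at that point, so "!allowed_domains" will
# often match and the connection is refused before any bumping happens.
#
#   http_access deny intercepted !localnet
#   http_access deny interceptedssl !localnet
#   http_access deny !allowed_domains
#   http_access allow localnet

# --- Reordered --------------------------------------------------------
# "CONNECT" is defined in the default squid.conf; drop this line if
# your configuration already has it.
acl CONNECT method CONNECT

# Unchanged: refuse intercepted traffic that is not from local clients.
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

# New: accept the fake CONNECT that represents an intercepted TLS
# connection from a local client. Only the CONNECT itself is allowed
# here; nothing is served to the client on the strength of this rule.
http_access allow CONNECT interceptedssl localnet

# Unchanged: requests decrypted after bumping carry a host name and are
# checked by http_access again, so the domain allow-list still applies
# to them (and to plain HTTP requests).
http_access deny !allowed_domains
http_access allow localnet

# SslBump rules as posted.
ssl_bump stare all
ssl_bump bump all
```

With this ordering a connection to a domain outside the list is still bumped and then refused at the HTTP layer. Run `squid -k parse` to check the syntax before reloading.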


