[squid-users] [Fwd: Re: SSL Bump for regex URL comparison]

Joe Foster joe.e.foster at googlemail.com
Fri Nov 17 12:45:48 UTC 2017


Good morning,

I have tried the attached but I still receive the same result.

I have attached a screen shot to show what happens; it's like there is no
connection.

I have tried it with and without listing 3128 as a safe ssl port. I
imagine it's not needed as it's generated from Squid.

HTTPS isn't connecting; HTTP is, though that's no surprise, as I'm only
diverting port 443 to port 3128.

There are no logs being generated so I can't find out more.

I can't for the life of me see what I'm doing wrong. 

Your advice is greatly received.

Thank you

Joe
 

I have the below rule added to my firewall for the redirect:
connection config redirect
        option proto 'tcp'
        option src 'lan'
        option src_ip '!192.168.1.101'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.1.101'
        option dest_port '3128'
        option target 'DNAT'



On Thu, 2017-11-16 at 10:38 +0100, Matus UHLAR - fantomas wrote:
> On 16.11.17 08:21, Joe Foster wrote:
> >The problem is the connections are not getting through. It just acts
> >like there is no WiFi connection.
> 
> what exactly is the error? Does squid receive those connections?
> does squid reject them?
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2017-11-17 09-36-42.png
Type: image/png
Size: 61597 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20171117/5a5888b1/attachment-0001.png>
-------------- next part --------------
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
# 192.168.1.0/16 is not aligned to its /16 mask; Squid warns and masks it to this anyway
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl ssl_ports port 443
acl ssl_ports port 3128

acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1025-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl safe_ports port 3128
acl CONNECT method CONNECT

#acl ssl_ports port 3128
#http_port 3128 ssl-bump cert=/certs/myCA.pem

http_access deny !safe_ports
http_access deny CONNECT !ssl_ports

http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

acl bad_domain url_regex -i "/badwords"
acl good_domain url_regex -i "/safewords"

http_access deny bad_domain !good_domain
http_access allow good_domain

http_access allow localnet
http_access allow localhost

cache deny all

http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=50KB cert=/certs/myCA.pem

ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /squid.log
cache_log /squid1.log
cache_store_log stdio:/squid2.log
logfile_rotate 0

logfile_daemon /dev/null
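Added example (not from the original post or the Squid project): the listening, bumping, verification and logging parts of a squid.conf for the DNAT setup described above, written against Squid 3.5 directive names. It assumes the firewall redirect is pointed at a separate intercept port 3129, and the helper path /usr/lib/squid/ssl_crtd, the cache directory /var/lib/squid/ssl_db and the /var/log/squid paths are assumptions.

```squid
# --- Listening ports -------------------------------------------------
# Explicit proxy port for clients configured to use the proxy directly.
http_port 3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/certs/myCA.pem

# DNAT-redirected TLS must land on a port flagged "intercept"; a raw
# ClientHello arriving on a plain http_port is never parsed as a request,
# which is what "no connection" and an empty access log look like.
# The firewall redirect for dport 443 then targets 3129 instead of 3128.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/certs/myCA.pem

# Helper that mints per-site certificates signed by myCA.pem.
# Path and cache directory are assumptions; create the cache once with
# "ssl_crtd -c -s /var/lib/squid/ssl_db" before starting Squid.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# --- Bumping policy --------------------------------------------------
# peek-and-splice replaces the old "server-first" mode: peek at the
# ClientHello first so the SNI is available, then bump so the decrypted
# URL can be matched by the url_regex ACLs from the posted config.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- Upstream certificate checking -----------------------------------
# Keep validation on. "sslproxy_cert_error allow all" together with
# DONT_VERIFY_PEER makes Squid accept any server certificate, so every
# client that trusts myCA.pem loses its protection against forged sites.
sslproxy_cert_error deny all

# --- Logging ---------------------------------------------------------
# "logfile_daemon /dev/null" disables the helper that writes access_log;
# writing through stdio needs no helper at all.
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
# Section 83 covers SSL-Bump; raise it temporarily when diagnosing.
debug_options ALL,1 83,3
```

With the intercept port in place, cache.log shows the bump steps for each intercepted connection, which is the quickest way to answer "does squid receive those connections?".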

