[squid-users] SslBump Peek and Splice using Squid-4.1-5 in Amazon1 Linux with Squid Helpers

Enrico Heine flashdown at data-core.org
Tue Dec 11 17:53:23 UTC 2018

Dear Mike, 

Please check out the following and let us know if you need further help. 


Best regards,


On 11 December 2018 at 16:41:56 CET, Mike Quentel <mike.quentel.rbc at gmail.com> wrote:
>Hi, I have been unsuccessfully trying to get Squid-4.1-5 in AWS
>(Amazon 1 Linux) to allow transparent proxy of certain domains, as
>well as IPs associated with those domains, whilst rejecting everything
>I have been referencing documentation at
>Version of Squid: 4.1-5 for Amazon 1 Linux available at
>http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/ (many thanks to
>@elico for these packages) specifically, the following:
>Example of tests that I am running:
>1) curl -kv https://service.us2.sumologic.com (EXPECTED: successfully
>accessed; OBSERVED: successfully accessed)
>2) curl -kv (EXPECTED: successfully accessed
>because it resolves to service.us2.sumologic.com; OBSERVED:
>"Certificate does not match domainname"  [No Error] (TLS code:
>3) curl -kv https://www.google.com (EXPECTED: failed to access;
>OBSERVED: failed to access)
>4) curl -kv (EXPECTED: failed to access;
>OBSERVED: "Certificate does not match domainname"  [No Error] (TLS
>Below is the latest version of the squid.conf being used. Apologies
>for any obvious errors; I am new to Squid. I have been grappling with
>this for weeks, with many iterations of squid.conf, so any advice is
>greatly appreciated; many thanks in advance.
>visible_hostname squid
>host_verify_strict off
># Handling HTTP requests
>http_port 3128
>http_port 3129 intercept
>sslcrtd_children 10
># AWS services domain
>acl allowed_http_sites dstdomain .amazonaws.com
># docker hub registry
>acl allowed_http_sites dstdomain .docker.io
>acl allowed_http_sites dstdomain .docker.com
>acl allowed_http_sites dstdomain www.congiu.net
># Handling HTTPS requests
># https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
>https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB
>acl SSL_port port 443
># AWS services domain
>acl allowed_https_sites ssl::server_name .amazonaws.com
># docker hub registry
>acl allowed_https_sites ssl::server_name .docker.io
>acl allowed_https_sites ssl::server_name .docker.com
># project specific
>acl allowed_https_sites ssl::server_name www.congiu.net
>acl allowed_https_sites ssl::server_name mirrors.fedoraproject.org
>acl allowed_https_sites ssl::server_name mirror.csclub.uwaterloo.ca
># nslookup resolved IPs for collectors.sumologic.com
># workaround solution to support sumologic collector
>acl allowed_https_sites ssl::server_name .sumologic.com
># acl allowed_https_sites ssl::server_name --server-provided service.sumologic.com sslflags=DONT_VERIFY_PEER
># acl allowed_https_sites ssl::server_name --server-provided service.us2.sumologic.com sslflags=DONT_VERIFY_PEER
>acl step1 at_step SslBump1
>acl step2 at_step SslBump2
>acl step3 at_step SslBump3
>ssl_bump peek step1 all
>ssl_bump peek step2 allowed_https_sites
>ssl_bump bump
>ssl_bump splice step3 allowed_https_sites
>ssl_bump bump
>ssl_bump terminate step2 all
>http_access allow CONNECT
># http_access allow SSL_port
>http_access deny CONNECT !allowed_https_sites
>http_access deny CONNECT !allowed_http_sites
>http_access allow allowed_https_sites
>http_access allow allowed_http_sites
>http_access deny all
>cache deny all
>debug_options "ALL,9"
>squid-users mailing list
>squid-users at lists.squid-cache.org

This message was sent from my Android device with K-9 Mail.
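Added illustration for this thread (not part of either message and not Squid's own code): a small Python model of how Squid walks a list of ssl_bump rules across the three SslBump steps, replayed against the rule set quoted above and against a rule set that only decides after the origin certificate has been seen. The model's assumptions are taken from the Squid ssl_bump documentation and are labelled in the header comment; the three sample connections and the trimmed allow-list are constructed for the example. Two things become visible from the rule order alone: the unconditional `ssl_bump bump` line sits before the `splice step3` line, so even allow-listed names end up bumped at step 3, and a connection made to a bare IP carries no SNI, so at step 2 nothing matches `allowed_https_sites` and the same unconditional `bump` fires before Squid has seen the server certificate.

```python
# Added example for this thread: a toy model of Squid's ssl_bump rule walk.
# This is NOT Squid code; it only replays the quoted rules to show which action
# fires at which SslBump step. Assumptions (from the Squid ssl_bump docs):
#  - rules are tried in order at every step, the first match wins;
#  - ACLs on one rule are ANDed, a rule with no ACL matches everything;
#  - ssl::server_name can see the SNI from step 2 on (after peeking at step 1)
#    and the server certificate's names at step 3 (after peeking at step 2);
#  - when no rule matches, Squid tunnels the connection (modelled as "splice").
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP_ACLS = {"step1": 1, "step2": 2, "step3": 3}   # acl stepN at_step SslBumpN
FINAL = {"bump", "splice", "terminate"}


@dataclass(frozen=True)
class Conn:
    sni: Optional[str]             # ClientHello SNI; None when the client dials a bare IP
    cert_names: Tuple[str, ...]    # origin certificate CN/SAN, visible only after a step-2 peek


def name_matches(pattern: str, name: str) -> bool:
    """dstdomain / ssl::server_name style: '.example.com' also matches its subdomains."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def known_names(conn: Conn, step: int, peeked: set) -> set:
    """Names available to ssl::server_name at this step (model assumption, see header)."""
    names = set()
    if step >= 2 and 1 in peeked and conn.sni:
        names.add(conn.sni)
    if step == 3 and 2 in peeked:
        names.update(conn.cert_names)
    return names


def make_acls(allowed_patterns: List[str]) -> dict:
    """Build the ACL predicates the quoted rules refer to: all, step1-3, allowed_https_sites."""
    acls = {"all": lambda step, conn, peeked: True}
    for name, n in STEP_ACLS.items():
        acls[name] = lambda step, conn, peeked, n=n: step == n
    acls["allowed_https_sites"] = lambda step, conn, peeked: any(
        name_matches(p, n) for p in allowed_patterns for n in known_names(conn, step, peeked))
    return acls


def parse_rules(text: str) -> List[Tuple[str, List[str]]]:
    """Turn 'ssl_bump <action> [acl ...]' lines into (action, [acl names]) pairs."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, acls, conn: Conn) -> List[Tuple[int, str]]:
    """Walk steps 1..3 and return [(step, action), ...] up to the final action."""
    trace, peeked = [], set()
    for step in (1, 2, 3):
        for action, names in rules:
            if all(acls[a](step, conn, peeked) for a in names):
                trace.append((step, action))
                if action in FINAL:
                    return trace
                peeked.add(step)     # peek/stare: carry on to the next step
                break
        else:                        # nothing matched: tunnel through
            trace.append((step, "splice"))
            return trace
    return trace


# The ssl_bump lines exactly as quoted in the original post.
POSTED_RULES = """
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump bump
ssl_bump splice step3 allowed_https_sites
ssl_bump bump
ssl_bump terminate step2 all
"""

# A rule set that decides only after the origin certificate has been seen:
# allow-listed names are spliced, everything else is terminated, nothing is bumped.
REVISED_RULES = """
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all
"""

ALLOWED = [".sumologic.com", ".amazonaws.com"]   # subset of the quoted allow-list

# Constructed sample connections mirroring the curl tests in the post.
BY_NAME = Conn("service.us2.sumologic.com", ("service.us2.sumologic.com",))
BY_IP = Conn(None, ("service.us2.sumologic.com",))     # curl to the resolved IP: no SNI
GOOGLE = Conn("www.google.com", ("www.google.com",))


def trace(rules_text: str, conn: Conn) -> List[Tuple[int, str]]:
    return evaluate(parse_rules(rules_text), make_acls(ALLOWED), conn)


if __name__ == "__main__":
    for label, conn in (("by name", BY_NAME), ("by IP", BY_IP), ("google", GOOGLE)):
        print(f"{label:8} posted : {trace(POSTED_RULES, conn)}")
        print(f"{label:8} revised: {trace(REVISED_RULES, conn)}")
```

With the posted rules the model yields peek, peek, bump for the name-based test and peek, bump for both the IP-based test and www.google.com; with the revised rules it yields peek, peek, splice for both sumologic connections (the IP-based one matches through the certificate names at step 3) and peek, peek, terminate for google. The revised set deliberately contains no bump line: per the Squid documentation, peeking at the server certificate at step 2 is the path for splice or terminate decisions and generally precludes bumping, so a deployment that needs to bump some traffic would use stare at step 2 for that traffic instead.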
