[squid-users] Whitelist ONLY exception isn't working correctly

Martin Hanson greencoppermine at yandex.com
Sun May 13 01:55:56 UTC 2018 

Hi,

I have a setup with a PF firewall that intercepts HTTP and HTTPS traffic and forwards that to Squid. Squid is setup to log all traffic and it uses a SSL bump for the HTTPS traffic.

In the setup I have a whitelist of domains that doesn't get logged, the rest of the traffic gets logged and redirected to SquidGuard for further blacklisting. All that works great.

What I cannot figure out is how to add a couple of local IP addresses that can ONLY access the whitelist (or possibly ANOTHER whitelist) and nothing else on the Internet.

The ACL for the "windows_boxes" is the one that is supposed to ONLY access the whitelisted domains. However, when I enter the URL https://www.mojang.com I get a "Access denied". However, if I add a NON-SSL domain to the whitelist, then those works.

This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.

<SNIP>
acl step1 at_step SslBump1
acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .ubuntu.com

# We don't want the whitelist to be cached.
cache deny whitelist

# We want direct access on the whitelist.
always_direct allow whitelist

# Don't redirect to SquidGuard.
redirector_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still gets blocked on these boxes.
http_access deny windows_boxes !whitelist

http_access allow localhost
http_access allow localnet

http_access deny all

# We'll intercept trafic using PF.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Any feedback would be greatly appreciated! Thank you in advance!

Kindest regards.

More information about the squid-users mailing list