[squid-users] Whitelist ONLY exception isn't working correctly

Amos Jeffries squid3 at treenet.co.nz
Sun May 13 08:11:57 UTC 2018


On 13/05/18 13:55, Martin Hanson wrote:
> 
> This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.
> 

The comments on this config tell a story of some misunderstandings ...

> <SNIP>
> acl step1 at_step SslBump1
> acl localnet src 192.168.1.0/24
> 
> # These boxes may ONLY access the whitelist.
> acl windows_boxes src 192.168.1.201 192.168.1.202
> 
> acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .ubuntu.com
> 
> # We don't want the whitelist to be cached.
> cache deny whitelist

"store_miss deny whitelist" is the current way to do this.


> 
> # We want direct access on the whitelist.
> always_direct allow whitelist

"DIRECT" access is always allowed; all this does is prevent cache_peer
from being used. You have no cache_peer, so the above line is pointless.

> 
> # Don't redirect to SquidGuard.
> redirector_access deny whitelist

Er. The idea that SquidGuard is redirected *to* is wrong. SG is the
agent _doing_ the redirection.

What the above does is prevent SG having any part of the whitelist
transactions. And redirector_access was deprecated by url_rewrite_access
years ago.

> 
> # We only redirect HTTP and HTTPS.
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still get blocked on these boxes.
> http_access deny windows_boxes !whitelist
> 
> http_access allow localhost
> http_access allow localnet
> 
> http_access deny all
> 
> # We'll intercept traffic using PF.
> http_port 127.0.0.1:3129 intercept
> https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslproxy_cafile /usr/local/openssl/cabundle.file
> 
> # Become a TCP tunnel without decrypting proxied traffic for the whitelist.
> ssl_bump splice whitelist
> ssl_bump peek step1
> ssl_bump bump all
> 
> # We want the query strings as well.
> strip_query_terms off
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
> 
> redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf


redirect_program is deprecated by url_rewrite_program.

Also, SquidGuard is deprecated. Convert basic SG actions into squid.conf
actions where possible. And/or, use ufdbguard as a direct drop-in
replacement that can handle HTTPS and modern Squid helper protocols.

Amos
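As an added illustration (not part of the thread, and not Squid project
documentation), here are the whitelist-related lines of the quoted
squid.conf with only the directive replacements Amos names applied:
"cache deny" becomes "store_miss deny", "redirector_access" becomes
"url_rewrite_access", "redirect_program" becomes "url_rewrite_program",
and the ineffective "always_direct" line is dropped. The domain list is
shortened to a subset of the original whitelist for readability, and the
http_access problem raised in the question is left as it was, since the
reply does not diagnose it.

```conf
# Added example: quoted config with the deprecated directives replaced.
# Domain list is a subset of the original whitelist (for brevity only).
acl whitelist ssl::server_name .mojang.com .minecraft.net .steampowered.com .ubuntu.com
acl windows_boxes src 192.168.1.201 192.168.1.202

# Was: cache deny whitelist
# store_miss deny is the current way to keep whitelist responses out of the cache.
store_miss deny whitelist

# Was: always_direct allow whitelist
# Removed: DIRECT is always allowed, and with no cache_peer the line did nothing.

# Was: redirector_access deny whitelist
# url_rewrite_access keeps the URL-rewrite helper out of whitelist transactions.
url_rewrite_access deny whitelist

# Was: redirect_program ...
# url_rewrite_program is the current directive. SquidGuard itself is
# deprecated; Amos suggests ufdbguard as a drop-in replacement, so the
# helper path here is the one from the original config, kept as a placeholder.
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
```

The remaining lines of the original config (ports, ssl_bump rules,
http_access rules) are unchanged by these substitutions.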

