[squid-users] Whitelist ONLY exception isn't working correctly

Martin Hanson greencoppermine at yandex.com
Mon May 14 00:49:19 UTC 2018 

I have enabled debugging and found something quite strange.

In order to better debug I have limited the whitelist to two domains, one HTTP and one with HTTPS:

acl whitelist ssl::server_name .ubuntu.com .sundkat.dk

When I go to http://www.sundkat.dk, which is a HTTP domain, I get the following:

2018/05/14 02:42:49.859 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request GET http://www.sundkat.dk/ is ALLOWED; last ACL checked: whitelist

But when I go to https://www.ubuntu.com, I get the following:

2018/05/14 02:43:44.262 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 91.189.89.103:443 is DENIED; last ACL checked: all

It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working. But this is ONLY for the "windows_boxes", for everything else it's working as it should.

I don't understand what's going on here.

I am re-posting my entire squid.conf here again just to keep things complete:

<SNIP>
debug_options ALL,2

max_filedesc 4096

acl step1 at_step SslBump1
acl localnet src 192.168.1.2-192.168.1.200

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .ubuntu.com .sundkat.dk

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# THIS ISN'T WORKING!!!
http_access allow windows_boxes whitelist

http_access allow localhost
http_access allow localnet

http_access deny all

# We'll intercept trafic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Kind regards.

More information about the squid-users mailing list