[squid-users] URL Regex ACLs Don't Evaluate After Bumping

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 1 23:21:24 UTC 2018


On 11/1/18 2:46 PM, Shane Poage wrote:

> I have my proxy configured to bump all traffic so that the
> urlpath_regex ACL can be applied, but it appears to not have any
> effect post-bump.

Your proxy will deny any first post-bump request and close the tunnel
because you deny all CONNECT requests that initiate tunnels. CONNECT
requests do not have a URL path so they will never match your
"http_access allow" rule.

When a CONNECT request is denied by a bumping Squid, that Squid bumps
the tunnel and then denies the very first bumped request on that tunnel,
whatever that request is. This delayed error return is done to deliver
the "access denied" error page to the client -- browsers ignore CONNECT
error responses.


> http_port 3128 ssl-bump \
>   cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=4MB

> ssl_bump bump all

> acl artifactory_repo_filter urlpath_regex ^/artifactory
> http_access allow artifactory_repo_filter
> 
> # And finally deny all other access to this proxy
> http_access deny all

Insert an http_access rule to allow all safe CONNECT requests before you
deny everything else. IIRC, squid.conf.default has an example of how to
do that.

Alex.
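
Putting the advice above into a concrete squid.conf, as an added example that is not part of the original thread and not code from the Squid project: the poster's own directives are kept, and the CONNECT handling that Alex says is missing is inserted before the final deny. The `SSL_ports` and `CONNECT` ACL names follow the ones shipped in squid.conf.default; the `artifactory_host` dstdomain ACL and the host name `artifactory.example.com` are assumptions added here to keep the tunnel permission narrow, and can be dropped if you really want to allow CONNECT to every host on 443 as the reply suggests.

```squid
# Bumping listener, as in the original post
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

ssl_bump bump all

# Names taken from squid.conf.default
acl SSL_ports port 443
acl CONNECT method CONNECT

# Assumed ACL (not in the original post): the only host whose tunnels
# we intend to bump and filter. Remove it from the allow rule below if
# you want CONNECT permitted to any host on an SSL port.
acl artifactory_host dstdomain artifactory.example.com

acl artifactory_repo_filter urlpath_regex ^/artifactory

# http_access is first-match. A CONNECT request has no URL path, so it
# can never match artifactory_repo_filter; without an explicit allow it
# falls through to "deny all", and a bumping Squid then rejects the
# first decrypted request on that tunnel instead of evaluating the
# path filter.
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports artifactory_host

# Requests seen after the bump carry a real path, so this rule now fires.
http_access allow artifactory_repo_filter

# And finally deny all other access to this proxy
http_access deny all
```

The deny on `CONNECT !SSL_ports` is the safe-port check from the default configuration; keep it so that a client cannot use the proxy to open raw tunnels to arbitrary ports. After a change like this, `squid -k parse` will catch syntax errors, and a quick test is `curl -x http://proxy:3128 --cacert /etc/squid/ssl_certs/artifactory_mitm_ca.pem https://artifactory.example.com/artifactory/` followed by the same request with a path outside `/artifactory`, which should now receive Squid's access-denied page rather than a dropped tunnel.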