[squid-users] [EXTERNAL] Re: Ubuntu 18 with Squid 4.11 SSL_BUMP

Anthony Mead ANTHONY_MEAD at progressive.com
Wed Apr 29 20:15:09 UTC 2020


Thanks!  I've re-compiled without the unnecessary flag and restarted the service with a new whitelist; unfortunately I'm getting such a variety of /var/log/squid/access.log messages that I'm not sure what to Google anymore.

I want to deny all access to external sites except http/https github.com, but some sites seem to connect while others don't:

~$ # this is correct
~$ curl http://github.com/
10.0.1.180 TCP_MISS/301 200 GET http://github.com/

~$ # this is correct
~$ curl https://github.com/ 
10.0.1.180 TCP_TUNNEL/200 107323 CONNECT 140.82.114.4:443

~$ # this should deny
~$ curl https://youtube.com/
10.0.1.180 TCP_TUNNEL/200 4844 CONNECT 172.217.15.110:443

~$ # this should deny
~$ curl https://google.com/
10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.2.110:443

~$ # this is denying - but not from squid, but openssl?
~$ curl https://news.ycombinator.com/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443
10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443



On 4/29/20, 2:59 PM, "squid-users on behalf of Amos Jeffries" <squid-users-bounces at lists.squid-cache.org on behalf of squid3 at treenet.co.nz> wrote:

    On 30/04/20 4:10 am, AMead wrote:
    > 1. Compiled Squid 4.11 on Ubuntu 18 T3 EC2 instance:
    > 
    > ./configure \

    ...
    >     --with-openssl \
    >     --enable-ssl \

    "--enable-ssl" is not a Squid build option.

    >     --enable-ssl-crtd
    > 
    > 
    > 2. Initialized the ssl database:
    > 
    > sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db
    > -M 4MB
    > 
    > 
    > 3. I've tried to read through a few similar posts, and got something
    > reasonably working for the allowance, but now it's appearing to allow
    > everything:
    > 
    >> /etc/squid/whitelist.txt
    > *.github.com
    > 

    This is not dstdomain syntax. Remove the "*" character.


    Amos
    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users
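The following is an added example, not configuration from the thread or from the Squid project, of the deny-by-default policy the post is aiming for: only github.com over http and https, everything else refused. It assumes an explicit (forward) proxy, where the client sends CONNECT with the hostname, that the whitelist file is /etc/squid/whitelist.txt as in the post, and that http_port/https_port, the bumping CA and the certificate helper are configured elsewhere in squid.conf. The whitelist entries use dstdomain syntax as Amos describes (no "*"); the same file is reused for an ssl::server_name ACL so that the TLS SNI is checked too.

```conf
# Added example (not from the thread or the Squid project): whitelist-only
# policy for Squid 4.x with ssl_bump. Assumes an explicit forward proxy and
# the file path used in the post; ports, CA and cert helper are set up elsewhere.

# Contents of /etc/squid/whitelist.txt, one dstdomain entry per line.
# There is no "*" wildcard: "github.com" matches that host only, while
# ".github.com" matches github.com and every subdomain (api.github.com, ...).
#   .github.com

acl whitelist     dstdomain        "/etc/squid/whitelist.txt"
# Same names, matched against the TLS SNI (or CONNECT host) rather than the
# request URL, so the TLS stage can be gated by name as well.
acl whitelist_sni ssl::server_name "/etc/squid/whitelist.txt"
acl step1         at_step          SslBump1

# http_access is evaluated for the CONNECT as well as for plain GETs.
# A request that reaches "deny all" is refused and logged as TCP_DENIED/403;
# TCP_TUNNEL/200 in access.log means the CONNECT was allowed and tunnelled.
http_access allow whitelist
http_access deny all

# TLS handling: peek at the ClientHello so the SNI is known, splice
# (pass through untouched) whitelisted servers, close everything else.
ssl_bump peek step1
ssl_bump splice whitelist_sni
ssl_bump terminate all
```

Check the file with `squid -k parse` before reloading. With this policy `curl https://youtube.com/` through the proxy should produce a TCP_DENIED/403 line for the CONNECT instead of TCP_TUNNEL/200. Note that `ssl_bump terminate` closes the connection, so a client that gets past http_access but fails the SNI check sees a TLS error like the SSL_ERROR_SYSCALL above rather than an HTTP 403 page; if you want a readable error page for blocked HTTPS sites you have to `bump` those connections instead, which means the proxy CA must be trusted by the clients.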


