[squid-users] How to perform regex only after Squid knows the full url with SslBump
laviier
laviier at gmail.com
Fri Mar 20 21:48:49 UTC 2020
Hi,
I have a use case that I want to access a certain URL path of a domain but
not other. i.e. I want client to be able to access example.com/abc/login,
but not other paths.
Hence, I created ACL rule to achieve that, see below:
```
acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
acl http port 80
acl https port 443
acl connect method CONNECT
http_access allow all to_domain_whitelist
http_access deny all
http_reply_access allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step3
ssl_bump bump all
```
However the above code does not work properly, the URL regex matching
happens before Squid performs decryption so that it can only match against
the host name instead of full URL path. I wonder if there's a way to perform
the URL regex only after Squid knows the full url with SslBump? Below is a
briefing of the log. Thank you so much!!!!
```
---------
CONNECT example.com:443 HTTP/1.1
Host: example.com:443
User-Agent: curl/7.54.0
Proxy-Connection: Keep-Alive
X-Forwarded-For: xx.xxx.xx.xx
----------
...
2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
to_domain_whitelist = 0
2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last
ACL checked: all
...
---------
GET /abc/login HTTP/1.1
Host: example.com
User-Agent: curl/7.54.0
Accept: */*
----------
....
```
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
More information about the squid-users
mailing list