[squid-users] How to perform regex only after Squid knows the full url with SslBump

laviier laviier at gmail.com
Fri Mar 20 21:48:49 UTC 2020


I have a use case in which I want to access a certain URL path of a domain but
not others, i.e. I want the client to be able to access example.com/abc/login,
but not other paths.

Hence, I created an ACL rule to achieve that, see below:

acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
acl http port 80
acl https port 443
acl connect method CONNECT

http_access allow all to_domain_whitelist
http_access deny all

http_reply_access allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step3
ssl_bump bump all

However, the above code does not work properly: the URL regex matching
happens before Squid performs decryption, so it can only match against
the host name instead of the full URL path. I wonder if there's a way to perform
the URL regex only after Squid knows the full URL with SslBump? Below is a
brief excerpt of the log. Thank you so much!!!!

CONNECT example.com:443 HTTP/1.1
Host: example.com:443
User-Agent: curl/7.54.0
Proxy-Connection: Keep-Alive
X-Forwarded-For: xx.xxx.xx.xx

2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked: to_domain_whitelist = 0
2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last ACL checked: all

GET /abc/login HTTP/1.1
Host: example.com
User-Agent: curl/7.54.0
Accept: */*

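An added example, not part of the original post and not the Squid project's own configuration: Squid evaluates http_access once for the CONNECT request, when only example.com:443 is known, and again for every request decrypted by SslBump, so the host check and the path check can be written as separate rules. The ACL names CONNECT, https_port, allowed_host and allowed_url are assumptions, as is the regex for the path; the ssl_bump rules are left as in the post.

```conf
# Added example; ACL names and the regex below are assumptions.

# Pass 1: the CONNECT request. Only host:port is visible at this point,
# so this rule checks the destination host and port, never a URL path.
acl CONNECT method CONNECT
acl https_port port 443
acl allowed_host dstdomain example.com
http_access allow CONNECT https_port allowed_host

# Pass 2: each request decrypted after bumping. The full URL
# (https://example.com/abc/login) is now available to url_regex.
# The trailing group accepts an optional query string and nothing else.
acl allowed_url url_regex ^https://example\.com/abc/login(\?|$)
http_access allow allowed_url

# Everything else is refused, including other paths on example.com,
# because a bumped GET is not a CONNECT and does not match pass 1.
http_access deny all
```

Allowing the CONNECT only admits the tunnel into SslBump; requests inside it are still denied unless they match allowed_url, so the whitelist stays as narrow as the single path.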