[squid-users] How to perform regex only after Squid knows the full url with SslBump

Alex Rousskov rousskov at measurement-factory.com
Sun Mar 22 15:19:00 UTC 2020


On 3/20/20 5:48 PM, laviier wrote:
> Hi,
> 
> I have a use case in which I want to access a certain URL path of a domain but
> not others, i.e. I want the client to be able to access example.com/abc/login,
> but not other paths.
> 
> Hence, I created ACL rule to achieve that, see below:
> 
> ```
> acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> acl http port 80
> acl https port 443
> acl connect method CONNECT
> 
> http_access allow all to_domain_whitelist
> http_access deny all
> 
> http_reply_access allow all
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> ssl_bump peek step3
> ssl_bump bump all
> ```
> 
> However, the above configuration does not work properly: the URL regex matching
> happens before Squid performs decryption, so it can only match against
> the host name instead of the full URL path. I wonder if there's a way to perform
> the URL regex only after Squid knows the full URL with SslBump? Below is a
> briefing of the log. Thank you so much!!!!
> ```
> ---------
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> X-Forwarded-For: xx.xxx.xx.xx
> ----------
> ...
> 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
> to_domain_whitelist = 0
> 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
> clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last
> ACL checked: all
> ...

If you want to make allow/deny decision based on individual request
URLs, your http_access rules must allow the CONNECT request. Once Squid
establishes (and bumps) the CONNECT tunnel, it will start processing
individual requests and apply http_access rules to each of them.

To allow a CONNECT request, do not use regular URL syntax because
CONNECT requests use a different URI syntax. Sorry, I do not know
whether a url_regex ACL can be used for CONNECT URIs, but you can use
other ACLs if/as needed, of course.


HTH,

Alex.


> ---------
> GET /abc/login HTTP/1.1
> Host: example.com
> User-Agent: curl/7.54.0
> Accept: */*
> ----------
> ....
> ```
> 
> 
> 

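The rule ordering Alex describes, written out as an added squid.conf fragment (this is not Alex's or laviier's configuration): the CONNECT tunnel to the whitelisted domain is allowed by dstdomain rather than url_regex, the tunnel is bumped, and only then is the per-request url_regex evaluated against the decrypted https:// URL. It assumes an explicit (non-intercepting) proxy whose http_port already has ssl-bump and a signing CA configured, and the ACL names and the example.com path are placeholders chosen for illustration.

```conf
# Request method and ACL definitions (names chosen for this example)
acl CONNECT method CONNECT
acl bump_domain dstdomain example.com
# After bumping, Squid sees the full URL in the form https://host/path,
# so the regex must be anchored on the https:// scheme, not on a bare path.
acl allowed_path url_regex ^https://example\.com/abc/login
acl step1 at_step SslBump1

# 1. Let the CONNECT request for the whitelisted domain through, otherwise
#    Squid denies the tunnel before it can decrypt anything (this is the
#    "CONNECT example.com:443 is DENIED" seen in the log).
http_access allow CONNECT bump_domain

# 2. Once the tunnel is bumped, every decrypted GET/POST inside it is checked
#    against http_access again; only the whitelisted path gets through and
#    any other path on example.com receives a 403 inside the tunnel.
http_access allow allowed_path
http_access deny all

# 3. Peek at the TLS ClientHello (server name) first, then bump so that the
#    individual requests become visible to the rules in step 2.
ssl_bump peek step1
ssl_bump bump all
```

Any CONNECT to a host other than the whitelisted domain still falls through to `http_access deny all`, so the tunnel itself is refused there.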