[squid-users] How to perform regex only after Squid knows the full url with SslBump

laviier laviier at gmail.com
Mon Mar 23 15:20:30 UTC 2020


Thank you for the suggestion!

I did think of allowing the domain name first during CONNECT phase, and
then the full URL after connection established. However, other paths under
the same site won't be blocked.

i.e. I can ask Squid to let example.com pass through during CONNECT, and
then let example.com/abc/login pass through after connection established.
However, this will let other paths of example.com pass Squid too (such as
example.com/not_to_pass) because it passes the ACL check during CONNECT
phase.



On Sun, Mar 22, 2020 at 11:19 AM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 3/20/20 5:48 PM, laviier wrote:
> > Hi,
> >
> > I have a use case that I want to access a certain URL path of a domain
> > but not other. i.e. I want client to be able to access example.com/abc/login,
> > but not other paths.
> >
> > Hence, I created ACL rule to achieve that, see below:
> >
> > ```
> > acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> > acl http port 80
> > acl https port 443
> > acl connect method CONNECT
> >
> > http_access allow all to_domain_whitelist
> > http_access deny all
> >
> > http_reply_access allow all
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> >
> > ssl_bump peek step3
> > ssl_bump bump all
> > ```
> >
> > However the above code does not work properly, the URL regex matching
> > happens before Squid performs decryption so that it can only match against
> > the host name instead of full URL path. I wonder if there's a way to perform
> > the URL regex only after Squid knows the full url with SslBump? Below is a
> > briefing of the log. Thank you so much!!!!
> > ```
> > ---------
> > CONNECT example.com:443 HTTP/1.1
> > Host: example.com:443
> > User-Agent: curl/7.54.0
> > Proxy-Connection: Keep-Alive
> > X-Forwarded-For: xx.xxx.xx.xx
> > ----------
> > ...
> > 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
> > to_domain_whitelist = 0
> > 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
> > clientAccessCheckDone: The request CONNECT example.com:443 is DENIED;
> > last ACL checked: all
> > ...
>
> If you want to make allow/deny decision based on individual request
> URLs, your http_access rules must allow the CONNECT request. Once Squid
> establishes (and bumps) the CONNECT tunnel, it will start processing
> individual requests and apply http_access rules to each of them.
>
> To allow a CONNECT request, do not use regular URL syntax because
> CONNECT requests use a different URI syntax. Sorry, I do not know
> whether a url_regex ACL can be used for CONNECT URIs, but you can use
> other ACLs if/as needed, of course.
>
>
> HTH,
>
> Alex.
>
>
> > ---------
> > GET /abc/login HTTP/1.1
> > Host: example.com
> > User-Agent: curl/7.54.0
> > Accept: */*
> > ----------
> > ....
> > ```
> >
> >
> >
>
>
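The two-stage evaluation Alex describes, written out as a squid.conf fragment. This is an added example, not the original poster's configuration and not something taken from the Squid project; the listening port, the CA file and the `bump_sites`/`allowed_urls` ACL names are assumptions, and it peeks at step 1 rather than step 3, which is the usual order for peek-then-bump. The point it shows is that the CONNECT request and the requests inside the bumped tunnel are separate http_access decisions: the CONNECT line only carries `example.com:443` (authority form, no scheme, no path), so it is matched with `dstdomain`, while the `url_regex` only becomes meaningful on the decrypted `GET /abc/login` that Squid sees after bumping, where a request for `/not_to_pass` falls through to `deny all`.

```conf
# Added example (not the poster's config). Assumes Squid 4.x built with
# OpenSSL and a CA you generated for bumping; adjust paths and ports.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Stage 1: the CONNECT request. Squid only knows host:port here, so the
# decision is "may this client open a tunnel to this site at all".
acl bump_sites dstdomain example.com
http_access allow CONNECT bump_sites
http_access deny CONNECT

# Peek at the TLS ClientHello on step 1, then bump. Bumping is what turns
# the opaque tunnel into individual requests that Squid can inspect and
# run through http_access a second time.
ssl_bump peek step1
ssl_bump bump all

# Stage 2: each decrypted request inside the tunnel. Now the full URL
# (scheme, host, path) is known, so the path regex applies. A request for
# https://example.com/not_to_pass reaches this stage and is denied.
acl allowed_urls url_regex ^https://example\.com/abc/login(\?|$)
http_access allow allowed_urls
http_access deny all

http_reply_access allow all
```

When stage 2 denies a request, the client receives Squid's error page over the bumped TLS session, so the client must trust the bumping CA to see that page rather than a certificate error; with `curl` that means `--cacert /etc/squid/bump-ca.pem` (assumed path) alongside `-x`. The `dstdomain` ACL is also what keeps unrelated sites out: a CONNECT to any other host is refused before any tunnel exists.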

