[squid-users] regex for normal websites

ngtech1ltd at gmail.com
Fri Aug 5 11:35:23 UTC 2022


OK Robert,
 
I have seen the issue you were having, and indeed it’s because Cloudflare understands that there is some kind of MITM in the path.
It’s good, but there should be a way to allow such a MITM from the Cloudflare side.
I believe that the Cloudflare client should have the ability to allow or disallow a MITM such as Squid, to allow caching on the path.
However, in this specific case EpicGames, like Microsoft, transfers its actual updates over HTTP and allows caching, so it’s OK.
 
The following squid.conf is working, but I have not tested it with squidGuard on.
I can test it with squidGuard next week:
## START
workers 2
 
visible_hostname can-proxy-1
forwarded_for delete
via off
host_verify_strict off
client_dst_passthru on
read_ahead_gap 64 MB
shutdown_lifetime 10 seconds
 
acl fetched_certificate transaction_initiator certificate-fetching
 
acl deny_note note verdict deny
 
acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
acl dst_quixel ssl::server_name .epicgames.com epicgames-download1.akamaized.net .unrealengine.com
acl dst_quixel_dstdomain dstdomain .epicgames.com epicgames-download1.akamaized.net .unrealengine.com
 
acl Bump_server_name ssl::server_name "/etc/squid/ssl-bump-server-name.list"
 
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
 
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
 
acl tls_to_splice any-of NoBump_server_name
acl tls_to_bump any-of Bump_server_name
 
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
 
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
 
http_access deny !Safe_ports
 
http_access deny CONNECT !SSL_ports
 
http_access allow localhost manager
http_access deny manager
 
http_access allow fetched_certificate
http_access allow localnet dst_quixel_dstdomain
 
http_access allow localnet
http_access allow localhost
 
http_access deny all
 
http_port 3128 ssl-bump dynamic_cert_mem_cache_size=16MB generate-host-certificates=on cert=/etc/squid/certs/squid-ca-cert-key.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl -M 16MB
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE
 
# Step 1 (the CONNECT request): peek, so the client's TLS ClientHello and
# its SNI are available to the ssl::server_name ACLs evaluated at step 2.
ssl_bump peek tls_s1_connect
 
# Bump transactions that a helper has annotated with verdict=deny, so the
# block page can be served inside the TLS session.
ssl_bump bump deny_note
 
# Splice (tunnel without decrypting) the Epic/Unreal hosts and everything in
# the no-bump list; the origin's own certificate reaches the client unchanged.
ssl_bump splice dst_quixel
ssl_bump splice tls_to_splice
 
# Step 2: stare at the server certificate so the remaining hosts can still
# be bumped at step 3 with a mimicked certificate.
ssl_bump stare tls_s2_client_hello
 
ssl_bump bump tls_to_bump
# Connections matching none of the rules above are spliced (Squid's default
# when no ssl_bump rule matches), so only hosts in the bump list are decrypted.
 
strip_query_terms off
 
coredump_dir /var/spool/squid
 
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
## END
 
Let me know if this gives enough details for you to understand how to implement it.
By the way, a great proxy config you’ve got there.
 
Demo of the diff:
https://cloud1.ngtech.co.il/static/squid-data/splice-epic-games-1.mp4
 
And a support-save of the setup:
https://cloud1.ngtech.co.il/static/squid-data/support-save-2022-08-05_14-16-59.tar.gz
 
I have used the latest NgTech Squid 5.6 RPMs from my repo.
 
Let me know if you need more assistance with your setup.
 
Yours,
Eliezer
 
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
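The thread turns on how Squid's dotted domain patterns and the regex form Amos suggested (`(^|\.)adobe\.com$`) relate, and the `ssl::server_name` lists in the config above rely on the same rule. The following is an added example, not code from the thread or from Squid itself: a small Python reimplementation of the dstdomain / `ssl::server_name` leading-dot semantics, a converter that derives the equivalent `ssl::server_name_regex` pattern, and a check of both against a sloppy suffix-only regex on constructed hostnames. Function names and the sample host list are this example's own assumptions.

```python
r"""Added example (not from the squid-users thread or from Squid's own code).

Reimplements how Squid's dstdomain / ssl::server_name ACLs interpret a
leading dot (".adobe.com" covers adobe.com and its subdomains, while
"www.adobe.com" is an exact host), derives the regex form (^|\.)adobe\.com$
from it, and shows why a suffix-only regex such as adobe\.com$ is unsafe in
a splice/allow list. Function names and the host list are constructed here.
"""
import re


def domain_acl_matches(pattern: str, host: str) -> bool:
    """Match `host` the way Squid's dstdomain / ssl::server_name ACL does.

    A pattern starting with '.' matches the apex domain itself and any
    subdomain of it; a pattern without a leading dot matches that exact
    host only. Hostnames are compared case-insensitively.
    """
    host = host.lower()
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def domain_to_regex(pattern: str) -> str:
    r"""Return the ssl::server_name_regex equivalent of a dotted pattern.

    '.adobe.com'    -> (^|\.)adobe\.com$   (apex plus subdomains)
    'www.adobe.com' -> ^www\.adobe\.com$   (exact host)
    Squid regex ACLs are case-sensitive unless given the -i flag, so the
    caller decides how to compile the result.
    """
    if pattern.startswith("."):
        return r"(^|\.)" + re.escape(pattern[1:]) + "$"
    return "^" + re.escape(pattern) + "$"


# Constructed hostnames for the comparison; the last three are look-alikes
# that must NOT be treated as adobe.com by a splice/allow rule.
SAMPLE_HOSTS = [
    "adobe.com",
    "www.adobe.com",
    "CDN.Adobe.COM",
    "notadobe.com",             # different registrable domain
    "adobe.com.evil.example",   # adobe.com as a prefix, not the domain
    "adobecom",
]

# A suffix-only regex, constructed here to show the pitfall it introduces.
SLOPPY_REGEX = re.compile(r"adobe\.com$", re.IGNORECASE)


def compare(hosts):
    """Per host: (host, dotted-ACL verdict, derived-regex verdict, sloppy-regex verdict)."""
    derived = re.compile(domain_to_regex(".adobe.com"), re.IGNORECASE)
    return [
        (h,
         domain_acl_matches(".adobe.com", h),
         bool(derived.search(h)),
         bool(SLOPPY_REGEX.search(h)))
        for h in hosts
    ]


def sloppy_false_positives(hosts):
    """Hosts the suffix-only regex would splice/allow although the dotted ACL does not."""
    return [h for h, acl, _, sloppy in compare(hosts) if sloppy and not acl]


if __name__ == "__main__":
    for row in compare(SAMPLE_HOSTS):
        print("%-26s dotted=%-5s regex=%-5s sloppy=%s" % row)
    print("sloppy-only matches:", sloppy_false_positives(SAMPLE_HOSTS))
```

The dotted ACL and the derived regex agree on every host, while the suffix-only regex additionally accepts `notadobe.com`; in a `tls_to_splice`-style list that would exempt an unrelated domain from inspection, which is why the `(^|\.)` prefix matters. The same applies to the dstdomain ACL in the config above: `.epicgames.com` covers `epicgames.com` and its subdomains and nothing else.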
 
From: robert k Wild <robertkwild at gmail.com> 
Sent: Friday, 5 August 2022 13:24
To: Eliezer Croitoru <ngtech1ltd at gmail.com>
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] regex for normal websites
 
Wow, thanks Eliezer so much for that video; that website looks awesome, I’ve bookmarked it already.
 
On Thu, 4 Aug 2022 at 09:59, <ngtech1ltd at gmail.com> wrote:
Hey Robert,
 
I recorded this video for you:
https://cloud1.ngtech.co.il/static/squid-data/regex-for-robert.mp4
 
This is what I did when I reviewed the question.
I hope it will help you and others use this tool:
https://rubular.com/
 
and squid.
 
If you have any question regarding regex, we welcome every question here.
 
All the best, and hope this helps,
Eliezer
 
 
----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/
 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of robert k Wild
Sent: Wednesday, 3 August 2022 14:52
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] regex for normal websites
 
Thanks Amos for this, greatly appreciated.
 
On Wed, 3 Aug 2022 at 09:35, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
On 03.08.22 14:12, Amos Jeffries wrote:
>IMO, what you are looking for is actually this ACL definition:
>
> acl adobe ssl::server_name .adobe.com
>
>or its regex equivalent,
>
> acl adobe ssl::server_name_regex (^|\.)adobe\.com$

this is what I was searching for. Squid FAQ says:

https://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains

www.example.com matches the exact host www.example.com, while .example.com
matches the entire domain example.com (including example.com alone)


but I wasn't sure if this matching also applies to ssl::server_name.

thanks
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


-- 
Regards, 

Robert K Wild.


-- 
Regards, 

Robert K Wild.