[squid-users] [External] squid-users Digest, Vol 116, Issue 7
Francesco Chemolli
gkinkie at gmail.com
Wed Apr 10 15:43:12 UTC 2024
Have you checked https://www.squid-cache.org/Doc/config/logformat/ ?
There is a note about "logformat referrer", it should be what you are
looking for
On Wed, Apr 10, 2024 at 10:16 PM Bobby Matznick <bmatznick at pbandt.bank>
wrote:
> Question about squid, Debian version 4.13. Looking for a way to log
> referers. I see the way that worked up until version 4, seems this does
> not work anymore. I’m having some trouble finding if anything replaced it
> or if there’s another way to go about this? Here is the old way.
>
> referrer_log /pathname
>
>
>
> Thanks for any help you can provide!
>
>
>
> Bobby
>
>
>
> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On
> Behalf Of *squid-users-request at lists.squid-cache.org
> *Sent:* Friday, April 5, 2024 6:00 AM
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [External] squid-users Digest, Vol 116, Issue 7
>
>
>
>
>
> Today's Topics:
>
> 1. Re: Squid cache questions (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 5 Apr 2024 14:17:16 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid cache questions
> Message-ID: <bef43696-be7f-463b-b82e-d4346abba2a5 at treenet.co.nz>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 4/04/24 17:48, Jonathan Lee wrote:
> > Is there any particular order to squid configuration??
> >
>
> Yes. <https://wiki.squid-cache.org/SquidFaq/OrderIsImportant>
>
>
> > Does this look correct?
> >
>
> Best way to find out is to run "squid -k parse", which should be done
> after upgrades as well to identify and fix changes between versions as
> we improve the output.
>
>
> > I actually get a lot of hits and it functions amazing, so I wanted to
> > share this in case I could improve something. Are there any issues with
> > security?
>
> Yes, the obvious one is "DONT_VERIFY_PEER" disabling TLS security
> entirely on outbound connections. That particular option will prevent
> you even being told about suspicious activity regarding TLS.
>
> Also there are a few weird things in your TLS cipher settings, such as
> this sequence " EECDH+aRSA+RC4:...:!RC4 "
> Which as I understand, enables the EECDH with RC4 hash, but also
> forbids all uses of RC4.
>
>
> > I am concerned that an invasive container could become
> > installed in the cache and data marshal the network card.
> >
>
> You have a limit of 4 MB for objects allowed to pass through this proxy,
> exception being objects from domains listed in the "windowsupdate" ACL
> (not all Windows related) which are allowed up to 512 MB.
>
> For the general case, any type of file which can store an image of some
> system is a risk for that type of vulnerability can be cached.
>
> The place to fix that vulnerability properly is not the cache or Squid.
> It is the OS permissions allowing non-Squid software access to the cache
> files and/or directory.
>
>
>
> > Here is my config
> >
> > # This file is automatically generated by pfSense
> > # Do not edit manually !
>
> Since this file is generated by pfSense there is little that can be done
> about ordering issues and it is very hard to tell which of the problems below
> are due to pfSense and which are due to your settings.
>
> FWIW, there are no major issues, just some lines not being necessary due
> to setting things to their default values, or some blocks already
> denying things that are blocked previously.
>
>
> >
> > http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
> cafile=/usr/local/share/certs/ca-root-nss.crt
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls-dh=prime256v1:/etc/dh-parameters.2048
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> >
> > http_port 127.0.0.1:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
> cert=/usr/local/etc/squid/serverkey.pem
> cafile=/usr/local/share/certs/ca-root-nss.crt
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls-dh=prime256v1:/etc/dh-parameters.2048
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> >
> > https_port 127.0.0.1:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
> cert=/usr/local/etc/squid/serverkey.pem
> cafile=/usr/local/share/certs/ca-root-nss.crt
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls-dh=prime256v1:/etc/dh-parameters.2048
> options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> >
> > icp_port 0
> > digest_generation off
> > dns_v4_first on
> > pid_filename /var/run/squid/squid.pid
> > cache_effective_user squid
> > cache_effective_group proxy
> > error_default_language en
> > icon_directory /usr/local/etc/squid/icons
> > visible_hostname ****
> > cache_mgr ****
> > access_log /var/squid/logs/access.log
> > cache_log /var/squid/logs/cache.log
> > cache_store_log none
> > netdb_filename /var/squid/logs/netdb.state
> > pinger_enable on
> > pinger_program /usr/local/libexec/squid/pinger
> > sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
> /var/squid/lib/ssl_db -M 4MB -b 2048
> > tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
> > tls_outgoing_options capath=/usr/local/share/certs/
> > tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> > tls_outgoing_options
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> > tls_outgoing_options flags=DONT_VERIFY_PEER
> > sslcrtd_children 10
> >
> > logfile_rotate 0
> > debug_options rotate=0
> > shutdown_lifetime 3 seconds
> > # Allow local network(s) on interface(s)
> > acl localnet src 192.168.1.0/27
> > forwarded_for transparent
> > httpd_suppress_version_string on
> > uri_whitespace strip
> >
> > acl getmethod method GET
> >
> > acl windowsupdate dstdomain windowsupdate.microsoft.com
> > acl windowsupdate dstdomain .update.microsoft.com
> > acl windowsupdate dstdomain download.windowsupdate.com
> > acl windowsupdate dstdomain redir.metaservices.microsoft.com
> > acl windowsupdate dstdomain images.metaservices.microsoft.com
> > acl windowsupdate dstdomain c.microsoft.com
> > acl windowsupdate dstdomain www.download.windowsupdate.com
> > acl windowsupdate dstdomain wustat.windows.com
> > acl windowsupdate dstdomain crl.microsoft.com
> > acl windowsupdate dstdomain sls.microsoft.com
> > acl windowsupdate dstdomain productactivation.one.microsoft.com
> > acl windowsupdate dstdomain ntservicepack.microsoft.com
> > acl windowsupdate dstdomain dc1-st.ksn.kaspersky-labs.com
> > acl windowsupdate dstdomain dc1-file.ksn.kaspersky-labs.com
> > acl windowsupdate dstdomain dc1.ksn.kaspersky-labs.com
> >
> > acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com .static.com .apple.com .oracle.com .sun.com .java.com .adobe.com .steamstatic.com .steampowered.com .steamcontent.com .google.com
> >
> > store_id_program /usr/local/libexec/squid/storeid_file_rewrite
> /var/squid/storeid/storeid_rewrite.txt
> > store_id_children 10 startup=5 idle=1 concurrency=0
> > always_direct allow !getmethod
> > store_id_access deny connect
> > store_id_access deny !getmethod
> > store_id_access allow rewritedoms
> > reload_into_ims on
> > max_stale 20 years
> > minimum_expiry_time 0
> >
>
>
> I am not sure how many of these refresh_pattern rules below are written
> by you, copy-pasted from elsewhere, or added automatically by pfsense.
> So how you need to fix the problems here is uncertain.
>
> That said, please consider removing all these override-* and ignore-*.
> <http://www.squid-cache.org/Doc/config/refresh_pattern/>
>
>
> >
> > refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod
> override-expire ignore-reload ignore-no-store ignore-must-revalidate
> ignore-private ignore-auth
> >
> > #APPLE STUFF
> > refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$
> 0 80% 43200 refresh-ims
> >
> > #apple update
> > refresh_pattern -i (download|adcdownload)apple.com/.*.(pkg|dmg) 4320
> 100% 43200
> > refresh_pattern -i appldnld.apple.com 129600 100% 129600
> > refresh_pattern -i phobos.apple.com 129600 100% 129600
> > refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600
> >
> > # Updates: Windows
> > refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$
> 4320 80% 43200 refresh-ims
> > refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$
> 4320 80% 43200 refresh-ims
> > refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$
> 4320 80% 43200 refresh-ims
> > refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 4320 80% 43200
> > refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 4320 80% 43200
> > refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 4320 80% 43200
> > refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
> > refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf)
> 259200 100% 259200
> > refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100%
> 43200
> > refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080
> 100% 43200
> > refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100%
> 43200
> > refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf)
> 4320 100% 43200
> > refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf)
> 4320 100% 43200
> > #windows update NEW UPDATE 0.04
> > refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
> > refresh_pattern
> ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf)
> 4320 100% 43200
> > refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080
> 100% 43200
> > refresh_pattern -i update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 525600 100% 525600
> > refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 525600 100% 525600
> > refresh_pattern -i download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 525600 100% 525600
> > refresh_pattern -i ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)
> 525600 100% 525600
> >
> > refresh_pattern
> ([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).(steampowered|steamcontent).com/.*.*
> 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store
> override-expire override-lastmod
> > refresh_pattern ([^.]+.)?akamai.steamstatic.com/.*.* 43200 100% 43200
> reload-into-ims ignore-reload ignore-no-store override-expire
> override-lastmod
> >
> > refresh_pattern -i ([^.]+.)?adobe.com/.*.(zip|exe) 43200 100% 43200
> reload-into-ims ignore-reload ignore-no-store override-expire
> override-lastmod
> > refresh_pattern -i ([^.]+.)?java.com/.*.(zip|exe) 43200 100% 43200
> reload-into-ims ignore-reload ignore-no-store override-expire
> override-lastmod
> > refresh_pattern -i ([^.]+.)?sun.com/.*.(zip|exe) 43200 100% 43200
> reload-into-ims ignore-reload ignore-no-store override-expire
> override-lastmod
> > refresh_pattern -i ([^.]+.)?oracle.com/.*.(zip|exe|tar.gz) 43200 100%
> 43200 reload-into-ims ignore-reload ignore-no-store override-expire
> override-lastmod
> >
> > refresh_pattern -i appldnld.apple.com 43200 100% 43200 ignore-reload
> ignore-no-store override-expire override-lastmod
> > refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200
> ignore-reload ignore-no-store override-expire override-lastmod
> >
> > refresh_pattern -i ([^.]+.)?google.com/.*.(exe|crx) 10080 80% 43200
> override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200
> override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> >
> > #FACEBOOK
> > refresh_pattern ^http?://*facebook.com/* 10080 80% 43200
> override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> >
> > #FACEBOOK IMAGES
> > refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 10080
> 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 10080 80%
> 43200 override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern -i (facebook.com).(jpg|png|gif) 10080 80% 43200
> store-stale override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 10080 80% 43200
> override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 10080 80%
> 43200 override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> >
> > #FACEBOOK VIDEO
> > refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80%
> 43200 override-expire override-lastmod ignore-no-cache ignore-reload
> reload-into-ims ignore-private
> > refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200 override-expire
> override-lastmod ignore-no-cache ignore-reload reload-into-ims
> ignore-private
> >
> >
> > range_offset_limit 512 MB windowsupdate
> > maximum_object_size 512 MB windowsupdate
> > range_offset_limit 0
> > quick_abort_min -1 KB
> >
> > cache_mem 64 MB
> > maximum_object_size_in_memory 256 KB
> > memory_replacement_policy heap LFUDA
> > cache_replacement_policy heap LFUDA
> > minimum_object_size 0 KB
> > maximum_object_size 4 MB
> > cache_dir diskd /var/squid/cache 64000 256 256
> > offline_mode off
> > cache_swap_low 90
> > cache_swap_high 95
> > acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
> > cache deny donotcache
> > cache allow all
> > # Add any of your own refresh_pattern entries above these.
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> >
> > #Remote proxies
> >
> >
> > # Setup some default acls
> > # ACLs all, manager, localhost, and to_localhost are predefined.
> > acl allsrc src all
> > acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080
> 3128 3129 1025-65535
> > acl sslports port 443 563 8080 5223 2197
> >
> > acl purge method PURGE
> > acl connect method CONNECT
> >
> > # Define protocols used for redirects
> > acl HTTP proto HTTP
> > acl HTTPS proto HTTPS
> >
> > # SslBump Peek and Splice
> > # http://wiki.squid-cache.org/Features/SslPeekAndSplice
> > # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> > # Match against the current step during ssl_bump evaluation [fast]
> > # Never matches and should not be used outside the ssl_bump context.
> > #
> > # At each SslBump step, Squid evaluates ssl_bump directives to find
> > # the next bumping action (e.g., peek or splice). Valid SslBump step
> > # values and the corresponding ssl_bump evaluation moments are:
> > # SslBump1: After getting TCP-level and HTTP CONNECT info.
> > # SslBump2: After getting TLS Client Hello info.
> > # SslBump3: After getting TLS Server Hello info.
> > # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
> > # they can be used there for custom configuration.
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> > acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
> > acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> > acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
> > http_access allow manager localhost
> >
> > # Allow external cache managers
> > acl ext_manager src 192.168.1.1
> > acl ext_manager src 127.0.0.1
> > http_access allow manager ext_manager
> >
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !safeports
> > http_access deny CONNECT !sslports
> >
> > # Always allow localhost connections
> > http_access allow localhost
> >
> > quick_abort_min 0 KB
> > quick_abort_max 0 KB
> > quick_abort_pct 95
> > request_body_max_size 0 KB
> > delay_pools 1
> > delay_class 1 2
> > delay_parameters 1 -1/-1 -1/-1
> > delay_initial_bucket_level 100
> > delay_access 1 allow allsrc
> >
> > # Reverse Proxy settings
> >
> > deny_info TCP_RESET allsrc
> >
> > # Package Integration
> > url_rewrite_program /usr/local/bin/squidGuard -c
> /usr/local/etc/squidGuard/squidGuard.conf
> > url_rewrite_bypass off
> > url_rewrite_children 32 startup=8 idle=4 concurrency=0
> >
>
> Squidguard is very outdated. You should upgrade to its successor
> ufdbguard if possible.
>
>
>
> > # Custom options before auth
> > #host_verify_strict on
> >
> > # These hosts are banned
> > http_access deny banned_hosts
> > # Always allow access to whitelist domains
> > http_access allow whitelist
> > # Block access to blacklist domains
> > http_access deny blacklist
> > # List of domains allowed to logging in to Google services
> > request_header_access X-GoogApps-Allowed-Domains deny all
> > request_header_add X-GoogApps-Allowed-Domains consumer_accounts
> > # Set YouTube safesearch restriction
> > acl youtubedst dstdomain -n www.youtube.com m.youtube.com
> youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
> > request_header_access YouTube-Restrict deny all
> > request_header_add YouTube-Restrict none youtubedst
> > acl sglog url_regex -i sgr=ACCESSDENIED
> > http_access deny sglog
> > # Custom SSL/MITM options before auth
> > acl manager proto cache_object
> > acl localhost src 192.168.1.1/32
> > #cachemgr_passwd disable offline_toggle reconfigure shutdown
> > #cachemgr_passwd secret all
> > acl https_login url_regex -i ^https.*(login|Login).*
> > acl no_miss url_regex -i ^.*gateway.facebook.com/ws/realtime?
> > acl no_miss url_regex -i ^.*web-chat-e2ee.facebook.com/ws/chat
> > acl CONNECT method CONNECT
> > acl wuCONNECT dstdomain www.update.microsoft.com
> > acl wuCONNECT dstdomain sls.microsoft.com
> > http_access allow CONNECT wuCONNECT localnet
> > http_access allow CONNECT wuCONNECT localhost
> > http_access allow windowsupdate localnet
> > http_access allow windowsupdate localhost
> > http_access deny manager
> >
> > acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
> > acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> > sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
> > sslproxy_cert_error deny all
> >
> > acl splice_only src 192.168.1.8 #Tasha iPhone
> > acl splice_only src 192.168.1.10 #Jon iPhone
> > acl splice_only src 192.168.1.11 #Amazon Fire
> > acl splice_only src 192.168.1.15 #Tasha HP
> > acl splice_only src 192.168.1.16 #iPad
> >
> > acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.nobump'
> >
> > acl markBumped annotate_client bumped=true
> > acl bump_only src 192.168.1.3 #webtv
> > acl bump_only src 192.168.1.4 #toshiba
> > acl bump_only src 192.168.1.5 #imac
> > acl bump_only src 192.168.1.9 #macbook
> > acl bump_only src 192.168.1.13 #dell
> >
>
> You have a previous "cache allow all". This below rule does nothing.
>
> > cache deny https_login
> >
> > ssl_bump peek step1
> > miss_access deny no_miss
> > ssl_bump splice https_login
> > ssl_bump splice splice_only
> > ssl_bump splice NoSSLIntercept
> > ssl_bump bump bump_only markBumped
> > ssl_bump stare all
> >
> > acl markedBumped note bumped true
> > url_rewrite_access deny markedBumped
> >
> > http_access deny all
> > read_ahead_gap 32 KB
> > negative_ttl 1 second
> > connect_timeout 30 seconds
> > request_timeout 60 seconds
> > half_closed_clients off
> > shutdown_lifetime 10 seconds
> > negative_dns_ttl 1 seconds
> > ignore_unknown_nameservers on
> > pipeline_prefetch 100
> >
> > #acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
> > #ssl_bump bump SSLIntercept
> >
>
> You already have an earlier "http_access deny all". The below lines do
> nothing.
>
> > # Setup allowed ACLs
> > # Allow local network(s) on interface(s)
> > http_access allow localnet
> > # Default block all to be sure
> > http_access deny allsrc
> >
>
>
> HTH
> Amos
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 116, Issue 7
> *******************************************
>
>
>
--
Francesco
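The thread raises four things a reviewer would check in a squid.conf before trusting it: a leftover referrer_log directive (removed; the replacement is a "logformat referrer" line plus an access_log that uses it), DONT_VERIFY_PEER on tls_outgoing_options, a cipher list that enables RC4 in one entry and removes it with !RC4 in another (OpenSSL's "!" removes an algorithm permanently regardless of position, so the enabling entry is dead), and "cache"/"http_access" rules placed after a line that already matches everything. The linter below is an added example written for this page; it is not part of Squid, pfSense or anyone's post. The sample configuration it scans is constructed to mirror the quoted one, and the check for catch-all rules only recognises the predefined "all" ACL (a user-defined ACL such as "allsrc" is not followed).

```python
"""Lint a squid.conf for the problems discussed in the thread (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling the quoted configuration (not a real file).
SAMPLE_CONF = """\
# assumed sample squid.conf
referrer_log /var/squid/logs/referrer.log
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options flags=DONT_VERIFY_PEER
acl https_login url_regex -i ^https.*(login|Login).*
acl localnet src 192.168.1.0/27
cache allow all
cache deny https_login
http_access allow localhost
http_access deny all
http_access allow localnet
"""

Finding = Tuple[int, str]  # (line number, message)

# Directives that accept key=value options including cipher= and flags=.
TLS_DIRECTIVES = {"tls_outgoing_options", "http_port", "https_port"}
# First-match directives where a catch-all line makes later lines unreachable.
FIRST_MATCH_DIRECTIVES = {"http_access", "cache"}

REFERRER_FIX = ("referrer_log was removed in Squid 3.2; use "
                "'logformat referrer %ts.%03tu %>a %{Referer}>h %ru' and "
                "'access_log <path> referrer'")


def check_cipher_string(cipher: str) -> List[str]:
    """Return algorithms that are both enabled by a positive entry and
    permanently removed by a '!' entry in an OpenSSL cipher list."""
    parts = cipher.split(":")
    removed = {p[1:] for p in parts if p.startswith("!")}
    enabled = set()
    for p in parts:
        if p[:1] in ("!", "-", "+"):
            continue  # '-' and '+' reorder/remove non-permanently; ignore
        enabled.update(p.split("+"))
    return sorted(enabled & removed)


def lint_squid_conf(text: str) -> List[Finding]:
    """Scan squid.conf text and return (line, message) findings in file order."""
    findings: List[Finding] = []
    catch_all_at: Dict[str, int] = {}  # directive -> line of its 'allow/deny all'
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Squid treats '#' at line start or after whitespace as a comment.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        words = line.split()
        directive, args = words[0], words[1:]

        if directive == "referrer_log":
            findings.append((lineno, REFERRER_FIX))

        elif directive in TLS_DIRECTIVES:
            for arg in args:
                key, _, value = arg.partition("=")
                if key == "flags" and "DONT_VERIFY_PEER" in value.split(","):
                    findings.append((lineno, "DONT_VERIFY_PEER disables "
                                     "certificate verification on outbound TLS"))
                elif key == "cipher":
                    for alg in check_cipher_string(value):
                        findings.append((lineno, f"cipher list enables {alg} "
                                         f"but !{alg} removes it; the enabling "
                                         "entry is dead"))

        elif directive in FIRST_MATCH_DIRECTIVES:
            if directive in catch_all_at:
                findings.append((lineno, f"{directive} rule is unreachable: "
                                 f"line {catch_all_at[directive]} already "
                                 "matches everything"))
            elif (len(args) == 2 and args[0] in ("allow", "deny")
                  and args[1] == "all"):
                catch_all_at[directive] = lineno
    return findings


if __name__ == "__main__":
    for ln, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {ln}: {msg}")
```

Run it against a real file with `lint_squid_conf(open("/etc/squid/squid.conf").read())`; it complements rather than replaces `squid -k parse`, which validates syntax but does not reason about rule reachability or contradictory cipher lists.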