<div dir="ltr">
<div>Hello,</div>
<div><br></div>
<div>I am attempting to terminate https traffic based on ACLs using ssl_bumping WITHOUT decrypting the traffic in intercept/transparent mode. Has anyone got this to work before? I have copied my configuration and what my iptables nat rules look like.</div>
<div><br></div>
<div>I am using squid 3.5.13 with the following compile options:</div>
<pre>
Squid Cache: Version 3.5.12
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--datadir=/share/squid3' '--sysconfdir=/etc/squid3' '--with-default-user=proxy' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-openssl' '-enable-ssl-crtd' '--enable-icap-client' '--with-large-files' --enable-ltdl-convenience
</pre>
<div><br></div>
<div>squid.conf:</div>
<pre>
acl social dstdomain .google.com .facebook.com .reddit.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump stare step2 all
ssl_bump terminate social
acl localnet src 192.168.50.0/24
acl SSL_ports port 443
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 1025-65535      # unregistered ports
acl Safe_ports port 280             # http-mgmt
acl Safe_ports port 488             # gss-http
acl Safe_ports port 591             # filemaker
acl Safe_ports port 777             # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 transparent
https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
cache_dir ufs /cache/squid3/spool 100 16 256
access_log syslog:local5.info squid
coredump_dir /var/spool/squid3
url_rewrite_program /usr/bin/squidGuard -c /cache/config/daemons/squidguard/squidGuard.conf
url_rewrite_children 15
url_rewrite_access allow all
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
</pre>
<div><br></div>
<div>iptables -L -v -t nat (only relevant rules):</div>
<pre>
Chain PREROUTING (policy ACCEPT 1083 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination
  157  9420 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:https to:192.168.11.1:3129


Chain PREROUTING-daemon-tcp (1 references)
 pkts bytes target     prot opt in     out     source               destination
  443 26580 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http /* 7:PFD::CF-3128 */ to:192.168.11.1:3128
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere             tcp dpt:http /* 8:PFD::CF-3128 */ to:172.17.0.1:3128
</pre>
<div><br></div>
<div>Right now I can't get it to terminate ANY https traffic. All it does is allow it through.</div>
<div>Any and all help would be greatly appreciated!</div>
<div><br></div>
<div>~ Extremely Confused Squid User ~</div>
</div>
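<p>Added example (not from the original post and not Squid's own code): a small Python model of what an ssl_bump ACL can actually see at each SslBump step, built around a TLS ClientHello that is constructed inline rather than captured. In intercept mode, step 1 knows only the TCP destination (an IP address and port 443), so a <code>dstdomain</code> ACL such as <code>social</code> has no server name to match there and will not normally match a bare IP; the name only arrives at step 2, in the ClientHello's SNI extension, and only if a <code>peek</code> (or <code>stare</code>) rule at step 1 told Squid to read it. In the configuration above neither rule can match at step 1 (<code>step2</code> is false, and the IP carries no domain name), and Squid 3.5's default for a step with no matching ssl_bump rule is to splice, i.e. to tunnel the connection without decrypting it, which is consistent with "all it does is allow it through". The arrangement in the Squid wiki's peek-and-splice examples for SNI-based blocking is <code>ssl_bump peek step1</code>, then <code>ssl_bump terminate social</code>, then <code>ssl_bump splice all</code>. Below, <code>extract_sni</code> pulls the host name out of the ClientHello without decrypting anything, <code>dstdomain_match</code> reproduces the leading-dot semantics of Squid's <code>dstdomain</code>, and <code>decide_at_step2</code> is a deliberately simplified stand-in (an assumption, not Squid's evaluator) for the step-2 first-match decision.</p>

```python
import struct

# Assumed sample data: the poster's 'social' list; ClientHellos are constructed below, not captured.
SOCIAL = [".google.com", ".facebook.com", ".reddit.com"]


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello record carrying one SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0), length, name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry        # ServerNameList length prefix
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # extension type server_name(0)
    body = (
        b"\x03\x03"                        # client_version TLS 1.2
        + bytes(32)                        # random (all zero; constructed)
        + b"\x00"                          # session_id length 0
        + b"\x00\x02\x00\x2f"              # cipher_suites: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                      # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed.

    This is the information a step-1 'peek' exposes to step-2 ACLs; nothing is decrypted."""
    try:
        if record[0] != 0x16:
            return None                                    # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                                    # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                       # skip client_version and random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            lpos = 2                                       # skip ServerNameList length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def dstdomain_match(host: str, patterns) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and every subdomain;
    a bare name matches only itself."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def decide_at_step2(record: bytes, blocked=SOCIAL) -> str:
    """Simplified stand-in (an assumption, not Squid's code) for evaluating
    'ssl_bump terminate social' followed by 'ssl_bump splice all' at SslBump2."""
    sni = extract_sni(record)
    if sni is not None and dstdomain_match(sni, blocked):
        return "terminate"
    return "splice"                                        # no SNI or no match: tunnel untouched


if __name__ == "__main__":
    for name in ("www.facebook.com", "example.com"):
        hello = build_client_hello(name)
        print(f"{name:>20}: SNI={extract_sni(hello)} -> {decide_at_step2(hello)}")
```

Running the block prints the step-2 decision for a social-network name and for an unrelated one. The point it makes for the configuration in the post is that the decision is only possible once the ClientHello has been read, which is what the step-1 <code>peek</code> provides; without it, the unmatched step-1 evaluation falls through to Squid's default and the connection is tunnelled before any name is known.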