<div dir="ltr">Hi Panda,<div><br></div><div>Thanks for the suggestion.</div><div><div><br></div><div>I'm assuming from Panda and Amos's responses that what I'm trying to achieve should actually be possible?</div></div><div><br></div><div>I tried adding what you suggested but unfortunately it didn't work.</div><div><br></div><div>New Config (based on Panda's suggestion):<br>
acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC1918 possible internal network<br>
acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC1918 possible internal network<br>
acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC1918 possible internal network<br>
acl localnet src fc00::/7 # RFC 4193 local private network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>
acl localnet src <a href="http://132.234.0.0/16">132.234.0.0/16</a> # ANDREWN: Griffith University network<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
acl whitelist-regex url_regex -i <a href="http://reddit.com/r/news">reddit.com/r/news</a><br>
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB</div><div><br></div><div>Browsing to <a href="https://www.reddit.com/r/news">https://www.reddit.com/r/news</a> still gives the following in the access.log:<br>
1455229976.342      0 132.234.20.39 TCP_DENIED/200 0 CONNECT <a href="http://www.reddit.com:443">www.reddit.com:443</a> - HIER_NONE/- -<br>
1455229976.423      0 132.234.20.39 TAG_NONE/403 4011 GET <a href="https://www.reddit.com/r/news">https://www.reddit.com/r/news</a> - HIER_NONE/- text/html<br>
1455229976.537      0 132.234.20.39 TCP_DENIED/200 0 CONNECT <a href="http://www.reddit.com:443">www.reddit.com:443</a> - HIER_NONE/- -</div><div><br>Will now try Amos's suggestions of looking further into the ssl options and trying the 4.0.5 release, and email the list to say how it goes.</div><div><br></div><div>Thanks.</div><div>Victor</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 11, 2016 at 11:46 PM, Panda Admin <span dir="ltr"><<a href="mailto:pandanonomous@gmail.com" target="_blank">pandanonomous@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Try adding <div>acl step1 at_step SslBump1<div><div>ssl_bump peek step1 bump_sites</div></div></div><div><br></div><div>This worked for me.  
Just a suggestion:)</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 11, 2016 at 3:59 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 11/02/2016 1:05 p.m., Victor Hugo wrote:<br>
> Hi,<br>
><br>
> I was wondering if it is possible to filter HTTPS URLs using squid (for<br>
> example to blacklist <a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a> but allow <a href="https://www.reddit.com/r/news/" rel="noreferrer" target="_blank">https://www.reddit.com/r/news/</a>)?<br>
><br>
> I thought this may be possible using ssl_bump and url_regex. I have been<br>
> trying this using squid 3.5.13 but with no success.<br>
><br>
> Here is the squid configuration that I have tried but doesn't seem to work<br>
> (it works for http sites though):<br>
><br>
<br>
</span><snip><br>
<span>><br>
> acl whitelist-regex url_regex -i <a href="http://reddit.com/r/news" rel="noreferrer" target="_blank">reddit.com/r/news</a><br>
> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem<br>
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
> acl bump_sites ssl::server_name .<a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a><br>
> ssl_bump bump bump_sites<br>
> ssl_bump splice !bump_sites<br>
> http_access allow whitelist-regex<br>
> http_access allow localhost<br>
> http_access deny all<br>
<br>
</span><span>> Relevant access.log output (IP addresses redacted to x.x.x.x):<br>
> 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT <a href="http://www.reddit.com:443" rel="noreferrer" target="_blank">www.reddit.com:443</a> -<br>
> HIER_NONE/- -<br>
<br>
</span>So this is the bump happening, as you wanted.<br>
<span><br>
> 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET<br>
> <a href="https://www.reddit.com/r/news" rel="noreferrer" target="_blank">https://www.reddit.com/r/news</a> - HIER_NONE/- text/html<br>
<br>
</span>And something else has 403 (Forbidden) the request. Your ACL and<br>
http_access config looks fine. So I don't think it's that.<br>
<br>
<br>
The first oddity is that your ssl_bump rules are doing bump without<br>
having fetched the clientHello details yet. So this is a "client-first"<br>
bumping situation in which Squid first negotiates TLS / HTTPS with the<br>
client, then completely separately negotiates TLS/HTTPS with the server.<br>
 - any errors in the server TLS might result in something like this 403<br>
(though it should be a 5xx status, it may not always be).<br>
 - the sslproxy_* settings are entirely what controls the server<br>
connection TLS.<br>
<br>
<br>
Second oddity is that it's saying DENIED/200. 200 is 'allowed' in CONNECT<br>
actions. This could be a logging bug, or a sign of something going wrong<br>
in the bumping stage that alters the CONNECT logging as well.<br>
<br>
<br>
Are you able to experiment with using the Squid-4.0.5 release? There are<br>
some bumping bug fixes that are only in that release series.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
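The log pattern Amos points at (a CONNECT logged with status 200 followed a few milliseconds later by a 403 on the decrypted GET to the same host) is easy to pick out mechanically. The following is an added example written for this page; it is not code from the thread or from the Squid project. It parses Squid native-format access.log lines, pairs each accepted CONNECT with a later 403 from the same client to the same host, and checks whether the thread's `url_regex -i` pattern would have matched the denied URL. The three sample lines are the ones Victor posted, embedded as a constructed string so the script runs offline; the field layout assumed is Squid's default native log format, and the regex check is a Python `re` approximation of Squid's POSIX-regex `url_regex` ACL, which is close enough for a pattern like the one in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three native-format access.log lines from the thread,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
1455229976.342      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455229976.423      0 132.234.20.39 TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455229976.537      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
"""

# Squid native log layout (assumed default):
#   time elapsed client result/status bytes method URL user hier/peer content-type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    result: str   # e.g. TCP_DENIED, TAG_NONE
    status: int   # HTTP status Squid returned to the client
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything that does not fit."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["result"],
                 int(m["status"]), m["method"], m["url"])


def host_of(entry: Entry) -> str:
    """CONNECT logs 'host:port'; a bumped request logs the full https:// URL."""
    if entry.method == "CONNECT":
        return entry.url.rsplit(":", 1)[0].lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", entry.url, re.IGNORECASE)
    return (m.group(1) if m else entry.url).lower()


def find_bump_denials(lines, window: float = 2.0) -> List[Tuple[str, str, str, str]]:
    """Pair each CONNECT answered with status 200 (the tunnel was accepted, so the
    bump went ahead) with a later 403 from the same client to the same host within
    `window` seconds. That sequence means the decrypted request, not the CONNECT,
    was refused. Returns tuples of (client, host, denied_url, connect_result)."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    findings = []
    for i, c in enumerate(entries):
        if c.method != "CONNECT" or c.status != 200:
            continue
        for g in entries[i + 1:]:
            if g.ts - c.ts > window:
                break
            if (g.client == c.client and g.method != "CONNECT"
                    and g.status == 403 and host_of(g) == host_of(c)):
                findings.append((c.client, host_of(c), g.url, c.result))
                break
    return findings


def url_regex_matches(pattern: str, url: str) -> bool:
    """Approximation of a Squid 'url_regex -i' ACL: an unanchored, case-insensitive
    search over the whole request URL (assumption: Python re stands in for the
    POSIX extended regex Squid actually uses)."""
    return re.search(pattern, url, re.IGNORECASE) is not None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, host, url, result in find_bump_denials(lines):
        print(f"{client}: CONNECT {host} logged {result}/200, then 403 on {url}")
        print("  whitelist-regex would match the denied URL:",
              url_regex_matches("reddit.com/r/news", url))
```

Run against the sample, it reports one pairing (the first CONNECT and the 403 GET) and confirms that `reddit.com/r/news` does match `https://www.reddit.com/r/news`, which is the same conclusion Amos draws: the `url_regex` ACL is not what produced the 403, so the cause has to be looked for in the bumping stage or the server-side TLS settings. Pointing `find_bump_denials` at a real access.log is a quick way to tell, per host, whether denials are hitting the CONNECT or the decrypted request.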