<div dir="ltr">Wow that worked!<div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 6, 2016 at 5:00 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 6/05/2016 5:51 p.m., Victor Hugo wrote:<br>
> Here's a strange one for you though, if I change:<br>
> acl whitelist-regex url_regex -i <a href="http://reddit.com/r/news" rel="noreferrer" target="_blank">reddit.com/r/news</a><br>
><br>
> to:<br>
> acl whitelist-regex url_regex -i reddit\.com\/r\/news www\.reddit\.com\:443<br>
><br>
> it works every 2nd time but the match is too greedy and allows<br>
> <a href="http://www.reddit.com/r/anything" rel="noreferrer" target="_blank">www.reddit.com/r/anything</a> every 2nd time.<br>
><br>
<br>
</span>That first regex pattern requires a path "/r/news" to exist. CONNECT<br>
messages do not have paths.<br>
<br>
That second pattern you are now adding matches (and thus allows) the<br>
CONNECT message authority-URI built from the traffic SNI details.<br>
<br>
They are two different regex patterns so if *either one* matches the ACL<br>
test will be a match.<br>
<br>
<br>
Try adding this line *after* the default "deny CONNECT !SSL_ports" line:<br>
acl reddit dstdomain .<a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a><br>
http_access allow CONNECT SSL_ports reddit<br>
<br>
That should allow the CONNECT's stuff to happen and your ssl_bump and<br>
http_access rules then handle the HTTPS.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
Amos<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
> Victor<br>
><br>
> it<br>
><br>
> On Thu, Feb 11, 2016 at 10:05 AM, Victor Hugo <<a href="mailto:fourtrials@gmail.com">fourtrials@gmail.com</a>> wrote:<br>
><br>
>> Hi,<br>
>><br>
>> I was wondering if it is possible to filter HTTPS URLs using squid (for<br>
>> example to blacklist <a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a> but allow <a href="https://www.reddit.com/r/news/" rel="noreferrer" target="_blank">https://www.reddit.com/r/news/</a>)?<br>
>><br>
>> I thought this may be possible using ssl_bump and url_regex. I have been<br>
>> trying this using squid 3.5.13 but with no success.<br>
>><br>
>> Here is the squid configuration that I have tried but doesn't seem to work<br>
>> (it works for http sites though):<br>
>><br>
>> acl localnet src <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> # RFC1918 possible internal network<br>
>> acl localnet src <a href="http://172.16.0.0/12" rel="noreferrer" target="_blank">172.16.0.0/12</a> # RFC1918 possible internal network<br>
>> acl localnet src <a href="http://192.168.0.0/16" rel="noreferrer" target="_blank">192.168.0.0/16</a> # RFC1918 possible internal network<br>
>> acl localnet src fc00::/7 # RFC 4193 local private network range<br>
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)<br>
>> machines<br>
>><br>
>> acl SSL_ports port 443<br>
>> acl Safe_ports port 80 # http<br>
>> acl Safe_ports port 21 # ftp<br>
>> acl Safe_ports port 443 # https<br>
>> acl Safe_ports port 70 # gopher<br>
>> acl Safe_ports port 210 # wais<br>
>> acl Safe_ports port 1025-65535 # unregistered ports<br>
>> acl Safe_ports port 280 # http-mgmt<br>
>> acl Safe_ports port 488 # gss-http<br>
>> acl Safe_ports port 591 # filemaker<br>
>> acl Safe_ports port 777 # multiling http<br>
>> acl CONNECT method CONNECT<br>
>><br>
>> http_access deny !Safe_ports<br>
>> http_access deny CONNECT !SSL_ports<br>
>> http_access allow localhost manager<br>
>> http_access deny manager<br>
>><br>
>> acl whitelist-regex url_regex -i <a href="http://reddit.com/r/news" rel="noreferrer" target="_blank">reddit.com/r/news</a><br>
>> http_port 3129 ssl-bump<br>
>> cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem<br>
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
>> acl bump_sites ssl::server_name .<a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a><br>
>> ssl_bump bump bump_sites<br>
>> ssl_bump splice !bump_sites<br>
>> http_access allow whitelist-regex<br>
>> http_access allow localhost<br>
>> http_access deny all<br>
>> coredump_dir /opt/squid-3.5.13/var/spool/squid3<br>
>> refresh_pattern ^ftp: 1440 20% 10080<br>
>> refresh_pattern ^gopher: 1440 0% 1440<br>
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
>> refresh_pattern . 0 20% 4320<br>
>> pinger_enable off<br>
>> Relevant access.log output (IP addresses redacted to x.x.x.x):<br>
>> 1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT <a href="http://www.reddit.com:443" rel="noreferrer" target="_blank">www.reddit.com:443</a><br>
>> - HIER_NONE/- -<br>
>> 1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET<br>
>> <a href="https://www.reddit.com/r/news" rel="noreferrer" target="_blank">https://www.reddit.com/r/news</a> - HIER_NONE/- text/html<br>
>> 1455145755.782 0 x.x.x.x TCP_DENIED/200 0 CONNECT <a href="http://www.reddit.com:443" rel="noreferrer" target="_blank">www.reddit.com:443</a><br>
>> - HIER_NONE/- -<br>
>><br>
>> I don't want to whitelist the dstdomain .<a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a><br>
>> (i.e whitelist-ssldomain dstdomain .<a href="http://reddit.com" rel="noreferrer" target="_blank">reddit.com</a>) as that would allow<br>
>> access to all of the other subreddits.<br>
>><br>
>> Appreciate any help or suggestions you have. Thanks.<br>
>><br>
>> Victor<br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div>