<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yiv9677157595"><div id="yui_3_16_0_ym19_1_1492447834855_5220"><div style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;" id="yui_3_16_0_ym19_1_1492447834855_5219"><div id="yiv9677157595"><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2187"><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2186" style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;"><div id="yiv9677157595"><div id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_10844"><div id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_10843" style="color:#000;background-color:#fff;font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;"><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3247">Hi Alex, <br clear="none"></div><div id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5078"><br clear="none"></div><div id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5076"><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3250">Thank you. 
Yes, there are http_access rules.<br clear="none"></div><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3252"><br clear="none"></div><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3251"><div id="yui_3_16_0_ym19_1_1492447834855_5523">I have included the entire configuration file (sorry, I'm new to Squid).</div><div id="yui_3_16_0_ym19_1_1492447834855_5521">The goal is to splice only the whitelist (github.com) and terminate all other domains.<br></div></div></div><div dir="ltr" id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5129"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5270" clear="none">http_port 3128<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5271" clear="none">http_port 3129 intercept<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5272" clear="none">https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5273" clear="none"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5274" clear="none">visible_hostname squid.internal<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5275" clear="none"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5277" clear="none">acl localnet src 172.16.0.0/16<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5278" clear="none"><div dir="ltr" id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3171">acl http_whitelist dstdomain .github.com</div>acl whitelist ssl::server_name .github.com<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5280" clear="none"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5281" clear="none">acl SSL_ports port 443<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5282" clear="none">acl Safe_ports port 80          # http<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5283" clear="none">acl Safe_ports port 21          # ftp<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5284" 
clear="none">acl Safe_ports port 443         # https<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5285" clear="none">acl Safe_ports port 70          # gopher<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5286" clear="none">acl Safe_ports port 210         # wais<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5287" clear="none">acl Safe_ports port 280         # http-mgmt<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5288" clear="none">acl Safe_ports port 488         # gss-http<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5289" clear="none">acl Safe_ports port 591         # filemaker<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5290" clear="none">acl Safe_ports port 777         # multiling http<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5291" clear="none">acl Safe_ports port 1025-65535  # unregistered ports<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5292" clear="none">acl step1 at_step SslBump1<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5293" clear="none">acl step2 at_step SslBump2<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5294" clear="none"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5295" clear="none">acl CONNECT method CONNECT<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5296" clear="none">http_access deny !Safe_ports<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5297" clear="none">http_access deny CONNECT !SSL_ports<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5298" clear="none">http_access allow localhost manager<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5299" clear="none">http_access deny manager<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5300" clear="none"><br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5302" clear="none"><div dir="ltr" id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_3268">http_access allow http_whitelist localnet</div>http_access deny all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5304" clear="none"><br 
id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5305" clear="none">acl step1 at_step SslBump1<br id="yui_3_16_0_ym19_1_1492447834855_5431" clear="none">ssl_bump peek step1<br id="yui_3_16_0_ym19_1_1492447834855_5432" clear="none">ssl_bump splice whitelist<br id="yui_3_16_0_ym19_1_1492447834855_5433" clear="none"><div dir="ltr" id="yui_3_16_0_ym19_1_1492447834855_5439">ssl_bump bump all</div><div id="yui_3_16_0_ym19_1_1492447834855_5452"><br></div><div id="yui_3_16_0_ym19_1_1492447834855_5485">via off</div>forwarded_for off<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5311" clear="none">request_header_access Allow allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5312" clear="none">request_header_access Authorization allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5313" clear="none">request_header_access WWW-Authenticate allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5314" clear="none">request_header_access Proxy-Authorization allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5315" clear="none">request_header_access Proxy-Authenticate allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5316" clear="none">request_header_access Cache-Control allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5317" clear="none">request_header_access Content-Encoding allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5318" clear="none">request_header_access Content-Length allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5319" clear="none">request_header_access Content-Type allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5320" clear="none">request_header_access Date allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5321" clear="none">request_header_access Expires allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5322" clear="none">request_header_access Host allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5323" 
clear="none">request_header_access If-Modified-Since allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5324" clear="none">request_header_access Last-Modified allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5325" clear="none">request_header_access Location allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5326" clear="none">request_header_access Pragma allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5327" clear="none">request_header_access Accept allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5328" clear="none">request_header_access Accept-Charset allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5329" clear="none">request_header_access Accept-Encoding allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5330" clear="none">request_header_access Accept-Language allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5331" clear="none">request_header_access Content-Language allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5332" clear="none">request_header_access Mime-Version allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5333" clear="none">request_header_access Retry-After allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5334" clear="none">request_header_access Title allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5335" clear="none">request_header_access Connection allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5336" clear="none">request_header_access Proxy-Connection allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5337" clear="none">request_header_access User-Agent allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5338" clear="none">request_header_access Cookie allow all<br id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5339" clear="none">request_header_access All deny all<br clear="none"></div><div id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5077"><span></span></div><div 
id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5075"> </div><div class="yiv9677157595signature" id="yiv9677157595yui_3_16_0_ym19_1_1492444613556_5074"><span style="font-size:small;" id="yui_3_16_0_ym19_1_1492447834855_5490">-Shan</span></div> <div class="yiv9677157595qtdSeparateBR" id="yui_3_16_0_ym19_1_1492447834855_5488"><br clear="none"><br clear="none"></div><div class="yiv9677157595yqt5679300248" id="yiv9677157595yqt57579"></div></div></div></div><div class="yiv9677157595yqt1290664056" id="yiv9677157595yqt86850"><div class="yiv9677157595yqt4907182381" id="yiv9677157595yqt35990"><div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2185"> <div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2184" style="font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px;"> <div id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2183" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yui_3_16_0_ym19_1_1492447834855_5487"><font id="yui_3_16_0_ym19_1_1492447834855_5486" size="2" face="Arial"> On Monday, April 17, 2017 10:10 PM, Alex Rousskov &lt;rousskov@measurement-factory.com&gt; wrote:<br clear="none"></font></div>  <br clear="none"><br clear="none"> <div class="yiv9677157595y_msg_container" id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2182"><div dir="ltr" id="yiv9677157595yui_3_16_0_ym19_1_1492447834855_2181">On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:<div class="yiv9677157595yqt9720908102" id="yiv9677157595yqtfd19898"><br clear="none"><br clear="none">> I have a blanket block setup with Squid as a transparent proxy where<br clear="none">> access is allowed only to github.com. 
But Squid generates certificates<br clear="none">> for the IP address instead of the domain name and SSL validation fails.<br clear="none"><br clear="none">> Squid version: |3.5.25-20170408-r14154|<br clear="none">> When I use curl:<br clear="none">> |curl: (51) SSL: certificate subject name (192.30.255.112) does not<br clear="none">> match target host name 'github.com'|<br clear="none">> <br clear="none">> How do I configure it properly to splice a whitelist and block all other<br clear="none">> domains? Below is my current configuration:<br clear="none">> <br clear="none">> http_port 3128<br clear="none">> http_port 3129 intercept<br clear="none">> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB <br clear="none">> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem<br clear="none">> <br clear="none">> acl whitelist ssl::server_name .github.com<br clear="none">> acl step1 at_step SslBump1<br clear="none">> <br clear="none">> ssl_bump peek step1<br clear="none">> ssl_bump splice whitelist<br clear="none">> ssl_bump bump all<br clear="none">> <br clear="none">> Please help me fix the issue.</div><br clear="none"><br clear="none">Any http_access rules? Is it possible that Squid denies the fake CONNECT<br clear="none">request during step1 (before looking up SNI during step2)?<br clear="none"><br clear="none">What does access.log say?<br clear="none"><br clear="none">Alex.<div class="yiv9677157595yqt9720908102" id="yiv9677157595yqtfd46257"><br clear="none"><br clear="none"></div></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div></div></div></div></div></div></body></html>