<html><head></head><body>Dear Mike, <br><br>Please check out the following and let us know if you need further help. <br><br><a href="http://www.squid-cache.org/Doc/config/sslproxy_cert_error/">http://www.squid-cache.org/Doc/config/sslproxy_cert_error/</a><br><br>Best regards,<br><br>Flashdown<br><br><div class="gmail_quote">On 11 December 2018 16:41:56 CET, Mike Quentel <mike.quentel.rbc@gmail.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Hi, I have been unsuccessfully trying to get Squid-4.1-5 in AWS (Amazon 1 Linux) to allow transparent proxying of certain domains, as well as IPs associated with those domains, whilst rejecting everything else.

I have been referencing the documentation at
<a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a>

Version of Squid: 4.1-5 for Amazon 1 Linux, available at
<a href="http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/">http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/</a> (many thanks to @elico for these packages), specifically the following:

1) <a href="http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-4.1-5.amzn1.x86_64.rpm">http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-4.1-5.amzn1.x86_64.rpm</a>
2) <a href="http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-helpers-4.1-5.amzn1.x86_64.rpm">http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-helpers-4.1-5.amzn1.x86_64.rpm</a>

Example of tests that I am running:

1) curl -kv <a href="https://service.us2.sumologic.com">https://service.us2.sumologic.com</a> (EXPECTED: successfully accessed; OBSERVED: successfully accessed)
2) curl -kv <a href="https://54.149.155.70">https://54.149.155.70</a> (EXPECTED: successfully accessed because it resolves to service.us2.sumologic.com; OBSERVED: "Certificate does not match domainname" [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH))
3) curl -kv <a href="https://www.google.com">https://www.google.com</a> (EXPECTED: failed to access; OBSERVED: failed to access)
4) curl -kv <a href="https://172.217.13.164">https://172.217.13.164</a> (EXPECTED: failed to access; OBSERVED: "Certificate does not match domainname" [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH))

Below is the latest version of the squid.conf being used. Apologies for any obvious errors -- new to Squid here. I have been grappling with this for weeks, with many iterations of squid.conf, so any advice is greatly appreciated; many thanks in advance.<hr>visible_hostname squid

host_verify_strict off

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

sslcrtd_children 10

acl CONNECT method CONNECT

# AWS services domain
acl allowed_http_sites dstdomain .amazonaws.com
# docker hub registry
acl allowed_http_sites dstdomain .docker.io
acl allowed_http_sites dstdomain .docker.com
acl allowed_http_sites dstdomain www.congiu.net

# Handling HTTPS requests
# https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
acl SSL_port port 443

# AWS services domain
acl allowed_https_sites ssl::server_name .amazonaws.com
# docker hub registry
acl allowed_https_sites ssl::server_name .docker.io
acl allowed_https_sites ssl::server_name .docker.com

# project specific
acl allowed_https_sites ssl::server_name www.congiu.net
acl allowed_https_sites ssl::server_name mirrors.fedoraproject.org
acl allowed_https_sites ssl::server_name mirror.csclub.uwaterloo.ca

# nslookup resolved IPs for collectors.sumologic.com
# workaround solution to support sumologic collector
acl allowed_https_sites ssl::server_name .sumologic.com
# THE FOLLOWING TWO LINES DO NOT SEEM TO WORK AS EXPECTED
# acl allowed_https_sites ssl::server_name --server-provided service.sumologic.com sslflags=DONT_VERIFY_PEER
# acl allowed_https_sites ssl::server_name --server-provided service.us2.sumologic.com sslflags=DONT_VERIFY_PEER

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
# <a href="http://lists.squid-cache.org/pipermail/squid-users/2018-September/019150.html">http://lists.squid-cache.org/pipermail/squid-users/2018-September/019150.html</a>
ssl_bump bump
ssl_bump splice step3 allowed_https_sites
ssl_bump bump
ssl_bump terminate step2 all

http_access allow CONNECT

# http_access allow SSL_port

http_access deny CONNECT !allowed_https_sites
http_access deny CONNECT !allowed_http_sites
http_access allow allowed_https_sites
http_access allow allowed_http_sites
http_access deny all

cache deny all

debug_options "ALL,9"<hr>squid-users mailing list
squid-users@lists.squid-cache.org
<a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre></blockquote></div><br>-- <br>This message was sent from my Android device with K-9 Mail.</body></html>
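As an added example (not part of this thread and not from Mike's squid.conf), here is how the sslproxy_cert_error directive Flashdown links to can be scoped narrowly instead of globally: the domain-mismatch error Mike sees when curling the bare IP is tolerated only for that one destination and only for that one error, while every other certificate validation failure still fails closed. The IP address and the error code are taken from Mike's tests; the ACL names sumo_by_ip and name_mismatch are chosen here and appear nowhere in his configuration.

```squid
# Added example, not from the thread: tolerate exactly one certificate
# validation error for exactly one destination, and deny everything else.

# The destination Mike tests with a bare IP (value from his message).
acl sumo_by_ip dst 54.149.155.70

# The specific validation error Squid reported for those tests.
acl name_mismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

# Both ACLs must match: the error is ignored only for this IP and only
# when it is a name mismatch. An expired or untrusted chain still fails.
sslproxy_cert_error allow sumo_by_ip name_mismatch
sslproxy_cert_error deny all
```

This directive only matters for connections Squid bumps, i.e. where Squid itself is the TLS client to the origin server; spliced connections hand the server's certificate straight through to the client, and the client does its own validation. A blanket `sslproxy_cert_error allow all` would silence validation for every bumped connection, which is why pairing a `dst` ACL with an `ssl_error` ACL and ending with `deny all` is the safer shape.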