<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div><br><br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr">Hi Everyone, </div><div dir="ltr"><br></div><div>I have configured a Squid proxy with HTTPS whitelisted sites using the ssl bump peek and splice feature in transparent mode.</div><div dir="ltr">Although non-whitelisted sites are getting blocked, it is not graceful: there is an 'ssl connect error' and no 403 message (using curl). For HTTP, it is working fine with Access Denied and a 403 HTTP error code.</div><div dir="ltr"><br></div><div dir="ltr">Using ssl bump 'terminate all' seems to abruptly stop the connection, which might cause issues in our application.</div><div dir="ltr"><br></div><div>Is there a way to terminate the connection gracefully with an Access Denied message (with a 403 error code), just like it does for HTTP?</div><div dir="ltr"><br></div><div><b>Non-whitelisted site error:</b></div><div dir="ltr"><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">curl -I <a href="https://nba.com" target="_blank">https://nba.com</a></span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(204,0,0)"><b>curl: (35) SSL connect error</b></span></p><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures"><div><span style="font-variant-ligatures:no-common-ligatures"><b>HTTP non-whitelisted site:</b></span></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures"><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">c5278791@ban-squid-client22 ~]$ curl -I <a href="http://nba.com" target="_blank">http://nba.com</a></span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">HTTP/1.1 403 Forbidden</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Server: squid/3.5.28</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Mime-Version: 1.0</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Date: Fri, 25 Jan 2019 17:01:38 GMT</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Content-Type: text/html;charset=utf-8</span></p><p 
style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Content-Length: 3574</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">X-Squid-Error: ERR_ACCESS_DENIED 0</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Vary: Accept-Language</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Content-Language: en</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">X-Cache: MISS from squid</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Via: 1.1 squid (squid/3.5.28)</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Connection: keep-alive</span></p></span></div></span></div><div><br></div><div><b>https whitelisted site works fine:</b></div><div><br></div><div><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">curl -I <a href="https://cnn.com" target="_blank">https://cnn.com</a></span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">HTTP/1.1 301 Moved Permanently</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Server: Varnish</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Retry-After: 0</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Content-Length: 0</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Cache-Control: public, max-age=600</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Location: <a href="https://www.cnn.com/" target="_blank">https://www.cnn.com/</a></span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Accept-Ranges: bytes</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Date: Fri, 25 Jan 2019 17:00:08 GMT</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Via: 1.1 varnish</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Connection: close</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Set-Cookie: countryCode=US; Domain=.<a href="http://cnn.com" target="_blank">cnn.com</a>; Path=/</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Set-Cookie: geoData=mountain view|CA|94043|US|NA; Domain=.<a href="http://cnn.com" target="_blank">cnn.com</a>; Path=/</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">X-Served-By: cache-sea1038-SEA</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">X-Cache: HIT</span></p>
<p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">X-Cache-Hits: 0</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><br></div><div><span style="font-variant-ligatures:no-common-ligatures"><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div></span></div><div><br></div><div><b>Squid.conf Details:</b></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">visible_hostname squid<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"> </span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">cache deny all<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">#Handling HTTP requests<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">http_port 3128 intercept<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl allowed_http_sites dstdomain .<a href="http://amazonaws.com" target="_blank">amazonaws.com</a> .<a href="http://bbc.com" target="_blank">bbc.com</a><span></span></span></p><p class="MsoNormal" style="margin:0in 0in 
0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">#acl allowed_http_sites dstdomain [you can add other domains to permit]<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">http_access allow allowed_http_sites<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"> </span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">#Handling HTTPS requests<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl SSL_port port 443<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">http_access allow SSL_port<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl allowed_https_sites ssl::server_name .<a href="http://amazonaws.com" target="_blank">amazonaws.com</a> .<a href="http://cnn.com" target="_blank">cnn.com</a> .<a href="http://yahoo.com" target="_blank">yahoo.com</a> .<a href="http://bbc.com" target="_blank">bbc.com</a><span></span></span></p><p class="MsoNormal" 
style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">#acl allowed_https_sites ssl::server_name [you can add other domains to permit]<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl step1 at_step SslBump1<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl step2 at_step SslBump2<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">acl step3 at_step SslBump3<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">ssl_bump peek step1 all<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">ssl_bump splice allowed_https_sites<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">#ssl_bump peek step2 all<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">ssl_bump terminate all<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"> </span></p><p class="MsoNormal" style="margin:0in 0in 
0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo">http_access deny all<span></span></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"><br></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"><b>Squid version:</b></span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">squid -v</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Squid Cache: Version <b>3.5.28</b></span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Service Name: squid</span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:13px"><span style="font-variant-ligatures:no-common-ligatures"></span><br></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. 
For legal restrictions on distribution see <a href="https://www.openssl.org/source/license.html" target="_blank">https://www.openssl.org/source/license.html</a></span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:13px"><span style="font-variant-ligatures:no-common-ligatures"></span><br></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
</p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenien</span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"><br></span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)"><span style="font-size:11pt;font-family:Menlo"><b>OS version:</b></span></p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">cat /etc/redhat-release </span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:medium;font-family:Calibri,sans-serif;color:rgb(0,0,0)">
</p><p style="margin:0px;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">CentOS release 6.10 (Final)</span></p><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><p class="MsoNormal" style="margin:0in 0in 0.0001pt"><font color="#000000" face="Menlo"><span style="font-size:14.666666984558105px">Thanks,</span></font></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt"><font color="#000000" face="Menlo"><span style="font-size:14.666666984558105px">-Bandeep</span></font></p></div></div></div></div></div></div></div></div></div>
</div></div>