<html><head></head><body><div class="ydpf786e4c0yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div>I use this configuration to solve my problem.</div><div>Whit this configuration at first step I use bump action for sites that i want to block and show ACCESS_DENIED page then splice all other requests!!</div><div>My problem in this config is when my clients want to see block pages they first see SSL warning in their browser then after click on exception they will see ACCESS_DENIED page!!<br></div><div>..........</div><div><span><pre class="ydp63f918b8code-java">acl blk ssl::server_name <span class="ydp63f918b8code-quote">"/<span class="ydp63f918b8code-keyword">var</span>/blkfiles/url.txt"</span>
<span><pre class="ydp20e024b7code-java">http_access deny blk</pre></span>acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump blk
ssl_bump splice all</pre></span><br></div><div><br></div>
</div><div id="yahoo_quoted_0832379914" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Wednesday, February 13, 2019, 9:55:06 AM GMT+3:30, squid-users-request@lists.squid-cache.org <squid-users-request@lists.squid-cache.org> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">Send squid-users mailing list submissions to<br></div><div dir="ltr"> <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr"><br></div><div dir="ltr">To subscribe or unsubscribe via the World Wide Web, visit<br></div><div dir="ltr"> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></div><div dir="ltr">or, via email, send a message with subject or body 'help' to<br></div><div dir="ltr"> <a ymailto="mailto:squid-users-request@lists.squid-cache.org" href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.squid-cache.org</a><br></div><div dir="ltr"><br></div><div dir="ltr">You can reach the person managing the list at<br></div><div dir="ltr"> <a ymailto="mailto:squid-users-owner@lists.squid-cache.org" href="mailto:squid-users-owner@lists.squid-cache.org">squid-users-owner@lists.squid-cache.org</a><br></div><div dir="ltr"><br></div><div dir="ltr">When replying, please edit your Subject line so it is more specific<br></div><div dir="ltr">than "Re: Contents of squid-users digest..."<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">Today's Topics:<br></div><div dir="ltr"><br></div><div dir="ltr"> 1. ssl-bump does not redirect to block page (<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>)<br></div><div dir="ltr"> 2. Re: ssl-bump does not redirect to block page (Alex Rousskov)<br></div><div dir="ltr"> 3. Pass ip to server (erdosain9)<br></div><div dir="ltr"> 4. Re: Pass ip to server (Joey Officer)<br></div><div dir="ltr"> 5. Re: Filering HTTPS URLs - A complete configuration (Alex Rousskov)<br></div><div dir="ltr"> 6. Re: ssl-bump does not redirect to block page<br></div><div dir="ltr"> (<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>)<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">----------------------------------------------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 1<br></div><div dir="ltr">Date: Tue, 12 Feb 2019 14:21:34 +0000 (UTC)<br></div><div dir="ltr">From: "<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>" <<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>><br></div><div dir="ltr">To: <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr">Subject: [squid-users] ssl-bump does not redirect to block page<br></div><div dir="ltr">Message-ID: <<a ymailto="mailto:1479917107.2282419.1549981294109@mail.yahoo.com" href="mailto:1479917107.2282419.1549981294109@mail.yahoo.com">1479917107.2282419.1549981294109@mail.yahoo.com</a>><br></div><div dir="ltr">Content-Type: text/plain; charset="utf-8"<br></div><div dir="ltr"><br></div><div dir="ltr">Hi againDo i have to use CA and Certificate configuration if i want to block only HTTPS requests with splice action?!<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">https_port 3130 tproxy ssl-bump \<br></div><div dir="ltr"> cert=/etc/squid/ssl_cert/myCA.pem \<br></div><div dir="ltr"> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br></div><div dir="ltr"> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB<br></div><div dir="ltr">-------------- next part --------------<br></div><div dir="ltr">An HTML attachment was scrubbed...<br></div><div dir="ltr">URL: <<a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/attachments/20190212/8311d242/attachment-0001.html</a>><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 2<br></div><div dir="ltr">Date: Tue, 12 Feb 2019 08:04:08 -0700<br></div><div dir="ltr">From: Alex Rousskov <<a ymailto="mailto:rousskov@measurement-factory.com" href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>><br></div><div dir="ltr">To: <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr">Subject: Re: [squid-users] ssl-bump does not redirect to block page<br></div><div dir="ltr">Message-ID:<br></div><div dir="ltr"> <<a ymailto="mailto:024a80a6-6b15-e9d8-06f9-b9645fbb3058@measurement-factory.com" href="mailto:024a80a6-6b15-e9d8-06f9-b9645fbb3058@measurement-factory.com">024a80a6-6b15-e9d8-06f9-b9645fbb3058@measurement-factory.com</a>><br></div><div dir="ltr">Content-Type: text/plain; charset=utf-8<br></div><div dir="ltr"><br></div><div dir="ltr">On 2/12/19 7:21 AM, <a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a> wrote:<br></div><div dir="ltr"><br></div><div dir="ltr">> Do i have to use CA and Certificate configuration if i want to block<br></div><div dir="ltr">> only HTTPS requests with splice action?!<br></div><div dir="ltr"><br></div><div dir="ltr">IIRC, you currently need a CA certificate if you want to use SslBump,<br></div><div dir="ltr">regardless of the SslBump actions in use. In some ways, this is a<br></div><div dir="ltr">limitation of the current SslBump implementation rather than a natural<br></div><div dir="ltr">requirement, but the CA certificate is needed when Squid reports an<br></div><div dir="ltr">error to the client because Squid has to bump the client connection to<br></div><div dir="ltr">report errors.<br></div><div dir="ltr"><br></div><div dir="ltr">If you do not care what happens when handling errors, then you probably<br></div><div dir="ltr">do not need to configure dynamic certificate generation. I have not<br></div><div dir="ltr">tested that, but I assume that, when reporting errors in that case,<br></div><div dir="ltr">Squid will silently revert to using the old code that generates<br></div><div dir="ltr">self-signed certificates (and the client will not trust them).<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">Please note that it is not clear what you mean by "to block with splice<br></div><div dir="ltr">action" -- splice does not block anything. If you are blocking requests<br></div><div dir="ltr">using http_access rules, then Squid is probably using an (implicit) bump<br></div><div dir="ltr">action to report blocking to the client, as discussed above. Blocking is<br></div><div dir="ltr">an example of errors that may happen even when you do not explicitly<br></div><div dir="ltr">bump any requests.<br></div><div dir="ltr"><br></div><div dir="ltr">Alex.<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">> https_port 3130 tproxy ssl-bump \<br></div><div dir="ltr">> cert=/etc/squid/ssl_cert/myCA.pem \<br></div><div dir="ltr">> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br></div><div dir="ltr">> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 3<br></div><div dir="ltr">Date: Tue, 12 Feb 2019 09:14:45 -0600 (CST)<br></div><div dir="ltr">From: erdosain9 <<a ymailto="mailto:erdosain9@gmail.com" href="mailto:erdosain9@gmail.com">erdosain9@gmail.com</a>><br></div><div dir="ltr">To: <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr">Subject: [squid-users] Pass ip to server<br></div><div dir="ltr">Message-ID: <<a ymailto="mailto:1549984485300-0.post@n4.nabble.com" href="mailto:1549984485300-0.post@n4.nabble.com">1549984485300-0.post@n4.nabble.com</a>><br></div><div dir="ltr">Content-Type: text/plain; charset=us-ascii<br></div><div dir="ltr"><br></div><div dir="ltr">Hi.<br></div><div dir="ltr">I want to know if is possible that, for some site (sales.mydomain.com) the<br></div><div dir="ltr">proxy server send the "real ip".<br></div><div dir="ltr"><br></div><div dir="ltr">Because i want to see in the logs of sales.mydomain.com the real ip of the<br></div><div dir="ltr">machine that are going (and not the proxy ip).<br></div><div dir="ltr"><br></div><div dir="ltr">I know that i can see this in the log of squid... but, i want to know if it<br></div><div dir="ltr">is possible see this in the other server.<br></div><div dir="ltr"><br></div><div dir="ltr">Thanks to all.<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">--<br></div><div dir="ltr">Sent from: <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html" target="_blank">http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html</a><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 4<br></div><div dir="ltr">Date: Tue, 12 Feb 2019 16:49:58 +0000<br></div><div dir="ltr">From: Joey Officer <<a ymailto="mailto:JOfficer@istreamfs.com" href="mailto:JOfficer@istreamfs.com">JOfficer@istreamfs.com</a>><br></div><div dir="ltr">To: erdosain9 <<a ymailto="mailto:erdosain9@gmail.com" href="mailto:erdosain9@gmail.com">erdosain9@gmail.com</a>>,<br></div><div dir="ltr"> "<a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>"<br></div><div dir="ltr"> <<a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>><br></div><div dir="ltr">Subject: Re: [squid-users] Pass ip to server<br></div><div dir="ltr">Message-ID:<br></div><div dir="ltr"> <<a ymailto="mailto:DM5PR19MB1579C05FD36C83FF2D018DF8CD650@DM5PR19MB1579.namprd19.prod.outlook.com" href="mailto:DM5PR19MB1579C05FD36C83FF2D018DF8CD650@DM5PR19MB1579.namprd19.prod.outlook.com">DM5PR19MB1579C05FD36C83FF2D018DF8CD650@DM5PR19MB1579.namprd19.prod.outlook.com</a>><br></div><div dir="ltr"> <br></div><div dir="ltr">Content-Type: text/plain; charset="utf-8"<br></div><div dir="ltr"><br></div><div dir="ltr">I believe the option you are referring to is the 'forwarded_for' http header.<br></div><div dir="ltr"><br></div><div dir="ltr">Reference this: <a href="http://www.squid-cache.org/Doc/config/forwarded_for/" target="_blank">http://www.squid-cache.org/Doc/config/forwarded_for/</a><br></div><div dir="ltr"><br></div><div dir="ltr">Hope that helps you.<br></div><div dir="ltr"><br></div><div dir="ltr">-----Original Message-----<br></div><div dir="ltr">From: squid-users <<a ymailto="mailto:squid-users-bounces@lists.squid-cache.org" href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@lists.squid-cache.org</a>> On Behalf Of erdosain9<br></div><div dir="ltr">Sent: Tuesday, February 12, 2019 9:15 AM<br></div><div dir="ltr">To: <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr">Subject: [squid-users] Pass ip to server<br></div><div dir="ltr"><br></div><div dir="ltr">Hi.<br></div><div dir="ltr">I want to know if is possible that, for some site (sales.mydomain.com) the proxy server send the "real ip".<br></div><div dir="ltr"><br></div><div dir="ltr">Because i want to see in the logs of sales.mydomain.com the real ip of the machine that are going (and not the proxy ip).<br></div><div dir="ltr"><br></div><div dir="ltr">I know that i can see this in the log of squid... but, i want to know if it is possible see this in the other server.<br></div><div dir="ltr"><br></div><div dir="ltr">Thanks to all.<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">--<br></div><div dir="ltr">Sent from: <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html" target="_blank">http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html</a><br></div><div dir="ltr">_______________________________________________<br></div><div dir="ltr">squid-users mailing list<br></div><div dir="ltr"><a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr"><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 5<br></div><div dir="ltr">Date: Tue, 12 Feb 2019 14:48:51 -0700<br></div><div dir="ltr">From: Alex Rousskov <<a ymailto="mailto:rousskov@measurement-factory.com" href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>><br></div><div dir="ltr">To: <a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr">Subject: Re: [squid-users] Filering HTTPS URLs - A complete<br></div><div dir="ltr"> configuration<br></div><div dir="ltr">Message-ID:<br></div><div dir="ltr"> <<a ymailto="mailto:ed3096f0-fff0-2f8b-ddc5-e89cdbf92749@measurement-factory.com" href="mailto:ed3096f0-fff0-2f8b-ddc5-e89cdbf92749@measurement-factory.com">ed3096f0-fff0-2f8b-ddc5-e89cdbf92749@measurement-factory.com</a>><br></div><div dir="ltr">Content-Type: text/plain; charset=utf-8<br></div><div dir="ltr"><br></div><div dir="ltr">On 2/11/19 3:55 AM, Paul Doignon wrote:<br></div><div dir="ltr"><br></div><div dir="ltr">>> The closest you are going to get to the above is with:<br></div><div dir="ltr">>> * bump everything[1], and<br></div><div dir="ltr">>> * use http_access to check the https:// URLs for your policy<br></div><div dir="ltr">>> * use "deny_info TCP_RESET" [2] on the blocked requests.<br></div><div dir="ltr">>><br></div><div dir="ltr">>> [1] some things literally cannot be bumped. So a decision needs to be<br></div><div dir="ltr">>> made about what to do then.<br></div><div dir="ltr"><br></div><div dir="ltr">> I guess adding this second line will terminate those un-bumpable requests?<br></div><div dir="ltr"><br></div><div dir="ltr">No, that second ssl_bump line has no effect -- it will never be reached.<br></div><div dir="ltr"><br></div><div dir="ltr">You are probably misinterpreting what was meant by "literally cannot be<br></div><div dir="ltr">bumped". What was meant by that phrase was that bumping certain<br></div><div dir="ltr">connections always results in client and/or server errors, regardless of<br></div><div dir="ltr">how you configure Squid. In those cases, Squid will still perform the<br></div><div dir="ltr">bump action if you tell it to bump, but that action will not lead to a<br></div><div dir="ltr">functioning tunnel through Squid.<br></div><div dir="ltr"><br></div><div dir="ltr">In general, Squid itself cannot predict which connections can be<br></div><div dir="ltr">successfully bumped. You have to tell it (using ACLs, like the<br></div><div dir="ltr">whitelisted ACL in the example below).<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">> ssl_bump bump all<br></div><div dir="ltr">> ssl_bump terminate all<br></div><div dir="ltr"><br></div><div dir="ltr">The first line emulates client-first bumping. That is not what you want.<br></div><div dir="ltr"><br></div><div dir="ltr">To bump all connections, you could use something like this:<br></div><div dir="ltr"><br></div><div dir="ltr"> ssl_bump stare all<br></div><div dir="ltr"> ssl_bump bump all<br></div><div dir="ltr"><br></div><div dir="ltr">To bump all connections except whitelisted ones, you probably want<br></div><div dir="ltr">something like this:<br></div><div dir="ltr"><br></div><div dir="ltr"> ssl_bump splice whitelisted<br></div><div dir="ltr"> ssl_bump stare all<br></div><div dir="ltr"> ssl_bump bump all<br></div><div dir="ltr"><br></div><div dir="ltr">... where whitelisted is your ACL implementing your white listing policy<br></div><div dir="ltr">(i.e. matching TLS connections that should be spliced). It may use<br></div><div dir="ltr">ssl::server_name and probably other ACLs.<br></div><div dir="ltr"><br></div><div dir="ltr">More details at <a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice" target="_blank">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br></div><div dir="ltr"><br></div><div dir="ltr">Alex.<br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Message: 6<br></div><div dir="ltr">Date: Wed, 13 Feb 2019 06:22:43 +0000 (UTC)<br></div><div dir="ltr">From: "<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>" <<a ymailto="mailto:leomessi983@yahoo.com" href="mailto:leomessi983@yahoo.com">leomessi983@yahoo.com</a>><br></div><div dir="ltr">To: <<a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>><br></div><div dir="ltr">Subject: Re: [squid-users] ssl-bump does not redirect to block page<br></div><div dir="ltr">Message-ID: <<a ymailto="mailto:974828205.84661.1550038963335@mail.yahoo.com" href="mailto:974828205.84661.1550038963335@mail.yahoo.com">974828205.84661.1550038963335@mail.yahoo.com</a>><br></div><div dir="ltr">Content-Type: text/plain; charset="utf-8"<br></div><div dir="ltr"><br></div><div dir="ltr">>> aka the 'bump' action.<br></div><div dir="ltr"><br></div><div dir="ltr">> This part is misleading: Modern Squids _automatically_ bump connections<br></div><div dir="ltr">> to report [access denied] errors -- no explicit bump action is required<br></div><div dir="ltr">> (or even desirable). I do not know whether> * that bumping does not happen for leo (e.g., due to Squid bugs), or<br></div><div dir="ltr"><br></div><div dir="ltr">> * it does happen, but the browser refuses to show the error page anyway<br></div><div dir="ltr">> .(because of certificate pinning and/or because Squid did not have enough<br></div><div dir="ltr">> information to properly bump the client connection using just step1<br></div><div dir="ltr">> knowledge).<br></div><div dir="ltr"><br></div><div dir="ltr">> A packet capture or an ALL,2 cache.log may distinguish those two cases.<br></div><div dir="ltr"><br></div><div dir="ltr">> Alex.<br></div><div dir="ltr"><br></div><div dir="ltr">Hi Alex<br></div><div dir="ltr">Actually i don't understand if it could be done or not!!<br></div><div dir="ltr">Amos said it is impossible you said no!!<br></div><div dir="ltr">can you show me the correct configuration for blocking HTTPS requests with showing access denied page to clients?!<br></div><div dir="ltr"> <br></div><div dir="ltr">-------------- next part --------------<br></div><div dir="ltr">An HTML attachment was scrubbed...<br></div><div dir="ltr">URL: <<a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20190213/d8a98891/attachment.html" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/attachments/20190213/d8a98891/attachment.html</a>><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">Subject: Digest Footer<br></div><div dir="ltr"><br></div><div dir="ltr">_______________________________________________<br></div><div dir="ltr">squid-users mailing list<br></div><div dir="ltr"><a ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br></div><div dir="ltr"><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div dir="ltr">------------------------------<br></div><div dir="ltr"><br></div><div dir="ltr">End of squid-users Digest, Vol 54, Issue 24<br></div><div dir="ltr">*******************************************<br></div></div>
</div>
</div></body></html>