<div dir="ltr"><div>hi all,</div><div><br></div><div>before I continue, so sorry for the stupid question but trying to learn</div><div><br></div><div>basically here's my squid.conf</div><div><br></div><div>#NO SSL Interception<br>acl DiscoverSNIHost at_step SslBump1<br>acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"<br>ssl_bump splice NoSSLIntercept<br>ssl_bump peek DiscoverSNIHost<br>ssl_bump bump all<br><br>#SSL Bump<br>http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>acl step1 at_step SslBump1<br>ssl_bump peek step1<br>ssl_bump bump all<br>#<br>#allow special URL paths<br>acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"<br><br>#deny MIME types<br>acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"<br><br>http_reply_access allow special_url<br>http_reply_access deny mimetype<br>#<br>#HTTP_HTTPS whitelist websites<br>acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"<br><br>#HTTP_HTTPS whitelist websites regex<br>acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"<br><br>http_access allow activation whitelist<br>http_access allow activation whitelistreg<br>http_access deny all</div><div><br></div><div>in my urlwhitelist is this<br></div><div><br></div><div>#apple app store<br>.<a href="http://p18-buy.itunes.apple.com">p18-buy.itunes.apple.com</a><br>.<a href="http://gsas.apple.com">gsas.apple.com</a><br>.<a href="http://se-edge.itunes.apple.com">se-edge.itunes.apple.com</a><br>.<a href="http://ocsp2.apple.com">ocsp2.apple.com</a><br>.<a href="http://gsa.apple.com">gsa.apple.com</a><br>.<a href="http://osxapps.itunes.apple.com">osxapps.itunes.apple.com</a><br>.<a href="http://xp.apple.com">xp.apple.com</a><br>.<a href="http://search.itunes.apple.com">search.itunes.apple.com</a><br>.<a 
href="http://apptrailers-ssl.itunes.apple.com">apptrailers-ssl.itunes.apple.com</a><br>.<a href="http://apptrailers.itunes.apple.com">apptrailers.itunes.apple.com</a><br>.<a href="http://configuration.apple.com">configuration.apple.com</a><br>.<a href="http://amp-api.apps.apple.com">amp-api.apps.apple.com</a><br>.<a href="http://buy.itunes.apple.com">buy.itunes.apple.com</a><br>.<a href="http://api-edge.apps.apple.com">api-edge.apps.apple.com</a><br>.<a href="http://play.itunes.apple.com">play.itunes.apple.com</a><br>.<a href="http://s.mzstatic.com">s.mzstatic.com</a><br>.<a href="http://sf-api-token-service.itunes.apple.com">sf-api-token-service.itunes.apple.com</a><br>.<a href="http://apps.mzstatic.com">apps.mzstatic.com</a><br>.<a href="http://init.itunes.apple.com">init.itunes.apple.com</a><br>.<a href="http://bag.itunes.apple.com">bag.itunes.apple.com</a></div><div><br></div><div>in my nointerceptssl is this</div><div><br></div><div>#apple app store<br>.<a href="http://bag.itunes.apple.com">bag.itunes.apple.com</a><br>.<a href="http://apps.mzstatic.com">apps.mzstatic.com</a><br>.<a href="http://play.itunes.apple.com">play.itunes.apple.com</a><br>.<a href="http://api-edge.apps.apple.com">api-edge.apps.apple.com</a><br>.<a href="http://amp-api.apps.apple.com">amp-api.apps.apple.com</a><br>.<a href="http://xp.apple.com">xp.apple.com</a><br>.<a href="http://p18-buy.itunes.apple.com">p18-buy.itunes.apple.com</a></div><div><br></div><div>I got all the urls etc looking at tail -f access.log and grepping the ip and tcp denied</div><div><br></div><div>but when I try to load the apple app store the whitelist isn't enough, I need to add a couple of urls to the nointerceptssl</div><div><br></div><div>I got that list by doing the same method ie looking at tail -f access.log and grepping the ip but as I've already whitelisted the urls they all came back as none or ok instead of saying tcp denied</div><div><br></div><div>my question is why do I need to add some urls to the nointerceptssl and why isn't it enough just to add it to urlwhite list</div><div><br></div><div>rob<br></div><div><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div></div></div>
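<div>Added example, not part of the original post: a Python version of the access.log check described above that reports every result code per host for one client (not only TCP_DENIED) and whether the host matches the whitelist file. The function names, log lines and client IPs are constructed; it assumes Squid's default native log format and that a leading dot in a list entry covers the domain and its subdomains.</div>

```python
# Added example: log lines, IPs and the whitelist excerpt below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed format (Squid native log):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1589790001.101     12 192.168.1.50 TCP_DENIED/403 3987 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1589790002.220    340 192.168.1.50 TCP_TUNNEL/200 5120 CONNECT xp.apple.com:443 - HIER_DIRECT/203.0.113.10 -
1589790003.005      0 192.168.1.50 NONE/200 0 CONNECT bag.itunes.apple.com:443 - HIER_NONE/- -
1589790003.410     95 192.168.1.50 TCP_MISS/200 2048 GET https://bag.itunes.apple.com/sample - HIER_DIRECT/203.0.113.11 text/xml
1589790004.000     10 192.168.1.77 TCP_DENIED/403 3987 CONNECT example.org:443 - HIER_NONE/- text/html
"""

# Constructed excerpt in the style of urlwhite.txt
SAMPLE_WHITELIST = "#apple app store\n.xp.apple.com\n.bag.itunes.apple.com\n"

def load_entries(text):
    """Return list entries, skipping blank lines and '#' comments."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def is_listed(host, entries):
    """Assumption: '.example.com' covers example.com and all its subdomains."""
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in entries)

def host_of(method, url):
    """CONNECT lines log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def summarise(log_text, client_ip):
    """Map each host the client requested to the set of result codes seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == client_ip:
            seen[host_of(f[5], f[6])].add(f[3].split("/", 1)[0])
    return dict(seen)

def report(log_text, client_ip, whitelist_text):
    """Rows of (host, sorted result codes, matched by the whitelist?)."""
    entries = load_entries(whitelist_text)
    return [(h, sorted(c), is_listed(h, entries))
            for h, c in sorted(summarise(log_text, client_ip).items())]

if __name__ == "__main__":
    for host, codes, listed in report(SAMPLE_LOG, "192.168.1.50", SAMPLE_WHITELIST):
        print(f"{host:28} {','.join(codes):18} {'listed' if listed else 'NOT listed'}")
```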