<div dir="ltr"><div>Hi
<span class="gmail-im">Eliezer</span>,</div><div><br></div><div>Unfortunately that did not work, i.e.</div><div><br></div><div>
acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$<br>
acl NoSSLInterceptDstDom ssl::server_name .<a href="http://redshift3d.com" rel="noreferrer" target="_blank">redshift3d.com</a><br>
<br>
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptRegEx<br>
<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLInterceptAnyOf<br>
ssl_bump bump all <br></div><div><br></div><div>But strangely, on the firewall, if I make a rule for that network, port 80, 443 to access
<a href="http://redshift3d.com" rel="noreferrer" target="_blank">redshift3d.com</a>, it works, so I've narrowed it down to Squid.<br></div><div><br></div><div>thanks,</div><div>rob<br></div><div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 29 Jun 2023 at 11:40, <<a href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hey Rob,<br>
<br>
it’s a great question.<br>
I will assume you are using squid 5.x since it’s the stable one.<br>
There is a configuration reference documentation at:<br>
<a href="http://www.squid-cache.org/Versions/v5/cfgman/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Versions/v5/cfgman/</a><br>
<br>
And the relevant one is ‘acl’:<br>
<a href="http://www.squid-cache.org/Versions/v5/cfgman/acl.html" rel="noreferrer" target="_blank">http://www.squid-cache.org/Versions/v5/cfgman/acl.html</a><br>
<br>
In the config we have the following options:<br>
* dstdom_regex<br>
* dstdomain<br>
* ssl::server_name<br>
* ssl::server_name_regex<br>
<br>
Each one of them is different in two things.<br>
The dstdomain is happening when the http request verification is done, usually in the http_access part.<br>
So for a CONNECT request in your case it should work but will only work for http_access rules ie allow or deny the connection being proxied by the proxy.<br>
All this happens before the bump stage.<br>
The dstdom_regex is doing the same but with another "lookup" mechanism.<br>
Just to illustrate we will use the domain <a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a>.<br>
<br>
With dstdomain .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>, which is a wildcard domain, www.example.com will match since what it does is:<br>
Take apart the .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> into .com and .example and example (logically, not what the code actually does)<br>
Then when a request for <a href="http://www.example-2.com" rel="noreferrer" target="_blank">www.example-2.com</a> arrives the dstdomain acl checks the strings one by one ie:<br>
com<br>
example-2<br>
www<br>
<br>
So the "com" would match and since it has a dot "." as a prefix it continues to the next part of the domain name ie:<br>
example-2<br>
<br>
and it will try to match it to "example" from the ".<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>".<br>
Then it will fail and therefore it will declare the specific definition in the acl as "do not match".<br>
But for www.example.com it would be different:<br>
<br>
Squid will find that the .com is in the "com" part of <a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a> and will continue to the next part ie<br>
"example" and it will match.<br>
Then it will see the dot "." which means that all subdomains are a part of this rule ie both <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> and any other domain<br>
under .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> will match so... <a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a> and <a href="http://www2.example.com" rel="noreferrer" target="_blank">www2.example.com</a> and <a href="http://w.example.com" rel="noreferrer" target="_blank">w.example.com</a> will match and this is compared to<br>
<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
<br>
with dstdomain <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> it will only match a full match of <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> but not <a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a> and it's pointless to define both:<br>
- <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
- .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
<br>
In the same acl file.<br>
Squid will compare it to the basic proxy url request and the Host: header inside of it.<br>
(Amos might remember which one of these wins or which one is the main one)<br>
<br>
So that's how a dstdomain test works.<br>
The dstdom_regex is applied on the same "part" of the proxy request ie request url and Host header but...<br>
Tries to match it with a regex that is much more CPU intensive but can do magic if you know how to use it right.<br>
The pros are that you can use one regex to match about 100 domains however dstdomain is much faster in many cases.<br>
To test regex in general I love:<br>
<a href="https://rubular.com/" rel="noreferrer" target="_blank">https://rubular.com/</a><br>
<br>
and it's very simple to put a line with the url or the domain itself and write the pattern and then get instant result.<br>
There are many sites which do this exact same thing.<br>
You need: <a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a> for the test.<br>
<br>
For the server_name dstdom and regex the difference is on what part of the "known" information on the request done.<br>
Ie it's not on the known plain text proxy request but a "peek" into the client or server TLS part of the connection bumping.<br>
It's possible on TLS 1.2 with ease but 1.3 with encryption it's a whole other story.<br>
(Alex and his team are more involved in this part than me)<br>
<br>
It's a bit more complex in the server_name part since from what I remember the server_name can be the SNI itself or parts of the<br>
certificate of the server.<br>
In the certificate of the server in many cases there is no real domain but a catch all ie multidomain which is for example:<br>
*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
<br>
The ssl::server_name is like dstdomain so .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> should match both SNI with <a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a> and the *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
If it doesn't then it’s a bug..<br>
<br>
About the ssl::server_name_regex you will need to test and match the regex against a couple of possibilities that are in the certificate ie:<br>
*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
<a href="http://activation.example.com" rel="noreferrer" target="_blank">activation.example.com</a><br>
<br>
etc...<br>
<br>
The current certificate I see is:<br>
Certificate:<br>
Data:<br>
Version: 3 (0x2)<br>
Serial Number:<br>
c0:71:02:fc:1f:e5:64:5b:0d:d6:ae:c8:1a:17:e6:80<br>
Signature Algorithm: sha256WithRSAEncryption<br>
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA<br>
Validity<br>
Not Before: Dec 14 00:00:00 2022 GMT<br>
Not After : Jan 12 23:59:59 2024 GMT<br>
Subject: CN = <a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a><br>
Subject Public Key Info:<br>
Public Key Algorithm: rsaEncryption<br>
RSA Public-Key: (2048 bit)<br>
Modulus:<br>
00:cd:f9:bd:58:a4:7a:16:3f:23:12:9d:e0:1e:39:<br>
a0:ef:66:ae:b3:ae:32:5c:69:9e:cc:89:83:fb:a2:<br>
e0:c7:9d:86:aa:e6:9b:b3:d9:0c:bb:35:36:2f:cf:<br>
be:ec:1e:62:ca:d8:ab:16:66:6e:00:8d:f7:42:3d:<br>
5b:d6:bf:a0:30:a1:c2:6f:5e:69:76:ef:0c:38:73:<br>
d2:e8:42:b8:83:04:a3:2c:da:22:a4:c4:13:71:38:<br>
36:00:1b:e7:b3:f0:fe:6e:59:17:11:e7:0a:81:3e:<br>
04:b2:ad:e0:61:c1:15:f3:9a:36:33:24:a6:f1:0d:<br>
b6:e6:32:91:34:54:7c:da:40:14:72:06:25:91:78:<br>
75:07:84:62:47:7b:3f:05:60:e6:35:d3:27:55:1e:<br>
ff:23:82:18:09:f5:8a:0f:a6:cb:02:bc:d6:09:98:<br>
54:5b:10:e3:d2:09:4e:31:2a:75:42:29:00:86:9b:<br>
f9:78:2f:fd:99:9e:2e:10:3e:bc:84:f5:9b:3a:3f:<br>
fa:d9:b6:20:c0:2e:86:f3:de:14:be:3a:1a:05:30:<br>
3b:00:e6:50:8d:4c:13:a3:97:dc:f4:03:9e:84:31:<br>
0d:23:f2:02:50:6d:53:a5:30:03:b0:fd:f2:46:64:<br>
49:22:a4:d1:5a:00:fb:78:37:fc:51:b1:f0:6e:41:<br>
3b:5d<br>
Exponent: 65537 (0x10001)<br>
X509v3 extensions:<br>
X509v3 Authority Key Identifier:<br>
keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1<br>
<br>
X509v3 Subject Key Identifier:<br>
5D:BC:D9:F2:C4:99:83:5E:C0:3A:F1:BF:FE:F2:E3:92:92:F1:F0:29<br>
X509v3 Key Usage: critical<br>
Digital Signature, Key Encipherment<br>
X509v3 Basic Constraints: critical<br>
CA:FALSE<br>
X509v3 Extended Key Usage:<br>
TLS Web Server Authentication, TLS Web Client Authentication<br>
X509v3 Certificate Policies:<br>
Policy: 1.3.6.1.4.1.6449.1.2.2.7<br>
CPS: <a href="https://sectigo.com/CPS" rel="noreferrer" target="_blank">https://sectigo.com/CPS</a><br>
Policy: 2.23.140.1.2.1<br>
<br>
Authority Information Access:<br>
CA Issuers - URI:<a href="http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt" rel="noreferrer" target="_blank">http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt</a><br>
OCSP - URI:<a href="http://ocsp.sectigo.com" rel="noreferrer" target="_blank">http://ocsp.sectigo.com</a><br>
<br>
X509v3 Subject Alternative Name:<br>
DNS:<a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a>, DNS:<a href="http://www.activate.redshift3d.com" rel="noreferrer" target="_blank">www.activate.redshift3d.com</a><br>
CT Precertificate SCTs:<br>
Signed Certificate Timestamp:<br>
Version : v1 (0x0)<br>
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:<br>
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74<br>
Timestamp : Dec 14 15:34:39.227 2022 GMT<br>
Extensions: none<br>
Signature : ecdsa-with-SHA256<br>
30:44:02:20:6E:D0:96:68:F3:07:A0:5F:DD:C5:B2:61:<br>
2F:51:6B:06:4A:3C:7F:9B:DA:08:6D:5A:31:0D:B8:0B:<br>
83:7D:D6:37:02:20:64:66:3F:A2:40:87:78:9E:C8:90:<br>
7C:EE:7C:77:3C:BB:43:C1:9F:52:54:F1:04:85:B6:AC:<br>
6B:F2:36:8E:E3:03<br>
Signed Certificate Timestamp:<br>
Version : v1 (0x0)<br>
Log ID : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:<br>
67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17<br>
Timestamp : Dec 14 15:34:39.153 2022 GMT<br>
Extensions: none<br>
Signature : ecdsa-with-SHA256<br>
30:44:02:20:69:BA:F2:DD:32:B3:48:0C:26:E3:FB:F0:<br>
DD:4E:5E:10:95:1E:B4:59:5B:67:64:C4:F2:40:7C:A8:<br>
62:35:71:FE:02:20:13:15:41:26:E5:9C:DB:34:DA:D7:<br>
B9:CB:B3:1A:4E:33:C7:46:7F:D9:93:45:25:7F:DE:A3:<br>
72:EB:07:03:DB:C5<br>
Signed Certificate Timestamp:<br>
Version : v1 (0x0)<br>
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:<br>
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B<br>
Timestamp : Dec 14 15:34:39.124 2022 GMT<br>
Extensions: none<br>
Signature : ecdsa-with-SHA256<br>
30:45:02:20:2C:E2:85:9C:A6:54:1B:1C:31:E5:F8:37:<br>
E9:CD:09:8B:D8:26:29:E4:C7:65:94:9C:FF:32:D2:41:<br>
CD:16:A3:51:02:21:00:A0:2F:C3:F7:A6:55:3B:21:EB:<br>
9B:CA:6E:4E:07:A2:8C:40:4B:E2:27:D6:82:44:0F:09:<br>
C9:F7:7D:1B:72:6F:13<br>
Signature Algorithm: sha256WithRSAEncryption<br>
25:bd:bb:de:57:c0:7f:07:5e:18:62:2e:0b:d3:03:54:a7:45:<br>
ab:c6:1f:e2:f6:58:ff:6e:8e:6b:4f:09:9a:87:66:32:81:7f:<br>
f4:35:4f:7e:65:e5:6a:04:d6:62:62:ff:d9:3a:f2:6f:19:ba:<br>
fa:e6:35:0e:2a:44:5c:3b:ee:9d:97:72:05:86:0c:4c:01:c1:<br>
f0:8c:21:c1:c4:84:54:d8:a8:05:25:18:72:db:f7:53:9b:f1:<br>
13:d6:0b:bc:92:6e:01:e3:fd:de:a1:45:e9:29:37:e1:2e:64:<br>
36:b4:4d:38:c1:60:02:6a:17:3d:87:a2:5f:33:3b:86:eb:0d:<br>
cc:dd:fa:d4:43:58:50:43:e7:b7:ec:0a:4f:86:72:15:e5:30:<br>
c9:bb:5f:0b:83:9c:26:6f:60:49:dd:1a:7c:92:45:45:4e:b5:<br>
ce:cd:64:8c:12:83:e9:3d:5c:6b:65:97:75:99:4c:66:eb:d0:<br>
3a:ca:18:62:8a:08:07:16:ab:09:66:bd:65:43:94:00:d9:79:<br>
3e:84:b4:60:7d:7e:f9:09:3c:fe:2d:ad:98:94:17:0c:24:8f:<br>
e1:a2:74:b6:3b:68:c0:01:f9:67:e8:b9:d2:6a:65:9e:99:a3:<br>
4a:5f:39:31:ae:c1:59:02:7b:ef:db:b2:94:06:f8:1a:74:c1:<br>
d7:5b:5b:6a<br>
<br>
So the DNS names it will check are:<br>
Subject: CN = <a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a><br>
DNS:<a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a>, DNS:<a href="http://www.activate.redshift3d.com" rel="noreferrer" target="_blank">www.activate.redshift3d.com</a><br>
<br>
So to summarize, the checks of ssl::server_name will be done on:<br>
* <a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a><br>
* <a href="http://activate.redshift3d.com" rel="noreferrer" target="_blank">activate.redshift3d.com</a><br>
* <a href="http://www.activate.redshift3d.com" rel="noreferrer" target="_blank">www.activate.redshift3d.com</a><br>
<br>
So .<a href="http://redshift3d.com" rel="noreferrer" target="_blank">redshift3d.com</a> ssl::server_name should match the certificate.<br>
If for any reason it doesn't work you can try ssl::server_name_regex with something like:<br>
(^|\.)activate\.redshift3d\.com$<br>
<br>
Or just to verify if there is a bug in squid code try:<br>
(^|\.)activate\.redshift3d\.com<br>
<br>
Now, the splice should be able to take into account also dstdomain and dstdom_regex but it should match them only if they exist in a plain text<br>
form like in any simple forward proxy CONNECT request.<br>
If for any reason it doesn’t work we should investigate what might cause this issue.<br>
<br>
I hope the scroll I wrote makes sense to you and with hopes it will clear out the doubts about the wiki article you mentioned.<br>
I believe this is considered a summary of the subject and if Alex and others might think so it can be converted into an example article in the wiki.<br>
<br>
Let me know if this makes sense and resolves the issue.<br>
<br>
Yours,<br>
Eliezer<br>
<br>
From: robert k Wild <<a href="mailto:robertkwild@gmail.com" target="_blank">robertkwild@gmail.com</a>> <br>
Sent: Thursday, June 29, 2023 12:18<br>
To: <a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a><br>
Cc: Squid Users <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Subject: Re: [squid-users] make URL bypass squid proxy<br>
<br>
very clever, so you bunch all the acls up <br>
<br>
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile <br>
<br>
the key word is "any-of" ie if the url hits any one do that first<br>
<br>
what about instead of making it <br>
<br>
ssl::server_name_regex <br>
<br>
i make it<br>
<br>
dstdom_regex<br>
<br>
On Thu, 29 Jun 2023 at 01:38, <<a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a>> wrote:<br>
Hey Rob,<br>
<br>
The first thing is to allow the domain in the http_access just to be sure and use a basic deny all bottom line.<br>
Let me try to simplify your squid.conf<br>
In a link:<br>
<a href="https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e" rel="noreferrer" target="_blank">https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e</a><br>
<br>
In plain text:<br>
## START OF FILE<br>
# SSL Interception basic rules<br>
acl DiscoverSNIHost at_step SslBump1<br>
<br>
acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$<br>
acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"<br>
<br>
acl NoSSLInterceptDstDom ssl::server_name .<a href="http://redshift3d.com" rel="noreferrer" target="_blank">redshift3d.com</a><br>
acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"<br>
<br>
## any-of will test whatever rule matches first, in a first match/hit fashion<br>
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile<br>
<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLInterceptAnyOf<br>
ssl_bump bump all<br>
<br>
#SSL Bump port<br>
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>
<br>
## http_access acls, will apply on incoming requests and not on responses<br>
## (^|.*\.) is not usable after "://": the ^ alternative can never match there, so the bare domain would be missed;<br>
## an optional host label that cannot cross a "/" keeps the match inside the host part of the URL<br>
acl special_url_regex url_regex ^https?://([^/]*\.)?redshift3d\.com/<br>
acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"<br>
<br>
acl special_url_dst_dom dstdomain .<a href="http://redshift3d.com" rel="noreferrer" target="_blank">redshift3d.com</a><br>
acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"<br>
<br>
acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file<br>
<br>
acl localnet src 192.168.0.0/16<br>
acl localnet src 10.0.0.0/8<br>
<br>
http_access allow localnet special_url_any_of<br>
http_access deny all<br>
## END OF FILE<br>
<br>
Once the above works, try to add other http_access rules like reply access rules.<br>
<br>
Let me know what happens,<br>
Eliezer<br>
<br>
From: robert k Wild <<a href="mailto:robertkwild@gmail.com" target="_blank">robertkwild@gmail.com</a>> <br>
Sent: Tuesday, June 27, 2023 09:36<br>
To: <a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a><br>
Cc: Squid Users <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Subject: Re: [squid-users] make URL bypass squid proxy<br>
<br>
Hi Eliezer,<br>
<br>
this is a snippet of my whitelist and no intercept SSL config<br>
<br>
#SSL Interception<br>
acl DiscoverSNIHost at_step SslBump1<br>
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLIntercept<br>
ssl_bump bump all<br>
#<br>
#SSL Bump<br>
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>
#<br>
#deny up MIME types<br>
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"<br>
#<br>
#deny URL links<br>
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"<br>
#<br>
#allow special URL paths<br>
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"<br>
#<br>
#deny down MIME types<br>
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"<br>
#<br>
http_reply_access allow special_url<br>
http_reply_access deny downmime<br>
#http_access deny upmime<br>
#http_access deny url_links<br>
#<br>
#HTTP_HTTPS whitelist websites<br>
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"<br>
#<br>
http_access allow activation whitelist<br>
http_access deny all<br>
<br>
so basically no SSL interception<br>
<br>
#SSL Interception<br>
acl DiscoverSNIHost at_step SslBump1<br>
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"<br>
ssl_bump peek DiscoverSNIHost<br>
ssl_bump splice NoSSLIntercept<br>
ssl_bump bump all <br>
<br>
and whitelisting<br>
<br>
#HTTP_HTTPS whitelist websites<br>
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt" <br>
<br>
in both txt files ie<br>
<br>
/usr/local/squid/etc/interceptssl.txt <br>
/usr/local/squid/etc/urlwhite.txt <br>
<br>
I have a URL that first I have to whitelist and then, if I want Squid not to inspect the URL traffic, I put it in the SSL interception (I do this as some websites don't like MITM).<br>
<br>
But even putting the URL in question in both files I'm still having issues with this website, i.e. it's still being detected that it's passing through a proxy.<br>
<br>
thanks,<br>
rob<br>
<br>
On Mon, 26 Jun 2023 at 23:35, <<a href="mailto:ngtech1ltd@gmail.com" target="_blank">ngtech1ltd@gmail.com</a>> wrote:<br>
Hey Robert,<br>
<br>
I am not sure what forward proxy setup you have there.<br>
A simple forward proxy?<br>
What tool are you using for whitelisting?<br>
You can use an external acl helper to allow dynamic updates of the whitelists or<br>
periodically update your lists and reload.<br>
It will depend on the size of your lists.<br>
What OS are you using for your squid proxy?<br>
<br>
More details will help us help you.<br>
<br>
Eliezer<br>
<br>
From: squid-users <<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>> On Behalf Of robert k Wild<br>
Sent: Monday, June 26, 2023 22:25<br>
To: Squid Users <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
Subject: [squid-users] make URL bypass squid proxy<br>
<br>
hi all,<br>
<br>
I have set up Squid for URL whitelisting and no intercept SSL (see below)<br>
<br>
<a href="https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts</a><br>
<br>
But for some websites I want the client to bypass the Squid proxy and go straight to the website, as I think this is why a URL isn't working even when I add the URL to both files, i.e. urlwhite and no intercept SSL.<br>
<br>
<br>
<br>
thanks,<br>
rob<br>
<br>
-- <br>
Regards, <br>
<br>
Robert K Wild.<br>
<br>
<br>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div>
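<p>Added example, not code from this thread or from Squid itself: a small Python model of the matching rules Eliezer describes above (dstdomain / ssl::server_name with and without the leading dot, the ssl::server_name_regex pattern, and url_regex searched in the whole request URL), run against the thread's own names. The function names, the treatment of a wildcard certificate name, and the tightened url_regex pattern are our assumptions; the certificate names are the CN and SAN entries from the certificate dump in the thread.</p>

```python
import re
from typing import List, Optional

# Added illustration (not Squid source): models the ACL matching rules
# described in the thread so the squid.conf values can be checked offline.


def dstdomain_match(acl_value: str, host: str) -> bool:
    """dstdomain / ssl::server_name style match.

    A leading dot ('.example.com') matches the domain itself and every
    subdomain; without the dot only an exact match counts. Case-insensitive.
    """
    acl_value = acl_value.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value


def cert_name_match(acl_value: str, cert_name: str) -> bool:
    """Match an ACL value against one certificate CN or SAN entry.

    Assumption (our reading of the thread): a wildcard entry '*.example.com'
    is compared by its base domain, so '.example.com' covers it.
    """
    if cert_name.startswith("*."):
        return dstdomain_match(acl_value, cert_name[2:])
    return dstdomain_match(acl_value, cert_name)


def server_name_match(acl_value: str, sni: Optional[str], cert_names: List[str]) -> bool:
    """ssl::server_name style check: the SNI first, then the certificate names."""
    if sni and dstdomain_match(acl_value, sni):
        return True
    return any(cert_name_match(acl_value, name) for name in cert_names)


# CN and SAN entries copied from the certificate dump in the thread.
REDSHIFT_CERT_NAMES = [
    "activate.redshift3d.com",       # Subject CN
    "activate.redshift3d.com",       # SAN
    "www.activate.redshift3d.com",   # SAN
]

# Patterns from the thread, plus a tightened url_regex (our proposal, not from the thread).
SNI_REGEX = re.compile(r"(^|.*\.)redshift3d\.com$")
URL_REGEX_ORIG = re.compile(r"https?://(^|.*\.)redshift3d\.com/")
URL_REGEX_FIXED = re.compile(r"^https?://([^/]*\.)?redshift3d\.com/")


def url_regex_match(pattern: re.Pattern, url: str) -> bool:
    """url_regex style check: the pattern is searched in the whole request URL."""
    return pattern.search(url) is not None


if __name__ == "__main__":
    # Eliezer's worked examples
    print(dstdomain_match(".example.com", "www.example.com"))    # True
    print(dstdomain_match(".example.com", "www.example-2.com"))  # False
    print(dstdomain_match("example.com", "www.example.com"))     # False
    print(server_name_match(".redshift3d.com", "activate.redshift3d.com", REDSHIFT_CERT_NAMES))  # True
    print(server_name_match(".example.com", None, ["*.example.com"]))  # True
    # After "https?://" the "^" alternative can never match, so the bare domain is missed
    print(url_regex_match(URL_REGEX_ORIG, "https://redshift3d.com/activate"))   # False
    print(url_regex_match(URL_REGEX_FIXED, "https://redshift3d.com/activate"))  # True
    # ".*\." reaches past the host into the path; "[^/]*" keeps the match within the host
    # ("other.example" is a constructed name)
    print(url_regex_match(URL_REGEX_ORIG, "https://other.example/a.redshift3d.com/"))   # True
    print(url_regex_match(URL_REGEX_FIXED, "https://other.example/a.redshift3d.com/"))  # False
```

<p>The same <code>(^|.*\.)</code> group behaves differently in the two ACL types: as the first thing in an ssl::server_name_regex it lets the bare domain and every subdomain match, but once <code>https?://</code> precedes it in a url_regex the <code>^</code> branch is dead, and the <code>.*</code> branch is free to run past the host into the path. Anchoring the pattern and restricting the optional host labels to <code>[^/]*</code> is the usual way to keep a url_regex allow rule tied to the host.</p>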