<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<pre>Hi everyone,
if I put whitelist_regex in the below config, whichever domains I try to browse in the browser say <b>SSL_ERROR_RX_RECORD_TOO_LONG</b></pre>
<pre>
Thanks,
Udhayakumar.
</pre>
<div class="moz-cite-prefix">On 2/5/25 4:17 PM, udhayakumar wrote:<br>
</div>
<blockquote type="cite"
cite="mid:37b911c2-faa0-8679-0032-76d4ab92261b@fatpipeinc.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<pre>Hi everyone,
I am facing a small issue: I need to bypass some domains like banks and general domains such as the search engines Google and Yahoo. Currently I am doing SSL bump on all sites. How do I bypass those domains, i.e. how do I create the connection between server and client without decrypting it? Below is my config
=================================================================
http_port 3128
http_port 3129 tproxy
https_port 3127 tproxy ssl-bump cert=/etc/squid_av/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:RC4:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=ALL:NO_SSLv3
# don't verify the peer; accept it even when validation reports an error
#tls_outgoing_options flags=DONT_VERIFY_PEER
tls_outgoing_options flags=DONT_VERIFY_DOMAIN
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
icp_port 0
digest_generation off
error_default_language en
#logformat icap_squid %tl %>a %>p %<A %la %lp %<la %<lp %tr %dt
#icap_log /var/log/squid/access.log
#logformat customlog (%tl) source_ip=%>a src_port=%>p user=%ui [%tl] "%rm %ru HTTP/%rv" status=%>Hs size=%<st user_agent="%{User-Agent}>h"
cache_log /var/log/squid/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
log_icp_queries off
logfile_rotate 1
# squid worker config, optimized for the processor count
workers 16
cpu_affinity_map process_numbers=1,2 cores=1,3
# certificate mimic
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB -b 2048
logfile_rotate 2
debug_options rotate=2
#proxy options
hosts_file /etc/hosts
fqdncache_size 6000
visible_hostname fatpipe_proxy
collapsed_forwarding on
forwarded_for transparent
via on
httpd_suppress_version_string on
uri_whitespace strip
shutdown_lifetime 3 seconds
url_rewrite_host_header on
# logging: strip query terms from logged URLs
strip_query_terms on
# cache option: half the amount of RAM
cache_mem 8096 MB
memory_cache_mode always
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
# cache allocation: the disk store is written block by block, which helps disk I/O
cache_dir rock /var/spool/rockfs/squid_cache 20000 max-size=32768 max-swap-rate=250 swap-timeout=200
max_stale 1 week
on_unsupported_protocol tunnel
offline_mode off
# cache low and high water marks
cache_swap_low 90
cache_swap_high 96
cache allow all
#pipelining for HTTP pipelining
pipeline_prefetch 6
acl SSL_ports port 443 #https
acl SSL_ports port 563 # snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl purge method PURGE
acl CONNECT method CONNECT
#new tweak
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl allsrc src all
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
#skip lan subnet
#acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
#sslproxy_cert_error allow localnet DomainMismatch
#sslproxy_cert_error deny all
# Define a list of websites to skip the proxy
#acl sslwhitelist ssl::server_name_regex -i "/etc/squid_av/whitelist_regex.acl"
#acl allowed_sites ssl::server_name "/etc/squid_av/whitelist.acl"
#acl local-external dstdomain .google.com .icicibank.com
#always_direct allow local-external
#acl allowed_sites ssl::server_name .foo.com .hdfcbank.com .copilot.microsoft.com
#sslproxy_cert_error allow allowed_sites
host_verify_strict off
ssl_bump peek step1
#ssl_bump splice sslwhitelist
#ssl_bump splice allowed_sites
ssl_bump bump all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
#request header config
quick_abort_min 0 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
#delay_pools config
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
#acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
#delay_access 1 allow throttle_exts
#delay_access 1 deny allsrc
# Set YouTube safesearch restriction
#acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
#request_header_access YouTube-Restrict deny all
#request_header_add YouTube-Restrict moderate youtubedst
ssl_bump peek step1
ssl_bump bump all
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all
#debug_options ALL,1
sslproxy_cert_error allow all
negative_ttl 0 seconds
negative_dns_ttl 1 second
# Leave coredumps in the first cache dir
coredump_dir /var/log/dump/squid
/udhayakumar.
</pre>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
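<p>Added example, not the poster's config and not from the Squid project: the ssl_bump ordering that splices an allow-list of server names without decrypting them and bumps everything else, which is what the original post asks for. It assumes the allow-list path /etc/squid_av/whitelist.acl from the commented-out lines; the sample file contents and the ACL name nobump_sites are constructed.</p>

```conf
# Added example, not the poster's squid.conf. Goal: do not decrypt
# allow-listed sites (banks, search engines), decrypt the rest.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Assumed allow-list, one entry per line, loaded from a file.
# A leading dot matches the domain and all of its subdomains.
# Constructed sample contents of /etc/squid_av/whitelist.acl:
#   .icicibank.com
#   .hdfcbank.com
#   .google.com
#   .yahoo.com
acl nobump_sites ssl::server_name "/etc/squid_av/whitelist.acl"

# If the file holds regular expressions instead, use
# ssl::server_name_regex and anchor them, e.g. (^|\.)google\.com$
# because an unanchored ".google.com" also matches "xgooglexcom".

# ssl_bump rules are tested top to bottom at every step; keep exactly
# one copy of this block (rules after "bump all" are never reached).
# With tproxy interception there is no CONNECT request, so the server
# name only becomes known after peeking at the ClientHello SNI in step1.
ssl_bump peek step1            # read SNI, leave the handshake untouched
ssl_bump splice nobump_sites   # step2: relay TLS bytes without decrypting
ssl_bump bump all              # everything else is decrypted for ICAP

# Spliced connections are validated by the browser, not by Squid, so
# neither sslproxy_cert_error nor tls_outgoing_options apply to them.
```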
</body>
</html>