[squid-users] ssl_crtd breaks after short time

Klavs Klavsen kl at vsen.dk
Thu Jun 4 15:34:41 UTC 2015


I would be perfectly fine with allowing the SSL bumping to finish for
ALL https sites - and then only block when the http request comes..

I'm hoping someone can tell me what I've done wrong in my config.. I'm
obviously not understanding how it works when https is involved.. it
works as intended with http..

Klavs Klavsen wrote on 2015-06-04 16:50:
> Amos Jeffries wrote on 06/04/2015 04:19 PM:
>> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> after moving it here:
>>>
>>> http_access allow okweb-urls testsrv1
>>> http_access allow CONNECT bumpedPorts
>>> http_access deny all
>>>
>>> it still allows everything..
>>
>> Sigh. Sorry I must be half asleep right now.
>>
>> Your rules say:
>>
>>    allow ...
>>    allow ...
>>    allow ...
>>
>> So why would anything be denied?
>>
> 
> last line says: deny all
> 
> and it works for http urls.. it denies the websites not listed in
> testurls for testsrv1.
> 
>>
>> Secondly, the log line you pointed out was for peek operation. URL (for
>> url_regex ACLs to match) is not known or available until bumping
>> (specifically the full "bump" action) has been completed.
>>
> but the "allow CONNECT" line seems to make it skip the
> http_access deny all
> 
> at the bottom.. (and not parse the allows in between, which should be the
> ones allowing certain websites on https as well..)
> 
> do I need to change:
> ssl_bump bump all
> 
> to list every https site
> acl ok-httpsurls url_regex ^https://www.google.dk/$
> ssl_bump bump ok-httpsurls
> ssl_bump reject !ok-httpsurls
> 
> (so I can only use http_access for http intercept and must use ssl_bump
> for https urls) ?
> 
> 


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
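The point Amos makes above is that http_access sees the CONNECT before any bumping has happened, when the only thing known is host:port, and sees the decrypted requests again, with their full https:// URL, once the bump has completed. The following squid.conf fragment is an added illustration of that two-pass evaluation written for this page; it is not Klavs's config or anything posted in the thread, and the thread does not say whether this layout fixes his case. It assumes Squid 3.5 in intercept mode; the ACL names testsrv1, bumpedPorts and okweb-urls are reused from the thread, but the client address, ports, certificate paths and the google.dk pattern are placeholders chosen here.

```conf
# Added example, not the poster's config. Assumes Squid 3.5 with
# intercept ports and a CA certificate for ssl_crtd to sign with.

http_port  3128
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

acl testsrv1     src 192.0.2.10         # placeholder client address
acl bumpedPorts  port 443
acl step1        at_step SslBump1

# Only a decrypted (already bumped) request carries an https:// URL.
# The CONNECT itself has a "host:port" URL, so this regex never matches it.
acl okweb-urls   url_regex ^https?://www\.google\.dk/

# Pass 1: the CONNECT tunnel is checked here before any bumping. The URL
# is still unknown, so only the tunnel to port 443 is allowed; if this were
# denied, the bump would never run and the URL could never be inspected.
http_access allow CONNECT bumpedPorts testsrv1

# Pass 2: after ssl_bump finishes, each decrypted GET/POST is checked by
# http_access again with its full https:// URL, and this line decides.
http_access allow okweb-urls testsrv1

# Everything else, plain http and decrypted https alike, is refused.
http_access deny all

# Peek at step 1 to learn the client's SNI, then bump so the full URL
# becomes visible to the url_regex ACL above.
ssl_bump peek step1
ssl_bump bump all
```

Two things to check when this still seems to "allow everything": that the decrypted requests really are being logged with an https:// URL (a log line for the CONNECT or the peek step will show only host:port, which is the situation Amos describes), and that no earlier http_access allow line matches on a criterion such as the client address alone, since the first matching line wins and deny all is never reached for that request.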
