[squid-users] ssl_crtd breaks after short time
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 4 22:33:39 UTC 2015
On 5/06/2015 2:50 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/04/2015 04:19 PM:
>> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> after moving it here:
>>>
>>> http_access allow okweb-urls testsrv1
>>> http_access allow CONNECT bumpedPorts
>>> http_access deny all
>>>
>>> it still allows everything..
>>
>> Sigh. Sorry I must be half aslep right now.
>>
>> Your rules say:
>>
>> allow ...
>> allow ...
>> allow ...
>>
>> So why would anything be denied?
>>
>
> last line says: deny all
>
> and it works for http urls.. it denies the websites not listed in
> testurls for testsrv1.
Okay. Those *are* the decrypted messages.
What you just said there tels me that your ACLs are working correctly.
Picture me confused. :-O
>
>>
>> Secondly, the log line you pointed out was for peek operation. URL (for
>> url_regex ACLs to match) is not known or available until bumping
>> (specifically the full "bump" action) has been completed.
>>
> but the "allow CONNECT" line, seems to make it skip the
> http_access deny all
>
> at the bottom.. (and not parse the allows in between which should be the
> ones allowing certain websites on https as well..
>
> do I need to change:
> ssl_bump bump all
>
> to list every https site
> acl ok-httpsurls url_regex ^https://www.google.dk/$
> ssl_bump bump ok-httpsurls
> ssl_bump reject !ok-httpsurls
Er, yes. The scheme is assumed to be https:// due to TLS existence, the
domain is given in SNI. But the URL path is still private/encrypted.
So the URL will never match any pattern with path component, and is
unlikely to even attempt matching in current Squid.
>
> (so I an only use http_access for http intercept and must use ssl_bump
> for https urls) ?
>
https:// URL requests will be passed by http_access like any other
traffic, but with the caveat that it happens only after the connection
has already been/being decrypted. AKA *after* "ssl_bump bump ..." has
been matched.
Amos
More information about the squid-users
mailing list