[squid-users] ssl_crtd breaks after short time

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 9 13:06:12 UTC 2015


On 9/06/2015 6:44 p.m., Klavs Klavsen wrote:
> Hi,
> 
> James Lay just replied to me with his current config.. (pretty much like
> what he posted), and it seems he does not even try to use http_access
> rules to filter on urls from https requests..
> 
> @Amos: are you certain that there's not an error in how http_access
> rules are applied to bumped connections?

As far as I know it's working as designed.

You can enable "debug_options 28,5" to see what access controls are
being run.


> 
> What I noted was:
> 
> Instead of having:
> http_access allow CONNECT bumpedPorts

... which matches only the pre-bumping CONNECT requests.

> 
> he has:
> http_access allow SSL_ports

... which matches anything going to port 443 etc. *bumped or not.*

> 
> which somehow seems to work instead.

The "working" config when applied to HTTPS requests is equivalent to:

  http_access deny CONNECT !SSL_Bump
  http_access allow all


> 
> He only uses http_access allow rules for http sites..

Yes, read that back to yourself.


> he filters https
> on domain only - using:
> acl allowed_https_sites ssl::server_name_regex
> "/opt/etc/squid/http_url.txt"
> ssl_bump bump allowed_https_sites
> ssl_bump terminate !allowed_https_sites
> 
> in my access log - using James Lay's format - squid only logs CONNECT..
> so it seems it's not registering the step AFTER CONNECT as something
> separate - which would explain why it's not applying http_access
> filtering to it ?

The HTTP message log (access.log) is only logging the HTTP(S) messages.
The non-HTTP protocols are not logged.

> 
> 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT
> 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042
> TCP_TUNNEL:ORIGINAL_DST peek

This got peeked then spliced (not decrypted). There is no decrypted
message(s) to be logged or even to pass through http_access.

Amos
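The distinction drawn above (an allow scoped to the CONNECT step versus an allow on the port, which also matches the decrypted requests), written out as an added squid.conf fragment for the Squid 3.5 ssl_bump directives; it is not from this thread or from either poster's config, and the intercept port, certificate path and list-file paths are placeholders.

```conf
# Added example (not from the thread): ssl_bump with http_access rules that
# still filter the decrypted requests. Paths and port are placeholders.

http_port 3129 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/placeholder-ca.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl SSL_ports port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Domain list used for the bump/terminate decision. Peeking at step 1 is
# what makes the SNI available to ssl::server_name_regex; without it the
# regex only sees the CONNECT destination (an IP address in intercept mode).
acl allowed_https_sites ssl::server_name_regex "/etc/squid/https_domains.txt"
ssl_bump peek step1
ssl_bump bump allowed_https_sites
ssl_bump terminate all

# URL list to apply to the decrypted GET/POST requests inside bumped tunnels.
acl allowed_urls url_regex "/etc/squid/http_url.txt"

http_access deny CONNECT !SSL_ports

# WEAK: matches every request whose destination port is 443, bumped or not.
# The decrypted requests are allowed here before allowed_urls is ever checked.
#http_access allow SSL_ports

# Scoped: only the (real or intercept-generated) CONNECT that precedes
# bumping has method CONNECT, so only that pre-bump request matches here.
http_access allow CONNECT SSL_ports

# Decrypted requests have method GET/POST/..., fall past the CONNECT rule,
# and are filtered by these rules. Peeked-then-spliced traffic never gets
# here: there is no decrypted message, so only the CONNECT line is logged.
http_access allow allowed_urls
http_access deny all
```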

