[squid-users] ssl_crtd breaks after short time
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 9 13:06:12 UTC 2015
On 9/06/2015 6:44 p.m., Klavs Klavsen wrote:
> Hi,
>
> James Lay just replied to me with his current config (pretty much like
> what he posted), and it seems he does not even try to use http_access
> rules to filter on URLs from HTTPS requests.
>
> @Amos: are you certain that there's not an error in how http_access
> rules are applied to bumped connections?
As far as I know it's working as designed.
You can enable "debug_options 28,5" to see what access controls are
being run.
>
> What I noted was:
>
> Instead of having:
> http_access allow CONNECT bumpedPorts
... which matches only the pre-bumping CONNECT requests.
>
> he has:
> http_access allow SSL_ports
... which matches anything going to port 443 etc. *bumped or not.*
>
> which somehow seems to work instead.
The "working" config when applied to HTTPS requests is equivalent to:
http_access deny CONNECT !SSL_Bump
http_access allow all
>
> He only uses http_access allow rules for http sites..
Yes, read that back to yourself.
> he filters https
> on domain only - using:
> acl allowed_https_sites ssl::server_name_regex
> "/opt/etc/squid/http_url.txt"
> ssl_bump bump allowed_https_sites
> ssl_bump terminate !allowed_https_sites
>
> In my access log - using James Lay's format - Squid only logs CONNECT,
> so it seems it's not registering the step AFTER CONNECT as something
> separate - which would explain why it's not applying http_access
> filtering to it?
The HTTP message log (access.log) is only logging the HTTP(S) messages.
The non-HTTP protocols are not logged.
>
> 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT
> 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042
> TCP_TUNNEL:ORIGINAL_DST peek
This got peeked then spliced (not decrypted). There is no decrypted
message(s) to be logged or even to pass through http_access.
Amos
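The two http_access forms discussed above, side by side, as an added squid.conf excerpt (this is not configuration from the thread or from the Squid project). The ssl_bump lines and the allowed_https_sites ACL mirror the post; the dstdomain ACL allowed_https_domains and its file path are assumptions introduced to filter the decrypted requests by URL.

```squid
# Added example squid.conf excerpt, not from the thread or the Squid project.
# Names marked "assumed" do not appear in the original post.

acl SSL_ports port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Domain list used for the TLS decision (ACL and path as in the post).
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"

# Assumed: the same domains as a dstdomain list, so the decrypted
# requests (which carry an https:// URL) can be matched by http_access.
acl allowed_https_domains dstdomain "/opt/etc/squid/https_domains.txt"

# --- Weak form (what the "working" config does) ---
# A bare port match is true for the CONNECT request AND for every
# decrypted GET/POST that Squid re-injects after bumping, since those
# requests are still addressed to port 443. Every bumped request is
# therefore allowed without its URL ever being checked.
#http_access allow SSL_ports

# --- Sharpened form ---
# 1. Allow only the tunnel request, so the TLS handshake can be peeked at.
http_access allow CONNECT SSL_ports
# 2. Decrypted requests arrive here as ordinary non-CONNECT requests with
#    an https:// URL; only those to listed domains pass.
http_access allow allowed_https_domains
http_access deny all

# TLS handling: peek at step 1 so the SNI is available to
# server_name_regex, then bump allowed sites and terminate the rest.
ssl_bump peek step1
ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites

# Log every http_access evaluation while testing (as suggested above).
debug_options ALL,1 28,5
```

Check the excerpt with `squid -k parse` before reloading, then watch cache.log: with debug section 28 at level 5 each decrypted request shows up as a second http_access pass with method GET/POST, while a peeked-and-spliced connection (logged as TCP_TUNNEL in access.log) produces only the CONNECT pass.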