[squid-users] acl for redirect
Amos Jeffries
squid3 at treenet.co.nz
Fri Jun 26 05:29:56 UTC 2015
On 26/06/2015 2:36 a.m., Mike wrote:
> Amos, thanks for info.
>
> The primary settings being used in squid.conf:
>
> http_port 8080
> # this port is what will be used for SSL Proxy on client browser
> http_port 8081 intercept
>
> https_port 8082 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
> sslcrtd_children 50 startup=5 idle=1
> ssl_bump server-first all
> ssl_bump none localhost
>
>
> Then e2guardian uses 10101 for the browsers, and uses 8080 for
> connecting to squid on the same server.

Doesn't matter. Due to TLS security requirements Squid ensures the TLS
connection is re-encrypted on outgoing.

I am doubtful the nord works anymore since Google's own documentation for
schools states that one must install a MITM proxy that does the traffic
filtering - e2guardian is not one of those. IMO you should convert your
e2guardian config into Squid ACL rules that can be applied to the bumped
traffic without forcing http://

But if nord does work, so should the deny_info in Squid. Something like
this probably:
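
 acl google dstdomain .google.com
 deny_info 301:http://%H%R?nord=1 google

 # "?" is a regex metacharacter, so it is escaped to match a literal "?"
 acl GwithQuery urlpath_regex \?
 deny_info 301:http://%H%R&nord=1 GwithQuery

 # the last ACL named on a matching deny line selects the deny_info used
 http_access deny google GwithQuery
 http_access deny google
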
Amos
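
Added example, not part of the original message: with the rules in the reply, the redirected request for http://...nord=1 still matches `google`, so it would be answered with another 301. One way to stop that is to skip the deny when the URL already carries the parameter; the ACL name `hasNord` and its regex are assumptions made for this example.

```conf
# squid.conf fragment (added example, not from the original thread)

# Requests for Google domains
acl google dstdomain .google.com

# URL path already contains a query string ("?" escaped: regex metacharacter)
acl GwithQuery urlpath_regex \?

# Assumed name: URL already carries nord=1 as a complete query parameter
acl hasNord url_regex [?&]nord=1(&|$)

# %H = request domain name, %R = request URL path (including any query string)
# No existing query string: start one
deny_info 301:http://%H%R?nord=1 google
# Existing query string: append to it
deny_info 301:http://%H%R&nord=1 GwithQuery

# !hasNord comes first so that the LAST ACL on each line still selects
# the deny_info. A request that already has nord=1 matches neither line
# and falls through to the rest of the http_access rules unchanged.
http_access deny !hasNord google GwithQuery
http_access deny !hasNord google
```

Because the guard is a negated ACL on the deny lines rather than a separate allow line, it grants no access by itself; the normal http_access rules that follow still decide whether the nord=1 request is permitted.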