[squid-users] Conditional question

Amos Jeffries squid3 at treenet.co.nz
Sun May 31 23:55:41 UTC 2015


On 31/05/2015 10:24 a.m., James Lay wrote:
> On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote:
> 
>> On 31/05/2015 4:48 a.m., James Lay wrote:
>>> Per the docs:
>>>
>>> #  Conditional configuration
>>> #
>>> #       If-statements can be used to make configuration directives
>>> #       depend on conditions:
>>> #
>>> #           if <CONDITION>
>>> #               ... regular configuration directives ...
>>> #           [else
>>> #               ... regular configuration directives ...]
>>> #           endif
>>> #
>>> #       The else part is optional. The keywords "if", "else", and
>>> "endif"
>>> #       must be typed on their own lines, as if they were regular
>>> #       configuration directives.
>>> #
>>> #       NOTE: An else-if condition is not supported.
>>> #
>>> #       These individual conditions types are supported:
>>> #
>>> #           true
>>> #               Always evaluates to true.
>>> #           false
>>> #               Always evaluates to false.
>>> #           <integer> = <integer>
>>> #               Equality comparison of two integer numbers.
>>>
>>> Anyone have any examples, documentation, heck ANYTHING that can show how
>>> this works?  I can't seem to find a thing besides the above.
>>
>> Those are for process controls (SMP, named services, etc).
>>
>>>  My goal is
>>> something like the below:
>>>
>>> if port = 80
>>>     http_access deny all
>>> else
>>>     http_access allow all
>>> endif
>>>
>>> But nothing I'm trying as the condition expression is working.  Thank
>>> you.
>>
>> The default Squid configuration should "just work"...
>>
>>   http_access deny !Safe_ports
>>   http_access deny CONNECT !SSL_Ports
>>   ...
>>   # this one permits the CONNECT *:443 requests to get bumped
>>   http_access allow localnet
>>   ..
>>   http_access deny all
>>
>> If you are using any other access controls on your client traffic you
>> need to keep in mind that Squid is dealing with "CONNECT raw-IP:443 ..."
>> requests in http_access / adapted_http_access / url_rewrite_access /
>> adaptation_access / ssl_bump prior to bumping them.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> Hi again Amos,
> 
> So...my method of access control might be weird.  I have a regex list of
> sites that work fine via http (say \.acer\.com).  So, I allow access to
> this list via:
> 
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> http_access allow allowed_http_sites
> http_access deny !allowed_http_sites

By using url_regex to match domain names you are preventing any chance
for Squid to perform reverse-DNS lookup on the raw-IP CONNECT requests
and see if the rDNS site name matches an entry in your list.

If you made that ACL a dstdomain (which is the right type to be matching
domains with) you would see this rDNS behaviour and only have to add
domain entries for sites where the rDNS is different from the popular
domain names.

> 
> This works well for allowing access to the list of sites....the lack of
> http_access allow localnet makes this happen.  With the above however,
> ssl_bumping stops working as I get:
> 
> [16:18:22 jlay at powerbook:~/test$ wget
> --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d
> https://www.msn.com
> DEBUG output created by Wget 1.16 on linux-gnu.
> 
> URI encoding = ‘UTF-8’
> --2015-05-30 16:19:46--  https://www.msn.com/
> Certificates loaded: 173
> Resolving www.msn.com (www.msn.com)... 204.79.197.203
> Caching www.msn.com => 204.79.197.203
> Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
> connected.
> Created socket 4.
> Releasing 0x10c3ef98 (new refcount 1).
> The certificate's owner does not match hostname ‘www.msn.com’
> 
> May 30 16:19:46 analysis squid: 192.168.1.73 - - [30/May/2015:16:19:46
> -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0
> TCP_DENIED:HIER_NONE peek
> 
> Adding http_access allow localnet makes ssl_bumping work correctly, but
> then the http_access deny !allowed_http_sites does not work.  I'm having
> a hard time getting both http and https filtering to play well together
> with one instance of squid.  I'd like to try and just go with one, but
> if I have to I'll go with two.  Anyway thanks again for looking...I hope
> I'm explaining this well.

The above mentioned solution, OR as you found allowing all port 443
traffic through to at least the bumping stage will do it.

Amos
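Added example (not from the thread or the Squid project's own docs) of a squid.conf fragment that combines the two points above: a dstdomain ACL in place of url_regex, and an http_access rule that lets the raw-IP CONNECT requests reach the bumping stage so the decrypted requests are filtered against the same list afterwards. The client subnet, the list file path and the ssl_bump lines are assumptions; the ACL names are the standard ones used in Amos's reply.

```conf
# Constructed squid.conf fragment. Subnet and file path are assumed.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# dstdomain, not url_regex: for a raw-IP CONNECT target Squid can try a
# reverse DNS lookup and match the resulting name against this list.
# The file holds one domain per line; a leading dot (".acer.com")
# matches the domain and all of its subdomains.
acl allowed_sites dstdomain "/opt/etc/squid/allowed_domains.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Let "CONNECT raw-IP:443" from the LAN through to the bumping stage;
# with the deny-by-default list alone these are TCP_DENIED before
# ssl_bump ever runs, which is the failure shown in the access.log.
http_access allow localnet CONNECT SSL_ports

# Plain http requests and the decrypted https requests produced by
# bumping are evaluated here with a real host name, so the list
# applies to both.
http_access allow localnet allowed_sites
http_access deny all

# Peek at the ClientHello to learn the SNI, then bump.
ssl_bump peek step1
ssl_bump bump all
```

Only the tunnel setup is allowed unconditionally; a bumped request to a site missing from the list still gets denied on the second http_access pass, so hosts that rDNS differently from their public name must be listed explicitly as Amos notes.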

