[squid-users] 3.5.8 intercept Whitelist http&https
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 15 09:24:24 UTC 2015
On 15/10/2015 7:25 p.m., Бараблин Дмитрий wrote:
> Hello all!
>
> I'm trying to configure squid 3.5.8 as intercept with Whitelist ACLs on
> HTTP and HTTPS.
>
> This is my config:
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl whitelist dstdom_regex -i "/etc/squid/whitelist"
<snip>
> acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
> http_port 10.0.0.185:3128 intercept
> http_port 10.0.0.185:3130
> https_port 10.0.0.185:3129 intercept ssl-bump
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
> cert=/etc/squid/squidCA.pem
> always_direct allow all
You can remove the always_direct line. It was a temporary hack for bugs
in squid-3.1. It does nothing useful in your config.
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist_ssl
> ssl_bump peek whitelist_ssl
> ssl_bump terminate all
>
Configuring peeking to happen *after* splicing does not make any sense.
The "peek whitelist_ssl" will never happen.
>
> This config works nicely with HTTPS sites, but HTTP is not filtered.
"filtered http"? You don't have anything configured that could even
remotely be called that.
> When I
> added "http_access allow localnet whitelist", it stopped all sites.
>
> whitelist & whitelist_ssl - both files have the same contents, i.e.
>
> \.google-analytics\.com
> \.googleapis\.com
> \.google\.com
> \.googleusercontent\.com
> \.gstatic\.com
>
> Please tell me what I'm doing wrong!
>
At a guess I believe you are expecting ssl-bump operations to happen on
the port 3128 or 3130 traffic's CONNECT requests. But you have not
configured it to be done on those ports.
Amos
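The ordering point Amos makes (a "peek whitelist_ssl" line placed after "splice whitelist_ssl" can never fire, because ssl_bump lines are tried in order and the first line whose ACLs all match wins) can be checked mechanically. The following is an added example written for this thread, not code from Squid or from either poster: it models the poster's ssl_bump lines as a first-match rule list, evaluates them for a given SslBump step and server name, and flags any line whose ACL set is a superset of an earlier line's ACL set as unreachable (the general case of which the dead "peek whitelist_ssl" line is one instance). The ACL semantics (at_step compares the step name, server_name_regex is an unanchored case-insensitive regex search, "all" always matches) and the "none" result when no line matches are simplifying assumptions of this model, not a statement of Squid's exact implementation.

```python
import re

# Constructed ACL table mirroring the poster's config. The regexes are the
# five patterns listed in the message (whitelist_ssl); the rest are assumed
# simplifications of Squid's at_step and "all" ACLs for this model.
WHITELIST_SSL = [
    r"\.google-analytics\.com",
    r"\.googleapis\.com",
    r"\.google\.com",
    r"\.googleusercontent\.com",
    r"\.gstatic\.com",
]

ACLS = {
    "step1": ("at_step", "SslBump1"),
    "whitelist_ssl": ("server_name_regex", WHITELIST_SSL),
    "all": ("all", None),
}

# The poster's ssl_bump lines, in file order: (action, ACL names on the line).
SSL_BUMP_RULES = [
    ("peek", ["step1"]),
    ("splice", ["whitelist_ssl"]),
    ("peek", ["whitelist_ssl"]),   # shadowed by the splice line above it
    ("terminate", ["all"]),
]

# The same rule list with the dead line removed (assumed corrected ordering).
CORRECTED_RULES = [
    ("peek", ["step1"]),
    ("splice", ["whitelist_ssl"]),
    ("terminate", ["all"]),
]


def acl_matches(name, step, server_name):
    """Evaluate one named ACL for the given SslBump step and TLS server name."""
    kind, arg = ACLS[name]
    if kind == "at_step":
        return step == arg
    if kind == "server_name_regex":
        # Unanchored, case-insensitive search, like the -i flag in the config.
        return server_name is not None and any(
            re.search(pattern, server_name, re.IGNORECASE) for pattern in arg
        )
    if kind == "all":
        return True
    raise ValueError(f"unknown ACL kind for {name}: {kind}")


def evaluate(rules, step, server_name=None):
    """First-match evaluation: every ACL on a line must match for that line to win.

    Returns (line_index, action); (None, "none") if no line matched (assumed
    default for this model).
    """
    for index, (action, acl_names) in enumerate(rules):
        if all(acl_matches(a, step, server_name) for a in acl_names):
            return index, action
    return None, "none"


def unreachable_rules(rules):
    """Return (dead_line, shadowing_line) pairs.

    Because ACLs on a line are ANDed, any request matching line i also matches
    an earlier line j whose ACL set is a subset of line i's; j wins first, so
    line i can never be selected.
    """
    dead = []
    for i, (_, acl_names) in enumerate(rules):
        for j in range(i):
            if set(rules[j][1]) <= set(acl_names):
                dead.append((i, j))
                break
    return dead


if __name__ == "__main__":
    print("step 1, no SNI yet:", evaluate(SSL_BUMP_RULES, "SslBump1"))
    print("step 2, www.google.com:", evaluate(SSL_BUMP_RULES, "SslBump2", "www.google.com"))
    print("step 2, example.org:", evaluate(SSL_BUMP_RULES, "SslBump2", "example.org"))
    print("unreachable lines (dead, shadowed by):", unreachable_rules(SSL_BUMP_RULES))
    print("unreachable after correction:", unreachable_rules(CORRECTED_RULES))
```

Running it reports that line 2 ("peek whitelist_ssl") is shadowed by line 1 ("splice whitelist_ssl"): whenever the server name is whitelisted the splice line already wins, and when it is not, the peek line's only ACL fails too, so it is dead either way. The subset check is deliberately conservative; it only reports lines that are unreachable for every possible request, so anything it flags is safe to delete.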