[squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

luizcasey at gmail.com
Wed Oct 21 18:31:28 UTC 2015


Hello,
So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid, apache, or root then basically you will bypass squid and anything is allowed. This was working well on 3.4.2; however, once I moved to 3.5.10 it no longer works properly. I also noticed that there are "new" features (peek, splice, etc.) which is probably my issue since I was not using them. I have tried several combinations and have only gotten it to work for http traffic. All https traffic is currently being blocked by the configuration. Below are my configurations. I don't need to "inspect" any of the traffic, I just want to have a whitelist of allowed domains if you are not UID squid, apache, or root via http/https. Any help would be appreciated!!


##### IPTABLES
$iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match squid
natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match apache
natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match root
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3401
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 4827

Chain natoutlogaccept (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level debug prefix `nat out iptables accept '
ACCEPT     all  --  anywhere             anywhere


##### Squid.conf

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
# HTTPS forward port
https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

http_port 3401 transparent
# HTTP forward port
http_port 127.0.0.1:6886

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

always_direct allow all
cache deny all
cache_dir ufs /home/squid/cache 100 16 256

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/allowed_domains/allowed_domains"

ssl_bump peek step1 all
ssl_bump splice nobumpSites
ssl_bump bump

acl http proto http
acl https proto https

acl port_80 port 80
acl port_443 port 443

http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites

http_access deny all

##### allowed_domains
.cnn.com
.google.com
.facebook.com
...etc

#### squid log
TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
TCP_MISS/200 593 GET http://www.cnn.com/
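An added check, not part of the poster's setup or of Squid itself: a small Python script that parses an allowed_domains file in Squid's dotted-domain ACL format (a leading dot matches the domain and all of its subdomains; no leading dot means an exact match) and tests hostnames against it, so the whitelist can be audited before it is loaded. The sample file content is constructed from the list above, including the "<http://...>" residue the mail client appended to each line, which the parser drops.

```python
import re
from typing import List

# Constructed sample of an allowed_domains file. The "<http://...>" tails
# copy the mail-client residue seen in the post; a real ACL file would
# carry only the domain pattern on each line.
ALLOWED_DOMAINS_TEXT = """\
.cnn.com <http://cnn.com/>
.google.com <http://google.com/>
.facebook.com <http://facebook.com/>
# constructed: comment line and a dot-less (exact-match) entry
example.org
"""


def parse_allowed_domains(text: str) -> List[str]:
    """Return the domain patterns from an ACL file, one per non-comment line.

    Tokens that look like URLs (the mail-client residue) are discarded so
    that only real domain patterns survive; '#' starts a comment."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for tok in line.split():
            if re.match(r"<?https?://", tok):
                continue
            patterns.append(tok.lower().rstrip("."))
    return patterns


def host_matches(host: str, pattern: str) -> bool:
    """dstdomain / ssl::server_name style match: a leading dot matches the
    domain itself and every subdomain; no leading dot means exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(host: str, patterns: List[str]) -> bool:
    """True if any pattern in the whitelist matches the given hostname."""
    return any(host_matches(host, p) for p in patterns)


if __name__ == "__main__":
    pats = parse_allowed_domains(ALLOWED_DOMAINS_TEXT)
    # Hosts taken from the two access.log lines above, plus edge cases.
    for h in ("www.facebook.com", "www.cnn.com", "cnn.com",
              "evil-cnn.com", "example.org", "sub.example.org"):
        print(f"{h:20} allowed={is_allowed(h, pats)}")
```

Note that "evil-cnn.com" is rejected: the leading-dot rule requires a dot boundary, not just a matching suffix.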