[squid-users] Squid 3.5.10 SSL Bump whitelist domains

Yuri Voinov yvoinov at gmail.com
Wed Oct 21 20:32:21 UTC 2015


Show a piece of the allowed_domains file.

22.10.15 2:29, luizcasey at gmail.com wrote:
> Could you suggest a configuration that you think should be working? I would like both
> HTTP/HTTPS domains whitelisted via file, all other domains blocked. What
> am I missing? My assumption here is that the acl nobumpSites
> ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" part
> is not working for https but does work for http.
>
> #### LOG
> 21/Oct/2015:16:24:45 -0400.062     28 X.X.X.X TCP_MISS/200 907 HEAD http://www.cnn.com/ - ORIGINAL_DST/23.235.39.73 text/html
> 21/Oct/2015:16:25:12 -0400.515      0 X.X.X.X TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>
> #### /etc/squid/git_allowed_domains/allowed_domains
> .facebook.com
> .cnn.com
>
> #### squid.conf
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 intercept
>
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
>
> cache deny all
>
> acl step1 at_step SslBump1
> acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
> # I even tried the follow just for https test and it still failed
> # acl nobumpSites ssl::server_name  .facebook.com
> # 21/Oct/2015:16:27:45 -0400.733      0 10.159.3.194 TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>
> ssl_bump peek step1 all
> ssl_bump splice nobumpSites
> ssl_bump bump
>
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl port_443 port 443
>
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites
>
> http_access deny all
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

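The reply above asks to see the allowed_domains file itself, because a domain list that looks right in a mail client can still contain entries Squid never matches. The script below is an added example, not code from the thread or from Squid: it loads a file in Squid's dstdomain / ssl::server_name syntax, reports the usual defects (CRLF line endings, smart quotes pasted from an editor, invalid hostname labels) and then evaluates server names against the surviving entries using the documented dstdomain rule (a leading dot matches the domain and all its subdomains, an entry without one matches only exactly). The sample file content and the probe names are constructed for the example. The last probe is a bare IP address: for intercepted HTTPS, that is all Squid knows about the destination at SslBump1, before the peek has read the SNI, so a name-based ACL evaluated at that point sees no match.

```python
"""Check a Squid dstdomain / ssl::server_name ACL file and test names against it."""
import re

# Constructed sample of an allowed_domains file (NOT the poster's real file).
# Good entries are mixed with defects that commonly break matching.
SAMPLE_ACL_FILE = (
    "# allowed_domains (constructed example)\n"
    ".facebook.com\n"
    ".cnn.com\n"
    "example.org\r\n"                   # CRLF line ending from a Windows editor
    "\u201cwww.bad-quotes.com\u201d\n"  # smart quotes pasted from a mail client
    "bad_label.net\n"                   # underscore is not a valid hostname label
)

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def load_acl_file(text):
    """Parse ACL file contents.

    Returns (entries, problems): entries are lower-cased domain patterns that
    survived validation, problems is a list of (line_number, message).
    """
    entries, problems = [], []
    # Split on '\n' only so a stray '\r' survives and can be reported.
    for lineno, raw in enumerate(text.split("\n"), 1):
        if "\r" in raw:
            problems.append((lineno, "carriage return at end of line (CRLF file?)"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.isascii():
            problems.append((lineno, f"non-ASCII characters in {line!r}"))
            continue
        entry = line.lower()
        labels = entry.lstrip(".").split(".")
        if not labels or any(not _LABEL.match(label) for label in labels):
            problems.append((lineno, f"invalid hostname label in {entry!r}"))
            continue
        entries.append(entry)
    return entries, problems


def matches(server_name, entries):
    """Return the first entry matching server_name under dstdomain rules, else None.

    '.example.com' matches example.com and every subdomain of it;
    'example.com' matches only example.com itself.
    """
    name = server_name.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return entry
        elif name == entry:
            return entry
    return None


def check_names(text, names):
    """Map each probe name to the entry it matched (or None)."""
    entries, _ = load_acl_file(text)
    return {name: matches(name, entries) for name in names}


if __name__ == "__main__":
    entries, problems = load_acl_file(SAMPLE_ACL_FILE)
    print("usable entries:", entries)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    # Constructed probes: an SNI name, a non-subdomain look-alike, and the bare
    # destination IP Squid has at SslBump1 on an intercepted connection.
    for name, hit in check_names(SAMPLE_ACL_FILE,
                                 ["www.facebook.com", "notfacebook.com",
                                  "www.example.org", "23.235.39.73"]).items():
        print(f"{name:20} -> {hit}")
```

Run it against the real file instead of the constructed sample by passing the file contents to load_acl_file; any line listed under problems is one Squid is not matching the way the author expects, and an empty match for an SNI name that should be spliced points at the ACL rather than at the ssl_bump rules.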
