[squid-users] Filtering HTTPS URLs
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 11 08:59:41 UTC 2016
On 11/02/2016 1:05 p.m., Victor Hugo wrote:
> Hi,
>
> I was wondering if it is possible to filter HTTPS URLs using squid (for
> example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
>
> I thought this may be possible using ssl_bump and url_regex. I have been
> trying this using squid 3.5.13 but with no success.
>
> Here is the squid configuration that I have tried but doesn't seem to work
> (it works for http sites though):
>
<snip>
>
> acl whitelist-regex url_regex -i reddit.com/r/news
> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> acl bump_sites ssl::server_name .reddit.com
> ssl_bump bump bump_sites
> ssl_bump splice !bump_sites
> http_access allow whitelist-regex
> http_access allow localhost
> http_access deny all
> Relevant access.log output (IP addresses redacted to x.x.x.x):
> 1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 -
> HIER_NONE/- -
So this is the bump happening, as you wanted.
> 1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET
> https://www.reddit.com/r/news - HIER_NONE/- text/html
And something else has 403 (Forbidden) the request. Your ACL and
http_access config looks fine. So I dont think its that.
The first oddity is that your ssl_bump rules are doing bump without
having fetched the clientHello details yet. So this is a "client-first"
bumping situation in which Squid first negotiates TLS / HTTPS with the
client, then completely separately negotiates TLS/HTTPS with the server.
- any errors in the server TLS might result in something like this 403
(though it should be a 5xx status, it may not always be).
- the sslproxy_* settings are entirely what controls the server
connection TLS.
Second oddity is that its saying DENIED/200. 200 is 'allowed' in CONNECT
actions. This could be a logging bug, or a sign of something going wrong
in the bumping stage that alters the CONNECT logging as well.
Are you able to experiment with using the Squid-4.0.5 release? there are
some bumping bug fixes that are only in that release series.
Amos
More information about the squid-users
mailing list