[squid-users] Filtering HTTPS URLs

Victor Hugo fourtrials at gmail.com
Mon May 9 00:31:39 UTC 2016


Wow that worked!

Thanks!

On Fri, May 6, 2016 at 5:00 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 6/05/2016 5:51 p.m., Victor Hugo wrote:
> > Here's a strange one for you though, if I change:
> > acl whitelist-regex url_regex -i reddit.com/r/news
> >
> > to:
> > acl whitelist-regex url_regex -i reddit\.com\/r\/news www\.reddit\.com\:443
> >
> > it works every 2nd time but the match is too greedy and allows
> > www.reddit.com/r/anything every 2nd time.
> >
>
> That first regex pattern requires a path "/r/news" to exist. CONNECT
> messages do not have paths.
>
> That second pattern you are now adding matches (and thus allows) the
> CONNECT message authority-URI built from the traffic SNI details.
>
> They are two different regex patterns so if *either one* matches the ACL
> test will be a match.
>
>
> Try adding this line *after* the default "deny CONNECT !SSL_ports" line:
>  acl reddit dstdomain .reddit.com
>  http_access allow CONNECT SSL_ports reddit
>
> That should allow the CONNECT's stuff to happen and your ssl_bump and
> http_access rules then handle the HTTPS.
>
>
> Amos
>
>
> > Victor
> >
> > it
> >
> > On Thu, Feb 11, 2016 at 10:05 AM, Victor Hugo <fourtrials at gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I was wondering if it is possible to filter HTTPS URLs using squid (for
> >> example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
> >>
> >> I thought this may be possible using ssl_bump and url_regex. I have been
> >> trying this using squid 3.5.13 but with no success.
> >>
> >> Here is the squid configuration that I have tried but doesn't seem to work
> >> (it works for http sites though):
> >>
> >> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> >> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> >> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> >> acl localnet src fc00::/7       # RFC 4193 local private network range
> >> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> >>
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80 # http
> >> acl Safe_ports port 21 # ftp
> >> acl Safe_ports port 443 # https
> >> acl Safe_ports port 70 # gopher
> >> acl Safe_ports port 210 # wais
> >> acl Safe_ports port 1025-65535 # unregistered ports
> >> acl Safe_ports port 280 # http-mgmt
> >> acl Safe_ports port 488 # gss-http
> >> acl Safe_ports port 591 # filemaker
> >> acl Safe_ports port 777 # multiling http
> >> acl CONNECT method CONNECT
> >>
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access allow localhost manager
> >> http_access deny manager
> >>
> >> acl whitelist-regex url_regex -i reddit.com/r/news
> >> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >> acl bump_sites ssl::server_name .reddit.com
> >> ssl_bump bump bump_sites
> >> ssl_bump splice !bump_sites
> >> http_access allow whitelist-regex
> >> http_access allow localhost
> >> http_access deny all
> >> coredump_dir /opt/squid-3.5.13/var/spool/squid3
> >> refresh_pattern ^ftp: 1440 20% 10080
> >> refresh_pattern ^gopher: 1440 0% 1440
> >> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> >> refresh_pattern . 0 20% 4320
> >> pinger_enable off
> >>
> >> Relevant access.log output (IP addresses redacted to x.x.x.x):
> >> 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
> >> 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
> >> 1455145755.782      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
> >>
> >> I don't want to whitelist the dstdomain .reddit.com
> >> (i.e whitelist-ssldomain dstdomain .reddit.com) as that would allow
> >> access to all of the other subreddits.
> >>
> >> Appreciate any help or suggestions you have. Thanks.
> >>
> >> Victor
> >>
> >
>
>
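As an added example (not configuration from the thread or from the Squid project), here is the poster's squid.conf with the two lines Amos suggested folded in, so the full http_access order that makes the CONNECT/bump/GET sequence work is visible in one place. The anchored, dot-escaped url_regex pattern is an assumption of this example rather than what the poster ran; the original pattern was the unanchored `reddit.com/r/news`.

```squid
# Added example: the thread's configuration with Amos Jeffries' fix folded in.
# File paths and the CA file are the poster's; the tightened url_regex is an
# assumption of this example, not something from the thread.

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Domain ACL used only to let the CONNECT tunnel be established (and bumped).
# It does not by itself allow any request inside the tunnel.
acl reddit dstdomain .reddit.com

# Bump only reddit.com so its decrypted requests become visible to url_regex;
# everything else is spliced through untouched.
acl bump_sites ssl::server_name .reddit.com
ssl_bump bump bump_sites
ssl_bump splice !bump_sites

# Path-level allow for the bumped GET. Anchored at the scheme and with dots
# escaped so that "reddit.com/r/newsfoo", or "reddit.com/r/news" appearing in
# another host's query string, does not match (assumed tightening).
acl whitelist-regex url_regex -i ^https://(www\.)?reddit\.com/r/news(/|\?|$)

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The fix from the thread: a CONNECT carries only "host:port", never a path,
# so a url_regex that requires "/r/news" can never match it. Allow the tunnel
# here; the individual requests inside it are still judged by the rules below.
http_access allow CONNECT SSL_ports reddit
http_access allow localhost manager
http_access deny manager
http_access allow whitelist-regex
http_access allow localhost
http_access deny all

http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

coredump_dir /opt/squid-3.5.13/var/spool/squid3
pinger_enable off
```

With this order, access.log should show the CONNECT to www.reddit.com:443 succeeding, a GET for https://www.reddit.com/r/news passing whitelist-regex, and a GET for any other subreddit falling through to `deny all` (TAG_NONE/403 for a bumped request). Note that, as in the poster's original, only `localhost` is allowed past the whitelist; clients on `localnet` need their own `http_access allow localnet` line placed before `deny all` if they are meant to reach non-reddit sites, and the `acl Safe_ports` list has been trimmed here to the two ports the thread exercises.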