[squid-users] HTTPS site filtering

roadrage27 alex.tate at gmail.com
Fri Jan 20 18:30:36 UTC 2017


>I see no 'localnet' ACL use. If this proxy is supposed to be servicing
>LAN clients, that will be needed and the keepgoing and artwork ACLs
>probably not needed.

I am connecting on a LAN to it now with no issues, and multiple testers on
the same subnet can also use it. Why would I add a directive if it's
already working?

I uncommented the other lines. I can't recall why I commented them, but yeah,
mistake there.

>What's the idea behind this "keepgoing" ACL ?
Once I put that in with those domains it allowed them to connect, as those
were domains needed for access via SSL.
>Is this proxy supposed to have reverse-proxy duties for them?
Nope, just a simple proxy that locks out the web unless the ACL allows it.

On Fri, Jan 20, 2017 at 12:00 PM Alex Tate <alex.tate at gmail.com> wrote:

> When I add the final deny all then no traffic traverses squid.  When I
> removed it then squid started passing traffic
>
> On Fri, Jan 20, 2017, 11:46 AM Amos Jeffries [via Squid Web Proxy Cache] <
> ml-node+s1019090n4681226h61 at n4.nabble.com> wrote:
>
> On 21/01/2017 5:52 a.m., roadrage27 wrote:
>
> > I was able to resolve my issue partially.  I burned down the server and
> > rebuilt it clean so all previous changes that were made attempting to
> > make SSL work were gone.  Once I reloaded squid and the config files I was
> > able to allow SSL traffic using the dstdomain acl type.  I currently have a
> > few URLs that are regex type that need to be allowed, so I'm currently
> > cranking out those.
> >
> > On Fri, Jan 20, 2017 at 8:36 AM roadrage27 wrote:
> >
> >>> That tells me either you have screwed up the CONNECT ACL definition.
> >>> Or the SSL_ports one.
> >> Very possible as I'm pretty green on squid, my current conf file is
> >> below.  With that conf the SSL sites just sit and spin until they
> >> eventually time out.
> >>
> >> acl site_squid_art url_regex ^http://www.squid-cache.org/Artwork
> >> acl keepgoing dstdomain .plateau.com .skillwsa.com .successfactors.com
> >>
>
> What's the idea behind this "keepgoing" ACL ?
> Is this proxy supposed to have reverse-proxy duties for them?
>
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80 # http
> >> acl Safe_ports port 21 # ftp
> >> acl Safe_ports port 443 # https
> >> acl Safe_ports port 70 # gopher
> >> acl Safe_ports port 210 # wais
> >> acl Safe_ports port 1025-65535 # unregistered ports
> >> acl Safe_ports port 280 # http-mgmt
> >> acl Safe_ports port 488 # gss-http
> >> acl Safe_ports port 591 # filemaker
> >> acl Safe_ports port 777 # multiling http
> >> acl CONNECT method CONNECT
> >>
> >> http_access allow keepgoing
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> #http_access allow CONNECT SSL_ports
> >> http_access allow localhost manager
> >> http_access allow site_squid_art
> >> http_access allow localhost
> >>
>
> I see no 'localnet' ACL use. If this proxy is supposed to be servicing
> LAN clients, that will be needed and the keepgoing and artwork ACLs
> probably not needed.
>
> The final "http_access deny all" is missing as well. Squid is just doing
> that implicitly anyway. So it's more needed to remind you of what is
> happening and prevent possible mistakes implicitly allowing lots of
> unexpected things through the proxy later.
>
>
> >>
> >> http_port 3132
> >>
> >>
> >> access_log /var/log/squid3/squid3132.log squid
> >>
> >> pid_filename /var/run/squid3132.pid
> >> coredump_dir /var/spool/squid3
> >>
> >> refresh_pattern ^ftp: 1440 20% 10080
> >> refresh_pattern ^gopher: 1440 0% 1440
> >> #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> FYI: The above commented out line is rather critical to the correct
> behaviour for dynamic web content.
>
> If the server is not producing the required cache controls dynamically
> changing data should not be allowed to store for one second, let alone
> the default 7 days.
>
> >> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> >> #refresh_pattern . 0 20% 4320
> >>
>
> What's the point of commenting that out?
>
> Amos
> _______________________________________________
> squid-users mailing list
> http://lists.squid-cache.org/listinfo/squid-users
>
>
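Amos's two points above (the missing 'localnet' restriction and the missing final "http_access deny all") can be seen by modelling Squid's first-match evaluation. The script below is an added example written for this thread, not Squid code and not posted by anyone in the discussion; the ACL table mirrors the config quoted above, while the 192.168.1.0/24 localnet range, the sample requests and the "appended" rule set are constructed, and the url_regex and manager lines are left out of the model.

```python
"""Toy model of how Squid walks http_access lines (added example, not Squid code).

Squid evaluates http_access lines top to bottom; the first line whose ACLs
all match decides.  If NO line matches, the default is the opposite of the
action on the last http_access line.  A final "http_access deny all" pins
that default instead of leaving it to whichever rule happens to be last.
"""
import ipaddress

# Constructed ACL table mirroring the config posted in the thread, plus an
# assumed "localnet" range (the ACL Amos said was missing).  The url_regex
# and manager ACLs from the thread are left out to keep the model small.
ACLS = {
    "localnet":   ("src", ["192.168.1.0/24"]),   # assumed LAN range
    "localhost":  ("src", ["127.0.0.1/32"]),
    "all":        ("src", ["0.0.0.0/0"]),
    "keepgoing":  ("dstdomain", [".plateau.com", ".skillwsa.com", ".successfactors.com"]),
    "SSL_ports":  ("port", ["443"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "CONNECT":    ("method", ["CONNECT"]),
}


def _port_in(spec, port):
    """Squid port ACL values are single ports or low-high ranges."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def acl_matches(name, req):
    """Return True if the named ACL matches the request dict."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.com" matches example.com and every subdomain;
        # "example.com" (no leading dot) matches only that exact host.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "port":
        return any(_port_in(v, req["port"]) for v in values)
    if kind == "method":
        return req["method"].upper() in values
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(rules, req):
    """First matching http_access line wins; a leading '!' negates a term."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines as posted in the thread (url_regex/manager lines omitted).
POSTED_RULES = [
    ("allow", ["keepgoing"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
]

# Constructed: the same lines with one more deny appended later.  A deny is
# now the last line, so the implicit default for unmatched requests flips to
# allow.  This is the "possible mistakes" case Amos warns about.
APPENDED_RULES = POSTED_RULES + [("deny", ["CONNECT", "!SSL_ports"])]

# Hardened order: proxy use restricted to the LAN, explicit final deny.
HARDENED_RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet", "keepgoing"]),
    ("deny",  ["all"]),
]

# Constructed sample requests.
LAN_KEEPGOING = {"src": "192.168.1.10", "method": "CONNECT", "host": "www.plateau.com", "port": 443}
WAN_KEEPGOING = {"src": "203.0.113.5",  "method": "CONNECT", "host": "www.plateau.com", "port": 443}
LAN_OTHER     = {"src": "192.168.1.10", "method": "GET",     "host": "example.com",     "port": 80}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("appended", APPENDED_RULES),
                         ("hardened", HARDENED_RULES)):
        for name, req in (("LAN->plateau", LAN_KEEPGOING), ("WAN->plateau", WAN_KEEPGOING),
                          ("LAN->other", LAN_OTHER)):
            print(f"{label:9} {name:13} {evaluate(rules, req)}")
```

Running it shows the two defects side by side: the posted order lets any source address, LAN or not, reach the keepgoing domains because nothing checks the client IP before that allow, and the appended variant silently opens the proxy to every unmatched request. The hardened list gives the same answer for the legitimate LAN request and denies the other two regardless of what is appended after the final deny all.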
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTPS-site-filtering-tp4681198p4681228.html
Sent from the Squid - Users mailing list archive at Nabble.com.