[squid-users] Squid Version 3.5.20
Cherukuri, Naresh
ncherukuri at partycity.com
Tue Jun 27 15:46:05 UTC 2017
Hi,
Thank You for quick turnover, as per your request I changed squid config like below, still I going to www.google.com<http://www.google.com>
acl CONNECT method CONNECT
acl sslconnect dstdomain -i https://www.google.com
acl GoogleRecaptcha url_regex ^https://www.google.com/recaptcha/$
http_access allow CONNECT sslconnect
http_access allow backoffice_users GoogleRecaptcha
Thanks& Regards,
Naresh
From: Flashdown [mailto:flashdown at data-core.org]
Sent: Tuesday, June 27, 2017 11:37 AM
To: squid-users at lists.squid-cache.org; Cherukuri, Naresh; Eliezer Croitoru
Subject: Re: [squid-users] Squid Version 3.5.20
Well, I know that issue very good and google is the issue since they should put their captcha on a own subdomain. Then we could effectivley allow only the access to the captcha.
Until that there is no good way to achive this. But there is a non reliable way of blocking google.com<http://google.com>
First allow the Connect method for google.com<http://google.com>
Acl CONNECT method CONNECT
acl sslconnect dstdomain -i www.google.com<http://www.google.com>
http_access allow CONNECT sslconnect
Then use an url regex and allow google.com/recaptcha<http://google.com/recaptcha>
This way sometimes www.google.com<http://www.google.com> is blocked, sometimes not. But access to recaptcha will always work.
Why we can't block it reliable? Well when browser/client wants to connect to https website then the firsr thing the browser trie is open a ssl tunnel to the FQDN
As soon as the tunnel is up it will request the ressource. May it helps if you add a url regex deny between allowing the connect method and allowing the url www.google.com/recaptcha<http://www.google.com/recaptcha>
Written on my mobile..
Br,
Flashdown
Am 27. Juni 2017 17:07:19 MESZ schrieb "Cherukuri, Naresh" <ncherukuri at partycity.com<mailto:ncherukuri at partycity.com>>:
Hi Eliezer,
We successfully blocked gmail, google images, google drive and rest all google related. Now we allowing www.google.com<http://www.google.com> and www. google/Recaptcha. We still need to block www.google.com<http://www.google.com> and just allow www.google/recaptcha<http://www.google/recaptcha>. Is there a way to do that?
Appreciate your quick turnover!
Thanks&Regards,
Naresh
-----Original Message-----
From: Eliezer Croitoru [mailto:eliezer at ngtech.co.il]
Sent: Tuesday, June 27, 2017 10:16 AM
To: Cherukuri, Naresh; squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
Subject: RE: [squid-users] Squid Version 3.5.20
Hey,
I can try to help you but I do not have enough logs for it.
Also it's not so simple.
Basically you will need to block gmail and google drive themselves in one rule that will not include other google services.
All The Bests,
Eliezer
----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il<mailto:eliezer at ngtech.co.il>
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Cherukuri, Naresh
Sent: Friday, June 23, 2017 23:34
To: squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
Subject: [squid-users] Squid Version 3.5.20
Hello All,
I installed Squid version 3.5.20 on RHEL 7 and generated selfsigned CA certificates, can you shed some light on how to "Configure regular expression of the Google ReCaptcha URL with ACL".
My requirement :
This requirement is to allow Google's ReCaptcha URL (HTTPS) so associates can successfully use ADP which now utilizes Google's ReCaptcha which is called via an HTTPS URL, without allowing users to access other Google-related services such as Gmail or Google Drive.
Any ideas much appreciated!
Thanks,
Naresh
________________________________
squid-users mailing list
squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170627/67d25b8e/attachment-0001.html>
More information about the squid-users
mailing list