[squid-users] SSL Bump for regex URL comparison
Joe Foster
joe.e.foster at googlemail.com
Wed Nov 15 13:32:15 UTC 2017
Good afternoon,
I have a small router onto which I have installed Squid.
I am trying to filter HTTPS URLs for bad words on a blocked list.
It will require the client on the safe side of the router to install the
certificate; this isn't an issue as it's an open process and not an
illegal MITM attack.
Below is my squid.conf
As you will see I have been playing around with where to put the code
and what code to put in.
I only have a small amount of flash drive so I have put the auto-gen
cert directory in /tmp/. I am aware this is volatile memory but until I
have a better solution I will be doing this.
I have put a firewall rule in to forward 443 to 3128.
https://wiki.squid-cache.org/Features/SslBump
https://wiki.squid-cache.org/SquidFaq/SquidAcl
I also don't want to cache due to flash drive issues. Is this possible?
It's the same cert in /root/ and /certs/ before anyone points it out.
Nothing has been appearing in the log files either but this is no
surprise.
Been up till 1am the last few nights on this, so your assistance is very
appreciated.
Thank you very much,
Joe
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1025-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl connect method connect
#acl safe_ports port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem
http_access deny !safe_ports
http_access deny connect !ssl_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
#http_port 3128 intercept
acl BadWords url_regex "/etc/badwords"
http_access deny Badwords
cache deny all
#ssl_bump bump all
#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
access_log /squid.log
cache_log /squid1.log
cache_store_log stdio:/squid2.log
logfile_rotate 0
logfile_daemon /dev/null
#http_port 3128 intercept
#cache deny all
#ssl_bump bump all
#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem
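The ordering question raised by the configuration above (the BadWords deny rule sits after "http_access allow localnet") comes down to Squid's first-match evaluation of http_access lines, which the linked SquidAcl FAQ describes: rules are tried top to bottom, the first line whose ACLs all match decides the request, and if nothing matches the default is the opposite of the last line. The following checker is an added example written for this thread, not code from the Squid project or from the poster. It parses a constructed squid.conf fragment modelled on the one above (not the poster's file verbatim), reports http_access lines that reference an ACL that was never declared or whose spelling differs in case, and evaluates a model request against the rule list. It does not evaluate real ACL types; the caller states which ACL names a request matches. The set of predefined ACL names and the case-insensitive name comparison are assumptions about Squid made by this checker, so case differences are reported as warnings rather than errors.

```python
"""Lint squid.conf http_access ordering (added example, not Squid code)."""

# ACL names this checker assumes Squid predefines without an acl line.
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}

# Constructed sample modelled on the posted squid.conf: the BadWords deny
# comes after "allow localnet", and its name is spelled differently.
POSTED_ORDER = """
acl localnet src 192.168.0.0/16
acl ssl_ports port 443
acl safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
acl BadWords url_regex "/etc/badwords"
http_access deny Badwords
http_access deny all
"""

# Same rules with the ACL declared up front and the deny placed before
# the LAN allow, so it is reachable for LAN clients.
FIXED_ORDER = """
acl localnet src 192.168.0.0/16
acl ssl_ports port 443
acl safe_ports port 80 443
acl CONNECT method CONNECT
acl BadWords url_regex "/etc/badwords"
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny BadWords
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse(text):
    """Return ({lowercased acl name: declared name}, [(lineno, action, terms)]).

    Each term is (negated, name); '#' starts a comment as in squid.conf.
    """
    acls, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) >= 3:
            acls.setdefault(tokens[1].lower(), tokens[1])
        elif tokens[0] == "http_access" and len(tokens) >= 2:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in tokens[2:]]
            rules.append((lineno, tokens[1], terms))
    return acls, rules


def check_references(acls, rules):
    """Flag http_access terms naming an undeclared ACL or a case variant."""
    findings = []
    for lineno, _action, terms in rules:
        for _negated, name in terms:
            key = name.lower()
            if key in BUILTIN_ACLS:
                continue
            if key not in acls:
                findings.append(f"line {lineno}: ACL '{name}' is never defined")
            elif acls[key] != name:
                findings.append(
                    f"line {lineno}: ACL '{name}' is defined as "
                    f"'{acls[key]}' (case differs)")
    return findings


def decide(rules, matching):
    """First-match evaluation of http_access for one model request.

    `matching` is the set of ACL names the request would match; 'all'
    always matches.  A line applies when every term matches (negated
    terms invert).  Returns (action, lineno); with no matching line the
    result is the opposite of the last action and lineno is None.
    """
    want = {m.lower() for m in matching} | {"all"}
    for lineno, action, terms in rules:
        if all((name.lower() in want) != negated for negated, name in terms):
            return action, lineno
    if not rules:
        return "deny", None
    return ("allow" if rules[-1][1] == "deny" else "deny"), None


if __name__ == "__main__":
    lan_bad_url = {"localnet", "safe_ports", "ssl_ports", "BadWords"}
    for label, conf in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        acls, rules = parse(conf)
        print(label, "warnings:", check_references(acls, rules) or "none")
        print(label, "LAN request to a BadWords URL:", decide(rules, lan_bad_url))
```

In the posted order the model LAN request is allowed by the "allow localnet" line before the BadWords rule is ever consulted; in the fixed order the same request is denied, while a clean LAN request still falls through to the allow. Whether the bumped HTTPS request reaches url_regex evaluation at all depends on the ssl_bump directives, which are commented out in the configuration above, so this check covers only the rule ordering.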