[squid-users] Whitelist ONLY exception isn't working correctly
Martin Hanson
greencoppermine at yandex.com
Mon May 14 00:15:08 UTC 2018
>> This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.
>
> The comments on this config tell a story of some misunderstandings ...
Thank you for all the valuable feedback. I originally set this up years ago. I have updated the different options.
However, I am still faced with the same problem.
If I add an HTTP domain to the whitelist, then the whitelist works for the HTTP domains ONLY, but the domains in the list which are HTTPS based are still blocked.
I have also changed the "localnet" in order to avoid any "clashes" between the boxes, but that doesn't change anything.
This is my updated configuration:
Sitting on one of the "windows_boxes" and going to https://www.ubuntu.com/ gives: "Access Denied" from Squid.
<SNIP>
max_filedesc 4096
acl step1 at_step SslBump1
#acl localnet src 192.168.1.0/24
acl localnet src 192.168.1.2-192.168.1.200
# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202
acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .launchpad.net .ubuntu.com
# We don't want these to be cached.
store_miss deny whitelist
# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist
# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# THIS ISN'T WORKING!!!
# https://www.ubuntu.com is blocked with "Access Denied" from Squid.
http_access allow windows_boxes whitelist
http_access allow localhost
http_access allow localnet
http_access deny all
# We'll intercept traffic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file
# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all
# We want the query strings as well.
strip_query_terms off
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>
Thanks for all the help!
Kind regards.
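To make the first-match semantics of the http_access list concrete, here is a small evaluator added by the editor; it is not part of the thread and not Squid's own code. It replays the poster's http_access lines, with the ACL names and values copied from the config above, against constructed requests. Squid walks http_access top to bottom and the first line whose ACLs all match decides; an ACL whose attribute is unknown for the request cannot match. The evaluator models the case where the server name is not yet available when a rule is checked (for an intercepted TLS connection, that is the situation before the ClientHello carrying the SNI has been peeked) as server_name=None, and models Squid's built-in manager ACL as a flag on the request; both are simplifications made for this example.

```python
# Replay Squid http_access rules (first match wins) against constructed requests.
# Added example, not from the squid-users thread and not Squid's own code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL definitions copied from the poster's config: name -> (kind, values).
# 'manager' is Squid's built-in cache-manager ACL, modelled as a request flag.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["192.168.1.2-192.168.1.200"]),
    "windows_boxes": ("src", ["192.168.1.201", "192.168.1.202"]),
    "whitelist": ("server_name", [
        ".mojang.com", ".minecraft.net", "d2pi0bc9ewx28h.cloudfront.net",
        "mcupdate.tumblr.com", "minecraft-textures-1196058387.us-east-1.elb.amazonaws.com",
        ".steampowered.com", ".steamcommunity.com", ".steamgames.com", ".steamusercontent.com",
        ".steamcontent.com", ".steamstatic.com", ".akamaihd.net", ".launchpad.net", ".ubuntu.com",
    ]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 443]),
    "CONNECT": ("method", ["CONNECT"]),
    "manager": ("manager", []),
}

# http_access lines in config order: (action, [terms]); every term must match,
# a leading '!' negates the term.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["windows_boxes", "whitelist"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


@dataclass
class Request:
    src: str                            # client IP address
    port: int = 443                     # destination port
    method: str = "CONNECT"             # what Squid sees for a TLS connection
    server_name: Optional[str] = None   # None: name not known when the rule is checked
    manager: bool = False               # cache-manager request (constructed flag)


def src_matches(spec: str, ip: str) -> bool:
    """Squid 'src' value: a single address, a CIDR block or a 'lo-hi' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def domain_matches(pattern: str, name: str) -> bool:
    """'.example.com' covers example.com and its subdomains; a bare name only itself."""
    name, pattern = name.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        base = pattern[1:]
        return name == base or name.endswith("." + base)
    return name == pattern


def acl_matches(name: str, req: Request) -> bool:
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        return any(src_matches(v, req.src) for v in values)
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method in values
    if kind == "manager":
        return req.manager
    if kind == "server_name":
        # An unknown server name matches nothing, so the whitelist term fails.
        return req.server_name is not None and any(
            domain_matches(v, req.server_name) for v in values)
    raise ValueError(f"unknown ACL kind {kind}")


def decide(req: Request, rules=RULES):
    """Return (action, index of the deciding rule). The first rule whose terms all
    match wins; with no match the default is the opposite of the last rule's
    action and the index is None."""
    for idx, (action, terms) in enumerate(rules):
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(term.lstrip("!"), req) == negated:
                break                   # this term fails, try the next rule
        else:
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    cases = [
        Request("192.168.1.201", server_name="www.ubuntu.com"),   # name known
        Request("192.168.1.201"),                                 # name not yet known
        Request("192.168.1.201", server_name="www.example.org"),  # not whitelisted
        Request("192.168.1.50"),                                  # localnet client
        Request("192.168.1.201", port=8080, method="GET"),        # unsafe port
    ]
    for c in cases:
        action, idx = decide(c)
        rule = "default" if idx is None else f"rule {idx}: {RULES[idx]}"
        print(f"{c.src:15} port={c.port:<5} name={c.server_name!s:18} -> {action} ({rule})")
```

Running it shows the two outcomes that matter for the question: a windows_boxes client whose server name is known and on the list is allowed by the fifth line, while the same client with the name not yet known (or not on the list) falls past the windows_boxes line and the localnet line and is caught by deny all. A localnet client is allowed regardless of name, which is why only the windows_boxes range exposes the problem.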