[squid-users] Filering HTTPS URLs - A complete configuration
Paul Doignon
paul at doignon.fr
Tue Feb 5 14:33:09 UTC 2019
Hi,
I'm struggling a lot to configure Squid. To improve the security of my app in my AWS private subnet, I would like to build a HTTPS proxy to whitelist *only* some URLs.
My wish is to *not* rely on SNI filtering but bump HTTPS traffic in order to filter the URLs (path) of HTTPS requests. I know that means to install a custom CA.
The thing is... I have a hard compiling a working configuration file for Squid 3.5, most examples are outdated or incomplete.
My current config is :
# ---
# General
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 1 seconds
visible_hostname squid
# Hide some reavealing or useless headers
forwarded_for delete
httpd_suppress_version_string off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
via off
# Tuning
max_filedesc 10000
# Disable access to manager
http_access deny manager
# Handling HTTPS requests
https_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE intercept
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
acl SSL_port port 443
http_access allow SSL_port
# Whitelist
acl whitelist-regex url_regex -i thirdparty.com/upload/stuff/
acl whitelist-regex url_regex -i otherthirdparty.com/specific-path/
http_access allow whitelist-regex
# SSL bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump whitelist-regex
ssl_bump terminate step2 !whitelist-regex
# Deny the rest
http_access deny all
# ---
What I am missing ? Should I use squid 4 for this ?
Thanks a lot in advance !
More information about the squid-users
mailing list