[squid-users] squid-users Digest, Vol 58, Issue 31

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 1 06:28:33 UTC 2019


>> Today's Topics:
>>
>>  1. Re: Bypassing SSL Man In the Middle Filtering For Certain LAN
>>  IP's (Amos Jeffries)
>>


On 1/07/19 2:04 pm, Mike Golf wrote:
> I'm looking for help modifying the stock squid config file, within the
> GUI I can bypass the proxy completely (HTTP + HTTPS) for certain LAN
> IP's; however this will also stop them from accessing the cached HTTP
> data. I don't want this; rather, I want the IP addresses in the range of
> 192.168.1.2 - 192.168.1.200 to be excluded from HTTPS caching but
> still being able to access/cache with the HTTP proxy. I don't know how
> to modify the standard configuration files to allow this, PFSense will
> bypass(HTTP + HTTPS) any IP I add to "Bypass Proxy for These Source
> IPs".
>
> I'm running the HTTP proxy in transparent mode and I've included the
> current configuration I'm using for reference, could you walk me
> through how I would go about modifying the configuration file. I'm not
> too familiar with squid terminology so could you please explain it to
> me like I'm 5 (ELI5). I don't know how to structure the directives and
> ACL's to allow this since the GUI menu uses a "blanket"
> configuration for whatever you input, I need help with specifying the
> custom options.
>
> # This file is automatically generated by pfSense
> # Do not edit manually !

Unfortunately I'm not familiar enough with the pfSense GUI to provide
simple instructions for how to use it.

That said ...

>
> http_port 192.168.1.1:3128
> http_port 127.0.0.1:3128 intercept


... there is no https_port here to receive HTTPS or TLS/SSL traffic.

Which means the HTTPS traffic cannot be cached by this proxy. You
should not have to do anything - what you are asking for is the existing
behaviour of the config file you showed.

Are you seeing https:// URLs in your access.log file? If not, then don't
worry. If you are, then that client is an HTTP-only client requesting that
Squid handle the HTTPS parts on its behalf.


Amos
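
The two checks suggested in the reply above, as an added example that is not part of the original message: list the listening-port directives in a config and count, per client, which access.log requests carry https:// URLs. It assumes Squid's default native access.log field order; the config excerpt, log lines, addresses and function names are constructed for illustration.

```python
# Added example: all inputs below are constructed, not taken from a real system.
SAMPLE_CONF = """\
# constructed excerpt mirroring the two lines quoted in the thread
http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 intercept
"""

# Constructed lines in Squid's native access.log layout (assumed default):
# time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1561962500.101     45 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1561962501.220    310 192.168.1.10 TCP_TUNNEL/200 8841 CONNECT example.org:443 - HIER_DIRECT/203.0.113.20 -
1561962502.300     80 192.168.1.55 TCP_MISS/200 2048 GET https://example.net/app.js - HIER_DIRECT/203.0.113.30 application/javascript
1561962503.050      2 192.168.1.10 TCP_MEM_HIT/200 5120 GET http://example.com/ - HIER_NONE/- text/html
"""


def listening_ports(conf_text):
    """Return (directive, address, options) for each http_port/https_port line."""
    ports = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) > 1 and fields[0] in ("http_port", "https_port"):
            ports.append((fields[0], fields[1], fields[2:]))
    return ports


def classify_requests(log_text):
    """Count per client: https:// URLs, CONNECT tunnels, plain http:// URLs."""
    counts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or non-native lines
        client, method, url = fields[2], fields[5], fields[6]
        if method == "CONNECT":
            kind = "connect_tunnel"  # logged as host:port, no URL scheme
        elif url.lower().startswith("https://"):
            kind = "https_url"       # the case the reply asks about
        elif url.lower().startswith("http://"):
            kind = "http_url"
        else:
            kind = "other"
        per_client = counts.setdefault(client, {})
        per_client[kind] = per_client.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(listening_ports(SAMPLE_CONF))
    print(classify_requests(SAMPLE_LOG))
```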

