[squid-users] acl whitelist ssl::server_name not working

John Lowry jlowry at gmail.com
Thu Nov 14 17:29:07 UTC 2019


Thanks to Alex Rousskov's excellent explanation in
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-configure-squid-4-6-to-splice-without-bumping-td4688482.html,
I have been able to set up Squid as a transparent proxy that splices
HTTPS connections.

I want to set up a whitelist. First, I tried to configure SquidGuard
but I couldn't find a way to pass the servername to SquidGuard when
connections were spliced.

So now I'm trying to use ACLs to whitelist by hostname.

acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

But I can't get it to work. The logs appeared to indicate that URLs in
the whitelist were first denied, then bumped:

14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT
104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET
https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org

I think that the ACLs are trying to match a spliced connection against
the IP address rather than SNI server name.

Any idea what I'm doing wrong here?

I'd also like to present a good error message if the outcome is
denied, and never bump connections.

My config is:

acl CONNECT method CONNECT
acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested
http_access allow whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek all
ssl_bump splice all
logformat sslbump %tl %>a %Ss/%03<Hs %<st %rm %>ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log sslbump
debug_options ALL,3 28,9

