[squid-users] acl whitelist ssl::server_name not working

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 14 23:07:41 UTC 2019


On 11/14/19 12:29 PM, John Lowry wrote:
> I have been able to set up Squid as a transparent proxy that splices
> HTTPS connections.

> Now I'm trying to use ACLs to whitelist by hostname.
> 
> acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested


FWIW, I do not know whether the above syntax is supported. I recommend
starting with a single whitelisted name. For example:

  acl whitelist ssl::server_name --client-requested example.com

and then, if the above works, migrate to importing parameters from a
file (but start with one domain name in that file):

  acl whitelist ssl::server_name --client-requested "/etc/squid/whitelist.txt"


> But I can't get it to work. The logs appeared to indicate that URLs in
> the whitelist were first denied then bumped:
> 
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT
> 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET
> https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org
> 
> I think that the ACLs are trying to match a spliced connection against
> the IP address rather than SNI server name.
> 
> Any idea what I'm doing wrong here?

If you only want to act based on SNI, then do not use an http_access
rule during step1 when SNI is not yet known. There may be several ways
to accomplish that. However, in most cases, you want to act ASAP,
regardless of whether the [sufficient] information came from the TCP
layer or the TLS layer. If that is your use case, then it is OK to apply
the http_access rule during step1 as well (assuming your ACL will simply
not match when there is not enough information yet).


> http_access allow whitelist

Even if the request is for an "unsafe" port? I doubt you want this rule
so high. See squid.conf.default for the recommended access controls order.


> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> include /etc/squid/conf.d/*
> http_access allow localhost
> http_access deny all

FYI: The last rule will deny access to non-localhost CONNECT requests
during step1 if they do not carry enough information to qualify for the
whitelist exception.

Keep in mind that http_access rules are evaluated several times during a
single master transaction. For details, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.
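
A squid.conf fragment showing the step1/step2 split Alex describes: let the intercepted CONNECT through at step1 (when only the TCP destination is known), peek to learn the SNI, and make the allow-list decision at step2. This is an added example, not a config from the thread or from the Squid project; it assumes the default Safe_ports, SSL_ports and localhost ACLs and an intercepting https_port with ssl-bump are already defined, and uses example.com as the only allow-listed name.

```conf
# Added example (not from this thread or the Squid project). Assumes the
# default Safe_ports/SSL_ports/localhost ACLs and an intercepting https_port
# with ssl-bump are already configured.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl whitelist ssl::server_name --client-requested example.com

# Recommended order from squid.conf.default comes first.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Step1: the intercepted CONNECT only carries the TCP-level destination; the
# SNI is not known yet, so let it through so Squid can peek at the
# ClientHello. "whitelist" (--client-requested) cannot match here.
http_access allow CONNECT step1 SSL_ports

# Step2 and later: the SNI is known, so the allow-list decision is made now.
http_access allow whitelist
http_access allow localhost
http_access deny all

# Peek at step1 to learn the SNI, splice allow-listed names, refuse the rest.
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump terminate all
```

With this ordering a CONNECT for a non-listed name is logged as denied at step2 rather than at step1, which is the behaviour the access.log lines above show.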

