[squid-users] Ubuntu 18 with Squid 4.11 SSL_BUMP
AMead
anthony_mead at progressive.com
Wed Apr 29 16:10:35 UTC 2020
1. Compiled Squid 4.11 on Ubuntu 18 T3 EC2 instance:
# Build configuration for Squid 4.11 on the Ubuntu 18 EC2 host.
# TLS interception needs an OpenSSL-linked build (--with-openssl) plus the
# certificate-generator helper (--enable-ssl-crtd), which is the
# security_file_certgen binary invoked from --libexecdir in step 2.
# NOTE(review): --enable-ssl is believed to be obsolete since Squid 3.5
# (superseded by --with-openssl); harmless if ignored, but confirm with
# ./configure --help before relying on it.
configure_args=(
  --prefix=/usr
  --exec-prefix=/usr
  --bindir=/usr/bin
  --sbindir=/usr/sbin
  --libdir=/usr/lib
  --libexecdir=/usr/libexec/squid
  --includedir=/usr/include
  --mandir=/usr/share/man
  --infodir=/usr/share/info
  --datadir=/usr/share/squid
  --sysconfdir=/etc/squid
  --localstatedir=/var
  --sharedstatedir=/var/lib
  --with-logdir=/var/log/squid
  --with-pidfile=/var/run/squid.pid
  --with-default-user=squid
  --with-openssl
  --enable-ssl
  --enable-ssl-crtd
)
./configure "${configure_args[@]}"
2. Initialized the ssl database:
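# Create the dynamic-certificate database for ssl-bump (-c), at the path the
# proxy will use (-s), capped at 4MB on disk (-M).  This must be one command
# line: as originally pasted, "-M 4MB" sat on its own line without a
# continuation and would have been run as a separate (failing) command.
sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db \
  -M 4MB
# NOTE(review): the helper runs at runtime as the proxy user
# (--with-default-user=squid), not as root.  A database created via sudo is
# root-owned, so hand it to that user afterwards (chown the ssl_db tree to the
# squid account) or on-the-fly certificate generation is expected to fail.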
3. I've read through a few similar posts and got the whitelist allowance
reasonably working, but now it appears to allow everything:
> /etc/squid/whitelist.txt
*.github.com
> /etc/squid/squid.conf
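# /etc/squid/squid.conf -- whitelist-only forward + NAT-intercept proxy (Squid 4.11)
visible_hostname squid
cache deny all

# Handling HTTP requests
# 3128: explicit forward proxy (clients send CONNECT/absolute URLs to it).
# 3129: NAT-intercepted plain HTTP.
http_port 3128
http_port 3129 intercept
# The same whitelist file feeds the TLS rule below.  Squid's documented form
# for "this domain and every subdomain" is a leading dot (".github.com");
# NOTE(review): confirm that the "*.github.com" entry currently in the file is
# accepted as intended rather than taken literally.
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites

# Handling HTTPS requests
acl SSL_port port 443
# Only the intercepted TLS port needs a blanket port-443 allowance: at SslBump1
# Squid has just a destination IP, so dstdomain cannot match yet and the
# ssl::server_name rule below does the filtering.  An unqualified
# "http_access allow SSL_port" also admits every "CONNECT <anything>:443"
# arriving on the explicit port 3128, which carries no ssl-bump option and so
# never reaches the server-name check -- a full whitelist bypass for any
# client configured to use the proxy explicitly.  Explicit CONNECT requests
# do carry the hostname, so allowed_http_sites above already covers them.
# (myportname defaults to the port spec when no name= is given; add
# name=... to the https_port line if you prefer an explicit label.)
acl tls_intercept_port myportname 3130
http_access allow SSL_port tls_intercept_port
# generate-host-certificates= is not listed because it defaults to on in 4.11.
https_port 3130 intercept ssl-bump \
  cert=/etc/squid/ssl/squid.pem \
  dynamic_cert_mem_cache_size=16MB

# HTTPS - Peek & Splice
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Earlier attempts, kept for reference (each produced NONE_ABORTED/200 in access.log):
# Alex R
# 10.0.1.93 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443 - HIER_NONE/- -
# http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-6-Transparent-HTTP-amp-HTTPS-Proxy-td4687578.html
#ssl_bump peek step1
#ssl_bump peek step2 allowed_https_sites
#ssl_bump terminate step2
#ssl_bump splice all
# Berger
# 10.0.1.93 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443 - HIER_NONE/- -
# http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-4-1-transparent-https-issue-quot-curl-60-SSL-certificate-problem-self-signed-certificate-in-ce-td4688553.html
#ssl_bump peek step1 all
#ssl_bump peek step2 allowed_https_sites
#ssl_bump splice step3 allowed_https_sites
#ssl_bump terminate
#dkanejs
# 10.0.1.93 TCP_TUNNEL/200 25082 CONNECT 185.199.111.153:443
# Allows https://example.com, https://github.com, but not https://news.ycombinator.com
#
# Current rules: peek at every step so the ClientHello (and, at step 2, the
# server side) is inspected without being modified; splice -- pass the TLS
# session through undecrypted -- only when the name is whitelisted; terminate
# (close the connection) everything else.  Nothing is bumped/decrypted.
# NOTE(review): the client chooses the SNI it presents.  Squid 4's
# ssl::server_name accepts --server-provided / --consensus options that also
# require the peeked server certificate to agree; worth checking against the
# 4.11 documentation if a client-chosen SNI alone should not be trusted.
ssl_bump peek all
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
http_access deny all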
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html