[squid-users] [EXTERNAL] Re: Ubuntu 18 with Squid 4.11 SSL_BUMP
Anthony Mead
ANTHONY_MEAD at progressive.com
Wed Apr 29 20:15:09 UTC 2020
Thanks! I've re-compiled without the unnecessary flag and restarted the service with a new whitelist. Unfortunately, I'm getting such a variety of /var/log/squid/access.log messages that I'm not sure what to google anymore.
I want to deny all access to external sites except http/https github.com but some sites seem to connect, while others don't:
~$ # this is correct
~$ curl http://github.com/
10.0.1.180 TCP_MISS/301 200 GET http://github.com/
~$ # this is correct
~$ curl https://github.com/
10.0.1.180 TCP_TUNNEL/200 107323 CONNECT 140.82.114.4:443
~$ # this should deny
~$ curl https://youtube.com/
10.0.1.180 TCP_TUNNEL/200 4844 CONNECT 172.217.15.110:443
~$ # this should deny
~$ curl https://google.com/
10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.2.110:443
~$ # this is denying - but not from squid, but openssl?
~$ curl https://news.ycombinator.com/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443
10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443
On 4/29/20, 2:59 PM, "squid-users on behalf of Amos Jeffries" <squid-users-bounces at lists.squid-cache.org on behalf of squid3 at treenet.co.nz> wrote:
On 30/04/20 4:10 am, AMead wrote:
> 1. Compiled Squid 4.11 on Ubuntu 18 T3 EC2 instance:
>
> ./configure \
...
> --with-openssl \
> --enable-ssl \
"--enable-ssl" is not a Squid build option.
> --enable-ssl-crtd
>
>
> 2. Initialized the ssl database:
>
> sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db
> -M 4MB
>
>
> 3. I've tried to read through a few similar posts, and got something
> reasonably working for the allowance, but now it's appearing to allow
> everything:
>
>> /etc/squid/whitelist.txt
> *.github.com
>
This is not dstdomain syntax. Remove the "*" character.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
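An added example, not part of the thread and not Squid's own code: a small linter for a dstdomain whitelist file that flags the "*" form pointed out in the reply and rewrites it to the leading-dot form, plus a model of how a leading-dot entry matches host names. The function names and the sample file are assumptions made for illustration; only the "*.github.com" entry comes from the thread.

```python
import re

# One DNS label: letters, digits, inner hyphens (max 63 chars).
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def lint_entry(raw):
    """Check one whitelist line. Returns (usable_entry_or_None, problem_or_None)."""
    entry = raw.strip().lower()
    if not entry or entry.startswith("#"):
        return None, None                      # blank line or comment
    if "/" in entry:
        return None, "URL or path given; dstdomain takes host names only"
    problem = None
    if entry.startswith("*"):
        # "*.github.com" was meant as "github.com and its subdomains".
        entry = "." + entry.lstrip("*").lstrip(".")
        problem = "'*' is not dstdomain syntax; use a leading dot"
    name = entry[1:] if entry.startswith(".") else entry
    if not name or not all(LABEL.match(label) for label in name.split(".")):
        return None, "not a valid host name"
    return entry, problem

def dstdomain_match(entry, host):
    """Model of the leading-dot rule: '.d' covers d and every subdomain of d."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def lint_whitelist(text):
    """Lint a whole file. Returns (entries, [(line_no, raw, problem), ...])."""
    entries, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry, problem = lint_entry(raw)
        if entry:
            entries.append(entry)
        if problem:
            findings.append((line_no, raw.strip(), problem))
    return entries, findings

# Constructed sample input; only "*.github.com" comes from the thread.
SAMPLE = "# allowed sites\n*.github.com\nhttps://github.com/\nexample.org\n"

if __name__ == "__main__":
    entries, findings = lint_whitelist(SAMPLE)
    for line_no, raw, problem in findings:
        print(f"line {line_no}: {raw!r}: {problem}")
    for host in ("github.com", "api.github.com", "notgithub.com", "youtube.com"):
        print(host, any(dstdomain_match(e, host) for e in entries))
```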