[squid-users] HTTPS and HTTP bypass authentication for certain sites

Alex Rousskov rousskov at measurement-factory.com
Thu May 28 17:19:58 UTC 2020


On 5/28/20 3:19 AM, Antonino Gianfranco Sanacori wrote:
> I have a 4.6 server Squid, I want to configure it to permit the free
> access, with http and https, to some ip address to my users.

> I have read that I can use ssl_bump splice acl, then I can configure in
> this way?

You do not need SslBump if you only need to block by the destination IP
address.


> acl list dstdomain "file.acl"

FYI: You said "to some ip address", but the dstdomain ACL is using
domain names. Squid can try to reverse-lookup destination IP addresses
(to match them to the provided domain names), but DNS reverse lookups
are often unreliable.

If you can indeed block by the destination IP address, then consider
using the "dst" ACL instead. The "dst" ACL may also require (forward)
DNS lookups, but they are often more reliable.


> https_access allow list

There is no https_access directive. HTTPS (and FTP) traffic uses the
(arguably misnamed) http_access directive.

Please note that the configuration snippet you posted does not cover the
"my users" part of your requirement summary. It also allows establishing
TCP tunnels to arbitrary ports (on the allowed destination addresses).
Most likely, you want neither.


HTH,

Alex.


> acl list dstdomain "file.acl"
> ssl_bump splice list
> http_access allow list
> https_access allow list 
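
An added example, not part of the original message and not the Squid project's own configuration: one way to write the rules so that they address the points raised in the reply above (match by destination IP with "dst", use only http_access, limit access to known clients, and limit CONNECT tunnels to port 443). The ACL names free_dst, localnet and authed, the file path, and the client address range are assumptions; authentication (auth_param) is assumed to be configured elsewhere in squid.conf.

```squidconf
# Added example; names, path and address range below are assumptions.

# "my users": the clients allowed to use this proxy (placeholder range).
acl localnet src 192.0.2.0/24

# Destinations reachable without authentication, matched by IP address.
# The (hypothetical) file holds one address or CIDR block per line.
acl free_dst dst "/etc/squid/free_dst.acl"

# Port and method ACLs, in the style of the stock squid.conf.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Matches requests carrying valid proxy credentials (needs auth_param).
acl authed proxy_auth REQUIRED

# Refuse unexpected ports, and CONNECT tunnels to anything but 443,
# before any allow rule is evaluated.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# HTTP and HTTPS (CONNECT) requests are both checked by http_access.
# Known clients reach the listed addresses without an auth challenge.
http_access allow localnet free_dst

# Everything else from known clients requires authentication.
http_access allow localnet authed
http_access deny all
```

No ssl_bump rule appears because the decision is made on the destination address alone; `squid -k parse` checks the syntax before a reload.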


