[squid-users] no ssl intercept - question how it works

robert k Wild robertkwild at gmail.com
Tue Aug 10 16:56:24 UTC 2021


hi all,

before I continue, so sorry for the stupid question but trying to learn

basically here's my squid.conf

#NO SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"

#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"

http_reply_access allow special_url
http_reply_access deny mimetype
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"

#HTTP_HTTPS whitelist websites regex
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"

http_access allow activation whitelist
http_access allow activation whitelistreg
http_access deny all

in my urlwhitelist is this

#apple app store
.p18-buy.itunes.apple.com
.gsas.apple.com
.se-edge.itunes.apple.com
.ocsp2.apple.com
.gsa.apple.com
.osxapps.itunes.apple.com
.xp.apple.com
.search.itunes.apple.com
.apptrailers-ssl.itunes.apple.com
.apptrailers.itunes.apple.com
.configuration.apple.com
.amp-api.apps.apple.com
.buy.itunes.apple.com
.api-edge.apps.apple.com
.play.itunes.apple.com
.s.mzstatic.com
.sf-api-token-service.itunes.apple.com
.apps.mzstatic.com
.init.itunes.apple.com
.bag.itunes.apple.com

in my nointerceptssl is this

#apple app store
.bag.itunes.apple.com
.apps.mzstatic.com
.play.itunes.apple.com
.api-edge.apps.apple.com
.amp-api.apps.apple.com
.xp.apple.com
.p18-buy.itunes.apple.com

I got all the URLs etc. by looking at tail -f access.log and grepping for the IP and
TCP_DENIED

but when I try to load the Apple App Store the whitelist isn't enough, I
need to add a couple of URLs to the nointerceptssl

I got that list by doing the same method, i.e. looking at tail -f access.log
and grepping for the IP, but as I've already whitelisted the URLs they all came
back as none or ok instead of saying TCP_DENIED

my question is why do I need to add some URLs to the nointerceptssl and why
isn't it enough just to add them to the urlwhite list

rob

-- 
Regards,

Robert K Wild.
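An added illustration, not Squid's own code and not part of Rob's post, that models how Squid walks the ssl_bump rules above (first matching rule wins at each SslBump step) and how that decision is separate from the http_access whitelist. The matching semantics are assumed from the squid.conf documentation and reduced to what the post uses; the two list files are constructed subsets of the ones in the post.

```python
# Simplified model of Squid's ssl_bump evaluation for the posted config.
# Assumptions: explicit proxy on port 3128 (step 1 sees the CONNECT host,
# step 2 adds the TLS SNI), leading-dot list entries match the domain and
# all its subdomains, and the first ssl_bump rule that matches at a step wins.

# Constructed subsets of nointerceptssl.txt and urlwhite.txt from the post.
NO_INTERCEPT = [".bag.itunes.apple.com", ".apps.mzstatic.com", ".xp.apple.com"]
WHITELIST = NO_INTERCEPT + [".gsa.apple.com", ".ocsp2.apple.com", ".s.mzstatic.com"]

# The first ssl_bump block from the post, in order. The second block's
# duplicate lines never run because "bump all" already matches everything.
SSL_BUMP_RULES = [("splice", "NoSSLIntercept"), ("peek", "DiscoverSNIHost"), ("bump", "all")]


def domain_matches(name, patterns):
    """Leading-dot entries match the domain itself and every subdomain."""
    name = name.lower().rstrip(".")
    return any(name == p.lstrip(".") or (p.startswith(".") and name.endswith(p))
               for p in patterns)


def acl_matches(acl, step, server_name):
    if acl == "all":
        return True
    if acl == "DiscoverSNIHost":           # acl DiscoverSNIHost at_step SslBump1
        return step == 1
    if acl == "NoSSLIntercept":            # acl NoSSLIntercept ssl::server_name "..."
        return bool(server_name) and domain_matches(server_name, NO_INTERCEPT)
    raise ValueError("unknown acl " + acl)


def ssl_bump_decision(step, server_name):
    for action, acl in SSL_BUMP_RULES:
        if acl_matches(acl, step, server_name):
            return action
    return "splice"                         # Squid's default when no rule matches


def connection_actions(connect_host, sni):
    """Return the ssl_bump action taken at each step; only peek continues."""
    actions = [ssl_bump_decision(1, connect_host)]
    if actions[0] == "peek":
        actions.append(ssl_bump_decision(2, sni or connect_host))
    return actions


def http_access_verdict(server_name):
    """Models 'http_access allow activation whitelist' then 'deny all'; the
    'activation' acl is not shown in the post and is assumed to match."""
    return "allow" if domain_matches(server_name, WHITELIST) else "deny"


def classify(host):
    """http_access is checked on the CONNECT first; only allowed hosts reach ssl_bump."""
    verdict = http_access_verdict(host)
    return verdict, (connection_actions(host, host) if verdict == "allow" else [])
```

A host that is only whitelisted is still bumped, so the client is shown a certificate generated under myCA.pem; a client that does not trust that CA, or that pins the real server certificate, fails on those hosts even though http_access allowed them, which is why a host can need to be in nointerceptssl as well as in urlwhite.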