[squid-users] make URL bypass squid proxy

robert k Wild robertkwild at gmail.com
Thu Jun 29 09:18:26 UTC 2023


Very clever, so you bunch all the ACLs up

acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile

The key word is "any-of", i.e. if the URL hits any one, do that first.

what about instead of making it

ssl::server_name_regex

I make it

*dstdom_regex*

On Thu, 29 Jun 2023 at 01:38, <ngtech1ltd at gmail.com> wrote:

> Hey Rob,
>
> The first thing is to allow the domain in the http_access just to be sure
> and use a basic deny all bottom line.
> Let me try to simplify your squid.conf
> In a link:
> https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e
>
> In plain text:
> ## START OF FILE
> # SSL Interception  basic rules
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
> acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"
>
> acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
> acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"
>
> ## Any-of will test whatever rule matches first, in a first match/hit fashion
> acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
>
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLInterceptAnyOf
> ssl_bump bump all
>
> #SSL Bump port
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>
> ## http_access acls, will apply on incoming requests and not on responses
> ## ^ anchors the start of the URL; the host-label group is optional so the apex host matches too
> acl special_url_regex url_regex ^https?://([^/]*\.)?redshift3d\.com/
> acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"
>
> acl special_url_dst_dom dstdomain .redshift3d.com
> acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"
>
> acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file
>
> acl localnet src 192.168.0.0/16
> acl localnet src 10.0.0.0/8
>
> http_access allow localnet special_url_any_of
> http_access deny all
> ## END OF FILE
>
> Once the above works, try to add other http_access rules like reply
> access rules.
>
> Let me know what happens,
> Eliezer
>
> From: robert k Wild <robertkwild at gmail.com>
> Sent: Tuesday, June 27, 2023 09:36
> To: ngtech1ltd at gmail.com
> Cc: Squid Users <squid-users at lists.squid-cache.org>
> Subject: Re: [squid-users] make URL bypass squid proxy
>
> Hi Eliezer,
>
> this is a snippet of my whitelist and no intercept SSL config
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
> #
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> #
> #deny up MIME types
> acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> #deny URL links
> acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> #
> #deny down MIME types
> acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> http_reply_access allow special_url
> http_reply_access deny downmime
> #http_access deny upmime
> #http_access deny url_links
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
> #
> http_access allow activation whitelist
> http_access deny all
>
> so basically no SSL interception
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> and whitelisting
>
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
>
> in both txt files ie
>
> /usr/local/squid/etc/interceptssl.txt
> /usr/local/squid/etc/urlwhite.txt
>
> I have a URL that first I have to whitelist, and then if I want Squid not
> to inspect the URL traffic I put it in the SSL interception file (I do this as
> some websites don't like MITM).
>
> But even after putting the URL in question in both files I'm still having issues
> with this website, i.e. it's still being detected that it's passing through a
> proxy.
>
> thanks,
> rob
>
> On Mon, 26 Jun 2023 at 23:35, <mailto:ngtech1ltd at gmail.com> wrote:
> Hey Robert,
>
> I am not sure what forward proxy setup you have there.
> A simple forward proxy?
> What tool are you using for whitelisting?
> You can use an external acl helper to allow dynamic updates of the
> whitelists, or
> periodically update your lists and reload.
> It will depend on the size of your lists.
> What OS are you using for your squid proxy?
>
> More details will help us help you.
>
> Eliezer
>
> From: squid-users <mailto:squid-users-bounces at lists.squid-cache.org> On
> Behalf Of robert k Wild
> Sent: Monday, June 26, 2023 22:25
> To: Squid Users <mailto:squid-users at lists.squid-cache.org>
> Subject: [squid-users] make URL bypass squid proxy
>
> hi all,
>
> I have set up Squid for URL whitelisting and no intercept SSL (see below)
>
> https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
>
> but for some websites I want the client to bypass the Squid proxy and go
> straight to the website, as I think this is why a URL isn't working even when
> I add the URL to both files, i.e. urlwhite and no intercept SSL.
>
> thanks,
> rob
>
> --
> Regards,
>
> Robert K Wild.
>
>
> --
> Regards,
>
> Robert K Wild.
>
>

-- 
Regards,

Robert K Wild.
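The any-of and splice logic discussed in the thread, as an added example (not code from the thread or from Squid itself): a small Python model of the ACL evaluation that shows which ACL fires first for a given SNI host and why the `(^|.*\.)` idiom has to change when it moves from `ssl::server_name_regex` into a `url_regex`. The domain-suffix matching rule, the first-match any-of order and the inlined contents of the list files are my assumptions.

```python
import re

# Constructed miniature of how Squid evaluates the ACLs in the thread
# (my reading of Squid's documented semantics, not Squid code):
#  - an ssl::server_name/dstdomain value with a leading dot matches that domain
#    and all of its subdomains; without the dot it is an exact match
#  - *_regex ACLs are unanchored searches; any-of returns the first listed match
# File-based ACLs are inlined with constructed contents.

def match_domain(pattern, host):
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def match_regex(pattern, text):
    return re.search(pattern, text) is not None

ACLS = {
    "NoSSLInterceptDstDom": ("ssl::server_name", [".redshift3d.com"]),
    "NoSSLInterceptDstDomFile": ("ssl::server_name", ["license.example"]),
    "NoSSLInterceptRegEx": ("ssl::server_name_regex", [r"(^|.*\.)redshift3d\.com$"]),
    "NoSSLInterceptRegExFile": ("ssl::server_name_regex", [r"^(.*\.)?cdn-example\.net$"]),
}
NO_INTERCEPT_ANY_OF = list(ACLS)  # same order as the any-of line in squid.conf

def first_match(sni):
    """Name of the first ACL in any-of order that matches the SNI host, or None."""
    for name in NO_INTERCEPT_ANY_OF:
        kind, values = ACLS[name]
        matcher = match_domain if kind == "ssl::server_name" else match_regex
        if any(matcher(v, sni) for v in values):
            return name
    return None

def ssl_bump_action(sni):
    """After the peek: ssl_bump splice NoSSLInterceptAnyOf, else ssl_bump bump all."""
    return "splice" if first_match(sni) else "bump"

# (^|.*\.) is right for a host-only match, but placed after "https?://" in a
# url_regex the ^ branch can never match, so the apex URL https://redshift3d.com/
# is silently excluded; an optional host-label group matches both forms.
POSTED_URL_RE = r"https?://(^|.*\.)redshift3d\.com/"
FIXED_URL_RE = r"^https?://([^/]*\.)?redshift3d\.com/"

def url_allowed(url, pattern=FIXED_URL_RE):
    """Model of http_access allow localnet special_url_regex for one URL."""
    return match_regex(pattern, url)
```

A host that merely contains the string, such as `notredshift3d.com` or `redshift3d.com.evil.example`, matches neither the dotted `ssl::server_name` value nor the anchored regex, which is what keeps the splice list from over-matching.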