[squid-users] Questions about Squid configuration

にば taku0919.taku at gmail.com
Wed Sep 25 05:57:11 UTC 2024


Dear Alex,

Thank you for your advice!

>Do you run these "curl" commands on the same box that runs Squid?
No, we have a Squid validation environment on an AWS EC2 instance,
and the instance for Squid and the instance for running curl commands
are separate.

>However, you may want to double check whether rejecting requests with an
>empty Host header is actually necessary in your environment. Perhaps
>they can be considered valid (which is what Squid does by default)?
Thank you.
Indeed we do not want to explicitly reject empty Host headers, we just
want to reject malformed requests.
Therefore, we will not add an explicit rejection setting.

>I recommend deleting the above http_access rule. AFAICT, you only want
>to allow valid requests targeting specific/allowed sites. You already
>have other rules for that. The above "all HTTPS" rule is too broad and
>is seemingly unnecessary.

>I also recommend deleting a similar rule that allows all port-80
>requests, for similar reasons:
>     acl http_port port 80
>     http_access allow http_port


>If you think you do need those two broad rules, please clarify what you
>think you need them for. In other words, what tests would break if you
>remove them?
I did not need these rules, so I removed them and verified STEP 2
again and everything passed!
Thank you so much for your help!!

We then added the following settings that were in the existing Squid proxy.
*The entire configuration is attached to this email.

# SSL_BUMP
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent_https"
sslcrtd_program [sslcrtd-program-setting]

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

Then I verified the 4 patterns again and all of them gave me 403 Forbidden...
Even the following pattern, which is allowed in the whitelist:
> 1. successful communication of a valid request to an allowed site
> [command]
> curl https://pypi.org/ -v --cacert squid.crt -k

After checking access-transparent.log and cache.log, it appears that
pypi.org is comparing inspections by IP and not by domain.
How do I modify the configuration to allow this correctly by domain?
Also, to begin with, these settings follow the existing squid proxy
created by my predecessor, so I don't know what they are for...
What are the disadvantages of removing these settings?

Thank you in advance.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-transparent.conf
Type: application/octet-stream
Size: 4468 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240925/9c7ef510/attachment.obj>
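An added triage example, not part of the mail thread or of Squid itself: it parses native-format access.log lines and separates CONNECT entries whose target is a bare IP (what an intercepting SslBump proxy logs for the step-1 fake CONNECT, before the SNI is known) from entries carrying a server name, and checks the named ones against a whitelist using dstdomain-style matching. The log lines, the whitelist entries and the file name SAMPLE_LOG are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid's default native access.log format
# (not taken from the original mail). The first two imitate the step-1
# fake CONNECT of an intercepting SslBump proxy, which targets IP:port;
# the others carry the real server name obtained from the SNI.
SAMPLE_LOG = """\
1727243831.101    120 10.0.1.25 TCP_DENIED/403 3950 CONNECT 151.101.0.223:443 - HIER_NONE/- text/html
1727243831.240     55 10.0.1.25 TCP_DENIED/403 3950 CONNECT 151.101.64.223:443 - HIER_NONE/- text/html
1727243835.512    310 10.0.1.25 TCP_TUNNEL/200 6210 CONNECT pypi.org:443 - ORIGINAL_DST/151.101.0.223 -
1727243840.003     10 10.0.1.25 TCP_DENIED/403 3900 CONNECT example.net:443 - HIER_NONE/- text/html
"""

# Constructed whitelist in dstdomain syntax (the syntax ssl::server_name
# lists use): a leading dot matches the domain and all its subdomains,
# a bare name matches exactly.
WHITELIST = [".pypi.org", "files.pythonhosted.org"]

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+.*$"
)

def is_ip(host):
    # A literal IP target means the proxy had no server name to match on.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def whitelisted(host, entries):
    # dstdomain-style matching: ".pypi.org" also matches "pypi.org" itself.
    host = host.lower().rstrip(".")
    for e in (x.lower() for x in entries):
        if e.startswith(".") and (host == e[1:] or host.endswith(e)):
            return True
        if host == e:
            return True
    return False

def classify(log_text, entries=WHITELIST):
    # Count CONNECT entries as "<ip|listed|unlisted>/<status>".
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, _port = m["url"].rpartition(":")
        kind = "ip" if is_ip(host) else ("listed" if whitelisted(host, entries) else "unlisted")
        counts[f"{kind}/{m['status']}"] += 1
    return counts
```

A high "ip/403" count alongside a "listed/200" entry for the same client points at the IP-only stage being denied rather than at the whitelist entry itself.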
