[squid-users] bypassing the domains
udhayakumar
udhayakumar at fatpipeinc.com
Wed Feb 5 10:54:09 UTC 2025
Hi everyone,
If I put whitelist_regex into the config below, then whichever domain I try to browse, the browser reports *SSL_ERROR_RX_RECORD_TOO_LONG*.
Thanks,
Udhayakumar.
On 2/5/25 4:17 PM, udhayakumar wrote:
> Hi everyone,
>
> I am facing a small issue: I need to bypass some domains, such as banks and general domains like Google and Yahoo (search engines). Currently I am doing SSL bump on all sites. How do I bypass those domains, or create the connection between server and client without decrypting
> it? Below is my config.
>
> =================================================================
>
> # --- Listening ports ---------------------------------------------------------
> # 3128: explicit proxy; 3129 / 3127: TPROXY-intercepted plain HTTP / TLS
> http_port 3128
> http_port 3129 tproxy
> # NOTE(review): this cipher list differs from the tls_outgoing_options list
> # below: here "RC4" and "3DES" are listed positively ("HIGH:RC4" and "3DES")
> # while the outgoing list negates them ("!RC4", "!3DES"). Current browsers will
> # not select them, but the two lists should agree. options=ALL:NO_SSLv3 only
> # removes SSLv3; TLS 1.0/1.1 stay negotiable unless restricted elsewhere.
> https_port 3127 tproxy ssl-bump cert=/etc/squid_av/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:RC4:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=ALL:NO_SSLv3
>
> # outgoing (proxy -> origin server) TLS settings
> # don't verify peer; accept and serve even when validation fails
> #tls_outgoing_options flags=DONT_VERIFY_PEER
> # NOTE(review): DONT_VERIFY_DOMAIN accepts a server certificate whose name does
> # not match the requested host. Together with "sslproxy_cert_error allow all"
> # near the end of this file, Squid effectively performs no origin-server
> # authentication on bumped connections, and clients cannot notice because they
> # only ever see the proxy-minted certificate.
> tls_outgoing_options flags=DONT_VERIFY_DOMAIN
> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> icp_port 0
> digest_generation off
> error_default_language en
> #logformat icap_squid %tl %>a %>p %<A %la %lp %<la %<lp %tr %dt
> #icap_log /var/log/squid/access.log
> #logformat customlog (%tl) source_ip=%>a src_port=%>p user=%ui [%tl] "%rm %ru HTTP/%rv" status=%>Hs size=%<st user_agent="%{User-Agent}>h"
>
>
> cache_log /var/log/squid/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable off
>
> log_icp_queries off
> # NOTE(review): logfile_rotate is assigned again ("logfile_rotate 2") a few
> # lines below; the later assignment appears to be the effective one, so this
> # line is dead and one of the two should go.
> logfile_rotate 1
> # SMP workers, sized to the processor count
> workers 16
> # NOTE(review): only workers 1 and 2 are pinned (to cores 1 and 3); the other
> # 14 are left to the scheduler. The stray ", " after "2" does not match the
> # documented "process_numbers=N,M cores=A,B" form and may not parse -
> # verify with "squid -k parse".
> cpu_affinity_map process_numbers=1,2, cores=1,3
> # certificate-mimic helper: mints per-host certificates (2048-bit keys, 16MB db cache)
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB -b 2048
> logfile_rotate 2
> debug_options rotate=2
> #proxy options
> hosts_file /etc/hosts
> fqdncache_size 6000
> visible_hostname fatpipe_proxy
> collapsed_forwarding on
> # leave any existing X-Forwarded-For header untouched; do not append the client IP
> forwarded_for transparent
> # adds a Via header carrying visible_hostname (version string hidden by the next line)
> via on
> httpd_suppress_version_string on
> uri_whitespace strip
> shutdown_lifetime 3 seconds
> url_rewrite_host_header on
> # logging: drop query strings from logged URLs
> strip_query_terms on
> # in-memory cache, intended to be half of RAM
> # NOTE(review): 8096 MB is probably meant to be 8192 MB (8 GiB); harmless either way
> cache_mem 8096 MB
> memory_cache_mode always
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 4 MB
> # rock store: fixed-size slots on disk, which keeps disk I/O predictable
> cache_dir rock /var/spool/rockfs/squid_cache 20000 max-size=32768 max-swap-rate=250 swap-timeout=200
> max_stale 1 week
> # NOTE(review): traffic on an intercepted port that is neither HTTP nor TLS is
> # tunnelled as-is. That keeps non-HTTP applications working, but it is also a
> # path around the ICAP scanning configured further down, so it should be a
> # conscious choice rather than a default.
> on_unsupported_protocol tunnel
>
> offline_mode off
> #cache low and high mark
> cache_swap_low 90
> cache_swap_high 96
> cache allow all
>
> # HTTP pipelining: number of requests to read ahead
> pipeline_prefetch 6
> # ports on which CONNECT (TLS tunnels) is permitted
> acl SSL_ports port 443 #https
> acl SSL_ports port 563 #nntps (NNTP over TLS), not https
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
>
> acl purge method PURGE
> # NOTE(review): this CONNECT ACL is declared a second time further below
> # (just above wuCONNECT); the repeat is redundant but harmless.
> acl CONNECT method CONNECT
>
> # SslBump steps (roughly): step1 = client connection accepted, step2 = after
> # the ClientHello has been peeked (SNI known), step3 = after the server hello
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> # matches every client; used for the final deny rule
> acl allsrc src all
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Windows Update destinations permitted for localnet clients
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> # NOTE(review): "cl" on the next line is missing the leading "a" of "acl";
> # as written it is not a valid directive and "squid -k parse" would reject it.
> cl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> # NOTE(review): "dstdomainwww." on the next line (and in wuCONNECT below) has
> # lost the space between the ACL type and its value, most likely when the
> # HTML mail was converted to text; the line needs "dstdomain www.".
> acl windowsupdate dstdomainwww.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomainwww.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> # NOTE(review): http_access is first-match, and these two allow rules sit above
> # the "deny !Safe_ports" / "deny CONNECT !SSL_ports" rules further down, so
> # Windows Update destinations skip those port checks. Placing them below the
> # deny rules keeps the port policy uniform; normal 80/443 update traffic is
> # unaffected by the move.
> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
>
> #skip lan subnet
> # narrower alternative to the "sslproxy_cert_error allow all" used further down:
> # tolerate only name mismatches, only for localnet, and deny every other error
> #acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> #sslproxy_cert_error allow localnet DomainMismatch
> #sslproxy_cert_error deny all
>
> # Define a list of websites to skip the proxy
> #acl sslwhitelist ssl::server_name_regex -i "/etc/squid_av/whitelist_regex.acl"
> #acl allowed_sites ssl::server_name "/etc/squid_av/whitelist.acl"
> #acl local-external dstdomain .google.com .icicibank.com
> #always_direct allow local-external
> #acl allowed_sites ssl::server_name .foo.com .hdfcbank.com .copilot.microsoft.com
> #sslproxy_cert_error allow allowed_sites
> # off is Squid's default: intercepted requests whose Host header does not match
> # the original destination are still served rather than refused
> host_verify_strict off
>
> # SslBump decision chain: peek at the ClientHello first so the SNI is known,
> # then (optionally) splice whitelisted server names, otherwise bump.
> # NOTE(review): ssl_bump rules are first-match per step; a splice rule has to
> # sit between "peek step1" and "bump all" (where the commented lines are) so
> # it is evaluated at step2 with the SNI available. The browser error quoted in
> # the reply (SSL_ERROR_RX_RECORD_TOO_LONG) means the client received non-TLS
> # bytes where it expected a TLS record, which usually points at what is being
> # delivered on the intercepted 443 path (e.g. the TPROXY redirect for 3127 vs
> # 3129, outside this file) rather than at the ACL itself - worth checking.
> ssl_bump peek step1
> #ssl_bump splice sslwhitelist
> #ssl_bump splice allowed_sites
> ssl_bump bump all
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access allow purge localhost
> http_access deny purge
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnet
> http_access allow localhost
> #request header config
> # 0 KB: abort the server fetch as soon as the client disconnects
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> # 0 KB: no limit on request body size
> request_body_max_size 0 KB
> #delay_pools config
> # one class-2 pool with -1/-1 (unlimited) aggregate and per-host buckets; with
> # the delay_access lines below commented out the pool presumably applies to
> # nobody, so this section is currently inert
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> # Throttle extensions matched in the url
> #acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
> #delay_access 1 allow throttle_exts
> #delay_access 1 deny allsrc
>
> # Set YouTube safesearch restriction
> # NOTE(review): "-nwww.youtube.com" and "youtube.googleapis.comwww.youtube-nocookie.com"
> # below have lost spaces ("-n www.youtube.com", "...googleapis.com www.youtube-nocookie.com"),
> # again most likely a mail-to-text artefact
> #acl youtubedst dstdomain -nwww.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.comwww.youtube-nocookie.com
> #request_header_access YouTube-Restrict deny all
> #request_header_add YouTube-Restrict moderate youtubedst
> # NOTE(review): this repeats the "ssl_bump peek step1" / "ssl_bump bump all"
> # pair from above; ssl_bump is first-match, so these two lines are never
> # reached and can be removed.
> ssl_bump peek step1
> ssl_bump bump all
> # Allow local network(s) on interface(s)
> # NOTE(review): localnet is already allowed higher up (right after
> # "deny CONNECT !SSL_ports"); this second allow is unreachable.
> http_access allow localnet
>
> # Default block all to be sure
> http_access deny allsrc
>
>
> # --- ICAP (ClamAV via squidclamav on localhost) -----------------------------
> icap_enable on
> # forward the client IP and username to the ICAP service
> # (X-Client-IP and the header named by icap_client_username_header)
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> # NOTE(review): no proxy authentication scheme appears in this file, so the
> # username header is presumably empty - verify against the real deployment.
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
>
>
> # bypass=on: if the ICAP service is unreachable, requests go through unscanned
> # (fail-open); bypass=off on the response side means downloads are refused
> # while the scanner is down (fail-closed). Asymmetric by design, but worth
> # knowing so a scanner outage is not mistaken for a Squid fault.
> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_resp allow all
>
> #debug_options ALL,1
> # NOTE(review): this accepts every server-certificate error (untrusted CA,
> # expired, self-signed, name mismatch) on every bumped connection; the client
> # then receives a certificate minted from squidCA, which it trusts once the CA
> # is installed, and gets no warning at all. The commented DomainMismatch-only
> # rule earlier in the file is the narrower form: allow specific errors for
> # specific ACLs, then "sslproxy_cert_error deny all", so users keep
> # server-authentication failures visible.
> sslproxy_cert_error allow all
> # do not cache error responses or failed DNS lookups for any length of time
> negative_ttl 0 seconds
> negative_dns_ttl 1 second
>
> # directory for core dumps (a separate path, not the cache_dir)
> coredump_dir /var/log/dump/squid
>
>
> /udhayakumar.
>