[squid-users] ssl-bump with url_regex
BOISIAUD Jean-Yves
jyboisiaud-ext at ecritel.net
Mon Feb 24 15:38:54 UTC 2025
Hello,
I am using Squid 5.7 on a Debian 12 system.
I would like to grant only some given URL path for a site using HTTPS.
For example, in the following configuration:
...
http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
cert=/etc/squid/certs/signingCA.crt \
key=/etc/squid/certs/signingCA.key \
tls-cafile=/etc/squid/certs/chain.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=20MB \
cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
options=NO_TLSv1,NO_SSLv3 \
tls-dh=prime256v1:/etc/squid/certs/dhparam.pem
acl intermediate_fetching transaction_initiator certificate-fetching
acl SSLBumpSites ssl::server_name www.example.com
acl server src 192.168.1.1
acl path urlpath_regex ^/valid_path/$
...
http_access allow server path
...
ssl_bump peek all
ssl_bump bump SSLBumpSites
ssl_bump splice all
http_access deny all
cache deny all
Works with http (curl http://www.example.com/valid_path/):
- TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132
Does not work with HTTPS (curl https://www.example.com/valid_path/):
- TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
- NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -
Other https requests work fine:
- TCP_TUNNEL/200 - splice
What is wrong in my configuration?
Thank you for your help.
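The access log above shows the sequence that explains the failure: the CONNECT for www.example.com:443 is denied (TCP_DENIED/200 ... bump), Squid still bumps the tunnel so it can deliver an error page, and the decrypted GET is then answered with the 403 (NONE_NONE/403). A CONNECT request carries only host:port and no URL path, so a urlpath_regex ACL can never match it, and the request falls through to "http_access deny all". The path ACL can only be evaluated on the decrypted request that appears after the bump. The fragment below is an added example, not the poster's configuration: it reuses the ACL names from the message (SSLBumpSites, server, path) and adds an assumed "CONNECT" method ACL so the tunnel to the bumped site is permitted first and the path restriction is applied to the decrypted request second.

```conf
# Added example (not from the original post). Assumes the same ACL names
# as the message plus a "CONNECT" method ACL.
acl CONNECT method CONNECT
acl SSLBumpSites ssl::server_name www.example.com
acl server src 192.168.1.1
acl path urlpath_regex ^/valid_path/$

# Step 1: the CONNECT request has no URL path, so "path" cannot match it.
# Allow the tunnel only from the permitted client and only to the site
# that will be bumped; ssl::server_name matches the CONNECT host here.
http_access allow server CONNECT SSLBumpSites

# Step 2: after the bump the decrypted GET is evaluated again with its
# full URL (https://www.example.com/valid_path/), so "path" now applies
# and every other path on the bumped site is denied below.
http_access allow server path
http_access deny all

cache deny all

# Decide how to handle the TLS tunnel: bump only the restricted site,
# pass everything else through untouched.
ssl_bump peek all
ssl_bump bump SSLBumpSites
ssl_bump splice all
```

Keep the two http_access rules in this order, since http_access stops at the first match. Any other HTTPS destinations that should keep being spliced still need their own CONNECT allow rule before "deny all", as they did in the original configuration. Run "squid -k parse" after editing to confirm the ACL names and ssl_bump actions are accepted before reloading.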