[squid-users] ssl-bump with url_regex [SOLVED]
BOISIAUD Jean-Yves
jyboisiaud-ext at ecritel.net
Mon Feb 24 17:22:36 UTC 2025
Solution:
It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way.
Directive is too restrictive:
http_access deny CONNECT !SSL_ports
It works now with:
http_access allow CONNECT safe_ports
where safe ports are:
80, 443, 1025-65535 (maybe too large)
________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of BOISIAUD Jean-Yves <jyboisiaud-ext at ecritel.net>
Sent: Monday, 24 February 2025 16:38
To: squid-users at lists.squid-cache.org
Subject: [squid-users] ssl-bump with url_regex
Hello,
I am using Squid 5.7 on a Debian 12 system.
I would like to grant only some given URL path for a site using HTTPS.
For example, in the following configuration:
...
http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
cert=/etc/squid/certs/signingCA.crt \
key=/etc/squid/certs/signingCA.key \
tls-cafile=/etc/squid/certs/chain.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=20MB \
cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
options=NO_TLSv1,NO_SSLv3 \
tls-dh=prime256v1:/etc/squid/certs/dhparam.pem
acl intermediate_fetching transaction_initiator certificate-fetching
acl SSLBumpSites ssl::server_name www.example.com
acl server src 192.168.1.1
acl path urlpath_regex ^/valid_path/$
...
http_access allow src path
...
ssl_bump peek all
ssl_bump bump SSLBumpSites
ssl_bump splice all
http_access deny all
cache deny all
Works with http (curl http://www.example.com/valid_path/):
- TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132
Does not work with HTTPS (curl https://www.example.com/valid_path/):
- TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
- NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -
Other https requests work fine:
- TCP_TUNNEL/200 - splice
What is wrong in my configuration?
Thank you for your help.
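To spot this symptom in a whole access.log rather than by eye, here is a small log checker (an added example, not code from the thread or from the Squid project). It assumes a custom logformat whose last field is %ssl::bump_mode, as the "bump"/"splice" suffix in the quoted lines suggests; the sample lines are constructed to match the shape of those excerpts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines shaped like the excerpts in the thread (assumes a
# custom logformat ending in %ssl::bump_mode; the native format lacks it).
SAMPLE_LOG = """\
TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -
TCP_TUNNEL/200 3211 CONNECT other.example.net:443 - HIER_DIRECT/203.0.113.5 - splice
TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132 text/html -
TCP_DENIED/200 0 CONNECT intranet.example.com:8443 - HIER_NONE/- - bump
"""

LINE_RE = re.compile(
    r"^(?P<code>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<bump>\S+)$"
)

def parse_line(line):
    """Split one log line into fields; CONNECT targets are host:port, others are URLs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
    else:
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    rec["host"], rec["port"] = host, int(port)
    return rec

def denied_connects(log_text, ssl_ports=frozenset({443})):
    """Return (host, port, port_in_ssl_ports) for every denied CONNECT.

    A CONNECT denied even though its port is in ssl_ports is the thread's
    symptom: an http_access rule rejects the tunnel before ssl_bump can
    peek at it, so the decrypted GET never reaches the urlpath_regex ACL.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and rec["code"] == "TCP_DENIED":
            found.append((rec["host"], rec["port"], rec["port"] in ssl_ports))
    return found
```

Entries flagged with port_in_ssl_ports False point at the port ACLs instead; widening Safe_ports to 1025-65535, as in the solution above, makes every such entry vanish, which is why that range deserves a second look.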