[squid-users] ssl-bump with url_regex [SOLVED]
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 24 20:30:38 UTC 2025
I do not think this solution is correct.
The SSL_Ports ACL should already contain "443". So the traffic was
**not** being blocked by this line:
"deny CONNECT !SSL_Ports"
AFAICS the lack of URL-path details on the CONNECT request was failing
to match the urlpath_regex ACL.
FYI;
While most of the time we think of Squid access controls as boolean
conditions, they actually have a tri-state logic (allow, deny, skip).
One option here instead of requiring that path to exist (allow X), is to
reject invalid paths (deny !X). Like so:
http_access deny src !path
.. in which case the other access controls later will handle the CONNECT
requests.
Another option is to allow all CONNECT attempts from the given client.
Like this:
http_access deny CONNECT !Safe_ports
http_access allow CONNECT src
.. in which case you rely on the ssl_bump rules to correctly handle the
CONNECT, and http_access to correctly handle the decrypted traffic.
Amos
On 25/02/25 06:22, BOISIAUD Jean-Yves wrote:
> Solution:
>
>
> It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way.
>
>
> Directive is too restrictive:
>
> http_access deny CONNECT !SSL_ports
>
>
> It works now with:
> http_access allow CONNECT safe_ports
>
> where safe ports are:
> 80, 443, 1025-65535 (maybe too large)
>
> ------------------------------------------------------------------------
> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> on
> behalf of BOISIAUD Jean-Yves <jyboisiaud-ext at ecritel.net>
> *Sent:* Monday 24 February 2025 16:38
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] ssl-bump with url_regex
>
> Hello,
>
>
> I am using Squid 5.7 on a Debian 12 system.
>
>
> I would like to grant only some given URL path for a site using HTTPS.
>
>
> For example, in the following configuration:
>
> ...
>
> http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
> cert=/etc/squid/certs/signingCA.crt \
> key=/etc/squid/certs/signingCA.key \
> tls-cafile=/etc/squid/certs/chain.pem \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=20MB \
> cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
> options=NO_TLSv1,NO_SSLv3 \
> tls-dh=prime256v1:/etc/squid/certs/dhparam.pem
>
> acl intermediate_fetching transaction_initiator certificate-fetching
>
> acl SSLBumpSites ssl::server_name www.example.com
>
> acl server src 192.168.1.1
>
> acl path urlpath_regex ^/valid_path/$
>
> ...
>
> http_access allow src path
>
> ...
>
> ssl_bump peek all
> ssl_bump bump SSLBumpSites
> ssl_bump splice all
>
> http_access deny all
>
> cache deny all
>
> Works with http (curl http://www.example.com/valid_path/):
> - TCP_MISS/200 467686 GET http://www.example.com/valid_path/ -
> HIER_DIRECT/151.101.122.132
>
> Does not work with HTTPS (curl https://www.example.com/valid_path/):
> - TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
> - NONE_NONE/403 3894 GET https://www.example.com/valid_path/ -
> HIER_NONE/- text/html -
>
> Other https requests work fine:
>
> - TCP_TUNNEL/200 - splice
>
>
> What is wrong in my configuration ?
>
>
> Thank you for your help.
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
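The tri-state behaviour Amos describes is easiest to see by stepping through the rules by hand. The following is an added illustration written for this page, not Squid source code and not anything either poster sent: a small model of http_access evaluation in which each ACL answers match, no-match or "dunno", a line containing a "dunno" ACL is skipped (negated or not), and the fallback when nothing matches is the opposite of the last line. It assumes that urlpath_regex answers "dunno" for a CONNECT request (which carries no URL path), which is the reading of Amos's diagnosis; the ACL names are taken from the thread, while the port lists, the 192.168.1.1 client and the sample requests are constructed, and the `http_access allow src` line in the second rule set stands in for the "other access controls later" that Amos leaves to the reader.

```python
# Toy model of Squid http_access evaluation with tri-state ACL results.
# Added example for this page; not Squid code and not the poster's config.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Result(Enum):
    MATCH = 1
    NOMATCH = 0
    DUNNO = -1  # ACL has nothing to test against; the whole line is skipped


@dataclass(frozen=True)
class Request:
    method: str
    host: str
    port: int
    path: Optional[str]  # None for CONNECT, which carries no URL path
    src: str


# Constructed ACL table using the names from the thread. The port sets and
# client address are assumptions, not the poster's actual squid.conf values.
SSL_PORTS = {443}
SAFE_PORTS = {80, 443} | set(range(1025, 65536))
CLIENT = "192.168.1.1"


def urlpath_regex(pattern: str) -> Callable[[Request], Result]:
    # Assumption: with no path to test (CONNECT), the ACL answers "dunno"
    # rather than "no match", so both "path" and "!path" skip the line.
    def check(r: Request) -> Result:
        if r.path is None:
            return Result.DUNNO
        return Result.MATCH if re.search(pattern, r.path) else Result.NOMATCH
    return check


ACLS: dict[str, Callable[[Request], Result]] = {
    "all": lambda r: Result.MATCH,
    "CONNECT": lambda r: Result.MATCH if r.method == "CONNECT" else Result.NOMATCH,
    "SSL_ports": lambda r: Result.MATCH if r.port in SSL_PORTS else Result.NOMATCH,
    "Safe_ports": lambda r: Result.MATCH if r.port in SAFE_PORTS else Result.NOMATCH,
    "src": lambda r: Result.MATCH if r.src == CLIENT else Result.NOMATCH,
    "path": urlpath_regex(r"^/valid_path/$"),
}


def parse_rules(config: str) -> list[tuple[str, list[tuple[bool, str]]]]:
    """Parse 'http_access allow|deny acl [!acl ...]' lines; ignore everything else."""
    rules = []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "http_access":
            continue
        terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
        rules.append((words[1], terms))
    return rules


def http_access(config: str, req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    last_action = "allow"  # so an empty rule list falls back to deny
    for action, terms in parse_rules(config):
        last_action = action
        verdict = Result.MATCH
        for negated, name in terms:  # ACLs on one line are ANDed
            res = ACLS[name](req)
            if res is Result.DUNNO:
                verdict = Result.DUNNO  # undecidable: skip this line entirely
                break
            if negated:
                res = Result.NOMATCH if res is Result.MATCH else Result.MATCH
            if res is Result.NOMATCH:
                verdict = Result.NOMATCH
                break
        if verdict is Result.MATCH:
            return action
    # Nothing matched: the default is the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


# Constructed sample requests mirroring the log lines quoted in the thread.
CONNECT_443 = Request("CONNECT", "www.example.com", 443, None, CLIENT)
GET_VALID = Request("GET", "www.example.com", 443, "/valid_path/", CLIENT)
GET_OTHER = Request("GET", "www.example.com", 443, "/other/", CLIENT)
CONNECT_22 = Request("CONNECT", "www.example.com", 22, None, CLIENT)

# Rule sets: the poster's original ordering, then Amos's two alternatives.
ORIGINAL = """
http_access deny CONNECT !SSL_ports
http_access allow src path
http_access deny all
"""
DENY_INVALID_PATHS = """
http_access deny CONNECT !SSL_ports
http_access deny src !path
http_access allow src
http_access deny all
"""
ALLOW_CONNECT = """
http_access deny CONNECT !Safe_ports
http_access allow CONNECT src
http_access allow src path
http_access deny all
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("deny !path", DENY_INVALID_PATHS),
                      ("allow CONNECT", ALLOW_CONNECT)):
        for req in (CONNECT_443, GET_VALID, GET_OTHER, CONNECT_22):
            print(f"{name:14} {req.method:8} {req.port:5} {req.path or '-':13}"
                  f" -> {http_access(cfg, req)}")
```

Under the original ordering the CONNECT line is skipped at `allow src path` and falls through to `deny all`, which is the TCP_DENIED/200 0 CONNECT in the log; the decrypted GET would have been allowed, but it is never reached. Both of Amos's variants let the CONNECT through and still deny a GET for any other path. With the second variant, remember that the GET is only ever checked because `ssl_bump bump` produced it; a spliced connection presents nothing but the CONNECT to http_access, so the path restriction does not apply to it.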