[squid-users] SSL_Bump: Unexpected decryption of non-whitelisted domains

Alex Rousskov rousskov at measurement-factory.com
Tue May 27 13:49:41 UTC 2025


On 2025-05-27 08:47, 中山稀斗 wrote:
> Dear Squid-Users,
> 
> I’m configuring SSL_Bump to decrypt only a specific list of domains and 
> to splice (pass through encrypted) all others, but I’m seeing 
> non-whitelisted domains still being decrypted.
> 
> ### Observed behavior (access log excerpt):
> 26.56.128.144 - - [27/May/2025:18:35:17 +0900] "CONNECT mariadb.org:443 
> HTTP/1.1" 200 0 TCP_DENIED:HIER_NONE
> 26.56.128.144 - - [27/May/2025:18:35:17 +0900] "GET 
> https://mariadb.org/donate/ HTTP/1.1" 403 
> 4076 NONE_NONE:HIER_NONE
> 
> Although CONNECT is supposed to be denied at step1,

When Squid is configured to deny a CONNECT request at step1, it bumps 
the client-to-Squid connection after receiving such a banned CONNECT 
request, waits for the client GET (or equivalent) request on the bumped 
connection, and then responds with an Access Denied error to the client. 
This behavior was implemented because most browsers refuse to show 
CONNECT errors to users; they only show GET errors.

If you do not like this behavior, you may, for example, configure your 
Squid to allow CONNECTs to servers that should be spliced.


HTH,

Alex.


> Squid first responds 
> with “200 OK” (and presents a self-signed certificate), then the client 
> issues a GET which finally returns 403.
> 
> ### My ssl_bump configuration:
> 
> acl step1 at_step SslBump1
> acl bump_domains ssl::server_name "/home/user001/ssl_bump/ssl_bump_domain"
> 
> ssl_bump peek step1
> ssl_bump splice step2 !bump_domains
> ssl_bump bump step2 bump_domains
> ssl_bump splice step3 all
> 
> Could you please advise why non-whitelisted domains are still being 
> bumped and how to properly prevent this behavior?
> 
> Thank you for your assistance.
> 
> Best regards,
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
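Below is an added squid.conf fragment illustrating the two http_access arrangements discussed in this thread; it is not from the original post or from the Squid project. It reuses the poster's ACL names and domain-list path, while the "before" rules are a hypothetical reconstruction of a configuration that produces the logged TCP_DENIED/NONE_NONE pair, and the localnet ACL and its 192.0.2.0/24 range are constructed placeholders.

```conf
# --- ACLs (step1/bump_domains are the poster's; the rest are added here) ---
acl localnet src 192.0.2.0/24          # placeholder client network, replace with your own
acl SSL_ports port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl bump_domains ssl::server_name "/home/user001/ssl_bump/ssl_bump_domain"

# --- BEFORE (hypothetical): CONNECT only allowed to bump_domains ---
# At step1 ssl::server_name is the CONNECT target host, so a CONNECT to
# mariadb.org is denied here (TCP_DENIED:HIER_NONE). Squid then bumps the
# client connection anyway, waits for the GET, and answers it with the 403
# page (NONE_NONE:HIER_NONE) so that the browser can display the error.
#http_access allow CONNECT bump_domains
#http_access deny CONNECT

# --- AFTER: let CONNECT through for every TLS target, decide at step2 ---
# No CONNECT is denied at step1, so no error-reporting bump happens and
# non-listed domains are spliced untouched. The http_access rules below the
# CONNECT line are re-evaluated for each decrypted request, and only
# bumped tunnels (i.e. bump_domains) ever produce such requests.
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports localnet
http_access allow localnet
http_access deny all

# --- ssl_bump rules, unchanged from the original post ---
ssl_bump peek step1
ssl_bump splice step2 !bump_domains
ssl_bump bump step2 bump_domains
ssl_bump splice step3 all
```

With the "after" rules a CONNECT to a non-listed host is logged as a TCP_TUNNEL entry instead of TCP_DENIED, and the client sees the origin server's real certificate rather than a Squid-generated one. The trade-off is that a spliced tunnel cannot be filtered by URL at all, so any host you actually want to block, rather than splice, must be handled by a rule that does not rely on denying the CONNECT at step1.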


