ssl/acl problem with cache_peers

Hi all, I'm posting about an SSL/ACL problem.

In my configuration I have two proxies: an internal proxy (used by internal users) that serves internal websites and escalates (cache_peer) to another, external proxy when it needs to go outside.

My problem is that an internal server now needs to reach an external website (via SSL/HTTPS), but I need to filter the access to just some paths (the internal server will contact the internal Squid, which should use the cache_peer to reach the "external" site).

From what I've learnt about Squid, the way to filter paths with the HTTPS protocol is to use the ssl_bump directive. Actually, I've already configured the internal Squid with ssl_bump (I've just upgraded to 3.3.7):

    http_port   host11.domain.com:9999 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/path..../squid-CA.pem

    .
    .
    .
    # SSL Bump Start
    ###################
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslcrtd_program /path..../ssl_crtd -s /path..../ssl_db -M 8MB
    sslcrtd_children 5

    acl src_test        src           222.222.222.222
    acl to_test_domain  dstdomain     server1.test.com
    acl to_test_regex   url_regex     ^https://server1.test.com/path1/
    http_access allow to_test_domain  CONNECT
    http_access allow src_test        to_test_regex
    # Routing with Bump
    cache_peer_access host21.domain.com allow to_test_domain
    cache_peer_access host22.domain.com allow to_test_domain
    ssl_bump        server-first  to_test_bump

    # SSL Bump Finish
    ###################
    ssl_bump    none  all
    .
    .
    .

After some tests I realized that ssl_bump works only when Squid connects directly to websites but doesn't work when used with cache_peers. Is that right?

What would be the best way to achieve my goal? Should I configure ssl_bump on the external Squid (I would prefer to do it on the internal one, to keep the outside Squid config as simple as possible)? Actually, to use the "url_regex" ACL to filter the path of an HTTPS site I have also opened the CONNECT method to the whole site... Is this the right method to filter paths on an HTTPS website?

Kind regards,
Daniel Hubeli
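As an added example (not part of the original post and not taken from the Squid documentation), here is the internal proxy's bump and path-filter section rewritten with the weak settings commented out beside tightened ones. The CA bundle path, the `SSL_ports` and `CONNECT` ACL definitions, and the assumption that a final `http_access deny all` follows in the elided part of squid.conf are all assumptions; the hostnames and the client address are the ones from the post. Directives used are those available in Squid 3.3.

```squid
# Added example, not the poster's configuration. Paths and the
# SSL_ports/CONNECT ACLs are assumptions.

# Weak: the bumping proxy accepts any origin certificate and bypasses
# every validation error. It will then re-sign a forged upstream
# certificate with squid-CA.pem, so the internal server gets no TLS
# authentication of server1.test.com at all.
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
# Tightened: verify the origin against a trusted CA bundle and let
# certificate errors fail the connection instead of being bypassed.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt   # assumed path

acl CONNECT        method    CONNECT
acl SSL_ports      port      443
acl src_test       src       222.222.222.222
acl to_test_domain dstdomain server1.test.com
# Dots escaped so the regex cannot also match e.g. server1-test.com/path1/
acl to_test_regex  url_regex ^https://server1\.test\.com/path1/

# Weak: any client may CONNECT to server1.test.com on any port.
#http_access allow to_test_domain CONNECT
# Tightened: only the internal server, and only to port 443. The CONNECT
# request exposes just host:port, so this is the only check possible on
# the tunnel itself.
http_access allow src_test to_test_domain CONNECT SSL_ports

# These two lines are evaluated for the decrypted (bumped) requests, which
# carry the full https:// URL that url_regex matches. Other paths under
# the domain are denied explicitly rather than relying on what follows.
http_access allow src_test to_test_regex
http_access deny  to_test_domain

# Bump only the tunnel to the filtered host; leave other TLS untouched.
ssl_bump server-first to_test_domain
ssl_bump none all
```

The path filter still only works on traffic Squid actually decrypts: the `url_regex` line never sees a CONNECT, so without the bump the `http_access deny to_test_domain` line would also block the tunnel. Keep the `sslproxy_cafile` line pointed at a bundle the proxy host trusts, otherwise every bumped connection fails closed rather than silently falling back to the weak settings.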



