On 5/06/2015 2:50 a.m., Klavs Klavsen wrote:
> Amos Jeffries wrote on 06/04/2015 04:19 PM:
>> On 5/06/2015 1:45 a.m., Klavs Klavsen wrote:
>>> after moving it here:
>>>
>>> http_access allow okweb-urls testsrv1
>>> http_access allow CONNECT bumpedPorts
>>> http_access deny all
>>>
>>> it still allows everything..
>>
>> Sigh. Sorry I must be half asleep right now.
>>
>> Your rules say:
>>
>> allow ...
>> allow ...
>> allow ...
>>
>> So why would anything be denied?
>>
>
> last line says: deny all
>
> and it works for http urls.. it denies the websites not listed in
> testurls for testsrv1.

Okay. Those *are* the decrypted messages. What you just said there tells me
that your ACLs are working correctly.

Picture me confused. :-O

>
>>
>> Secondly, the log line you pointed out was for peek operation. URL (for
>> url_regex ACLs to match) is not known or available until bumping
>> (specifically the full "bump" action) has been completed.
>>
> but the "allow CONNECT" line, seems to make it skip the
> http_access deny all
>
> at the bottom.. (and not parse the allows in between which should be the
> ones allowing certain websites on https as well..
>
> do I need to change:
> ssl_bump bump all
>
> to list every https site
> acl ok-httpsurls url_regex ^https://www.google.dk/$
> ssl_bump bump ok-httpsurls
> ssl_bump reject !ok-httpsurls

Er, yes. The scheme is assumed to be https:// due to TLS existence, the
domain is given in SNI. But the URL path is still private/encrypted. So
the URL will never match any pattern with path component, and is
unlikely to even attempt matching in current Squid.

>
> (so I can only use http_access for http intercept and must use ssl_bump
> for https urls) ?
>

https:// URL requests will be passed by http_access like any other
traffic, but with the caveat that it happens only after the connection
has already been/being decrypted. AKA *after* "ssl_bump bump ..." has
been matched.

Amos
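
The split described in the reply above, sketched as a squid.conf fragment: ssl_bump decides on the SNI server name, and http_access applies url_regex only to requests that have already been bumped. This is an added example, not configuration posted in the thread; the `step1` and `ok_sni` ACLs, the `testsrv1` address and the `okweb-urls` pattern are assumptions, and it relies on the `at_step` and `ssl::server_name` ACL types of Squid 3.5 and later.

```conf
# Constructed example: ACL definitions below are assumptions, not the poster's.
acl testsrv1 src 192.0.2.10          # constructed client address
acl bumpedPorts port 443
acl step1 at_step SslBump1

# Before decryption only the TLS SNI server name is known, not a URL path.
acl ok_sni ssl::server_name www.google.dk

# Full URLs can be matched only on requests decrypted by "ssl_bump bump".
acl okweb-urls url_regex ^https://www\.google\.dk/

# 1. Read the TLS ClientHello (and its SNI) without committing to an action.
ssl_bump peek step1
# 2. Decrypt only connections whose SNI is on the allowed list.
ssl_bump bump ok_sni
# 3. Close every other TLS connection without decrypting it.
ssl_bump terminate all

# The CONNECT request has no URL path, so it is matched by port and client,
# not by url_regex.
http_access allow CONNECT bumpedPorts testsrv1
# Decrypted https:// requests (and plain http:// ones) are checked here.
http_access allow okweb-urls testsrv1
http_access deny all
```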