Hi,
James Lay just replied to me with his current config.. (pretty much like
what he posted), and it seems he does not even try to use http_access
rules to filter on urls from https requests..
@Amos: are you certain that there's not an error in how http_access
rules are applied to bumped connections?
What I noted was:
Instead of having:
http_access allow CONNECT bumpedPorts
he has:
http_access allow SSL_ports
which somehow seems to work instead.
He only uses http_access allow rules for http sites.. he filters https
on domain only - using:
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites
in my access log - using James Lay's format - Squid only logs CONNECT..
so it seems it's not registering the step AFTER CONNECT as something
separate - which would explain why it's not applying http_access
filtering to it?
10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:42:30 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28258 TCP_TUNNEL:ORIGINAL_DST peek
Amos Jeffries wrote on 06/05/2015 12:18 AM:
On 5/06/2015 3:34 a.m., Klavs Klavsen wrote:
I would be perfectly fine with allowing the SSL bumping to finish for
ALL https sites - and then only block when the http request comes..
I'm hoping someone can tell me what I've done wrong in my config.. I'm
obviously not understanding how it works when https is involved.. it
works as intended with http..
It should be working. I'm a bit confused myself now why that CONNECT
line would be matching the decrypted requests, they definitely should
not be having the CONNECT request method as they are destined to an
origin server.
We've missed something basic, and will probably kick ourselves at how
simple when it's revealed. :-(
All I can think of now is that James' log format should be indicating
more clearly what's going on than the default Squid one will.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
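As an added example (not from the thread or from Squid itself), a small Python check over access.log lines in the shape Klavs posted: it parses that format (the meaning of the fields after the request string is an assumption: SNI, an unused dash, HTTP status, bytes, Squid status:hierarchy, bump mode) and reports which SNI hosts only ever produced a CONNECT line, i.e. where no decrypted request ever reached the point at which http_access URL rules could match. The sample log lines are constructed; the third one is a hypothetical bumped request.

```python
import re
from collections import defaultdict

# Regex for the log line shape posted in the thread. The field meanings after
# the request string are an assumption: SNI, an unused dash, HTTP status, bytes,
# Squid status:hierarchy, and the ssl_bump mode for the connection.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<sni>\S+) \S+ (?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<squid_status>[^:\s]+):(?P<hier>\S+) (?P<bump>\S+)$'
)

# Constructed sample: the first two lines mirror the thread's observations, the
# third is a hypothetical entry showing what a decrypted (bumped) request would
# look like if Squid got past the CONNECT/peek stage.
SAMPLE_LOG = """\
10.0.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.0.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.0.131.244 - - [09/Jun/2015:08:42:30 +0200] "GET https://lwn.net/ HTTP/1.1" lwn.net - 200 4711 TCP_MISS:ORIGINAL_DST bump
"""

def parse_line(line):
    """Return the named fields of one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_decrypted_request(entry):
    """A decrypted request is what follows a successful bump: a non-CONNECT
    method with a full https:// URL, which is where http_access URL rules apply."""
    return entry["method"] != "CONNECT" and entry["url"].startswith("https://")

def summarize(log_text):
    """Per SNI host, count CONNECT tunnels vs decrypted requests seen in the log."""
    counts = defaultdict(lambda: {"tunnels": 0, "decrypted": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines in another format rather than guessing
        key = "decrypted" if is_decrypted_request(entry) else "tunnels"
        counts[entry["sni"]][key] += 1
    return dict(counts)

def tunnel_only_hosts(log_text):
    """Hosts for which Squid only ever logged the CONNECT: these never reached a
    point where http_access rules on the decrypted URL could have been applied."""
    summary = summarize(log_text)
    return sorted(h for h, c in summary.items() if c["decrypted"] == 0)
```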