On 9/06/2015 6:44 p.m., Klavs Klavsen wrote:
> Hi,
>
> James Lay just replied to me with his current config.. (pretty much like
> what he posted), and it seems he does not even try to use http_access
> rules to filter on urls from https requests..
>
> @Amos: are you certain that there's not an error in how http_access
> rules are applied to bumped connections?

As far as I know it's working as designed.

You can enable "debug_options 28,5" to see what access controls are being
run.

>
> What I noted was:
>
> Instead of having:
> http_access allow CONNECT bumpedPorts

... which matches only the pre-bumping CONNECT requests.

>
> he has:
> http_access allow SSL_ports

... which matches anything going to port 443 etc. *bumped or not.*

>
> which somehow seems to work instead.

The "working" config when applied to HTTPS requests is equivalent to:

  http_access deny CONNECT !SSL_Bump
  http_access allow all

>
> He only uses http_access allow rules for http sites..

Yes, read that back to yourself.

> he filters https
> on domain only - using:
> acl allowed_https_sites ssl::server_name_regex
> "/opt/etc/squid/http_url.txt"
> ssl_bump bump allowed_https_sites
> ssl_bump terminate !allowed_https_sites
>
> in my access log - using james lay's format - squid only logs CONNECT..
> so it seems it's not registering the step AFTER CONNECT as something
> separate - which would explain why it's not applying http_access
> filtering to it ?

The HTTP message log (access.log) is only logging the HTTP(S) messages.
The non-HTTP protocols are not logged.

>
> 10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT
> 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042
> TCP_TUNNEL:ORIGINAL_DST peek

This got peeked then spliced (not decrypted). There are no decrypted
messages to be logged or even to pass through http_access.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
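To illustrate the point Amos makes above, here is a squid.conf fragment (an added example for this page, not James Lay's config and not Amos's text) that puts the rule James Lay used beside the arrangement Amos describes. http_access is evaluated twice for a bumped site: once for the CONNECT, and again for every decrypted GET/POST that comes out of the bumped tunnel, which carries the real URL. The ACL names SSL_ports, CONNECT and allowed_https_sites and the file path are taken from the thread; allowed_urls, step1, the http_port line and the CA certificate path are assumptions made for this example.

```squid
# --- ACLs ---
acl SSL_ports port 443
acl CONNECT method CONNECT
# at_step SslBump1 = the client's CONNECT / ClientHello stage (standard Squid ACL type)
acl step1 at_step SslBump1
# domain list from the thread, matched on the TLS server name (SNI)
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
# ASSUMED: same list reused as a URL filter for the decrypted requests
acl allowed_urls url_regex "/opt/etc/squid/http_url.txt"

# ASSUMED listening port and CA; only the ssl-bump option matters here
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem

# --- Stage 1: the raw CONNECT tunnel request ---
# Only requests whose method is CONNECT can match these two lines, so a
# decrypted GET to port 443 falls through to the URL rules below.
http_access deny  CONNECT !SSL_ports
http_access allow CONNECT SSL_ports

# WEAK (what the thread describes James Lay running):
#   http_access allow SSL_ports
# matches on destination port alone, so the decrypted GET/POST inside a
# bumped tunnel is allowed here too and never reaches allowed_urls.

# --- Bumping decisions, applied after http_access permits the CONNECT ---
ssl_bump peek step1                  # read the SNI without decrypting
ssl_bump bump allowed_https_sites    # decrypt listed domains
ssl_bump terminate all               # close anything else (same effect as
                                     # "terminate !allowed_https_sites")

# --- Stage 2: plain HTTP and the decrypted HTTPS requests ---
# A bumped request arrives here as e.g. "GET https://www.google.dk/..."
# and is filtered on its full URL; a spliced tunnel never gets here.
http_access allow allowed_urls
http_access deny  all
```

With the weak rule, the CONNECT is logged and the tunnel is bumped, but the decrypted requests are allowed by port before any URL ACL runs, which is why filtering on URLs appears to do nothing. Amos's "debug_options 28,5" shows which of the two stages each request passes through. If you only ever see CONNECT entries with a TCP_TUNNEL status and no GET entries for a supposedly filtered domain, as in the log line quoted above, the connection was spliced rather than bumped and there was no decrypted request for http_access to check.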