On 15/10/2015 7:25 p.m., Бараблин Дмитрий wrote:
> Hello all!
>
> I'm trying to configure squid 3.5.8 as intercept with Whitelist ACLs on
> HTTP and HTTPS.
>
> This is my config:
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl whitelist dstdom_regex -i "/etc/squid/whitelist"
<snip>
> acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
> http_port 10.0.0.185:3128 intercept
> http_port 10.0.0.185:3130
> https_port 10.0.0.185:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
> always_direct allow all

You can remove the always_direct line. It was a temporary hack for bugs in
squid-3.1. It does nothing useful in your config.

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist_ssl
> ssl_bump peek whitelist_ssl
> ssl_bump terminate all
>

Configuring peeking to happen *after* splicing does not make any sense.
The "peek whitelist_ssl" will never happen.

>
> This config works nicely with HTTPS sites, but HTTP is not filtered.

"filtered http"? You don't have anything configured that could even
remotely be called that.

> When I added "http_access allow localnet whitelist", it stopped all sites.
>
> whitelist & whitelist_ssl - both files have some contents, like:
>
> \.google-analytics\.com
> \.googleapis\.com
> \.google\.com
> \.googleusercontent\.com
> \.gstatic\.com
>
> Please tell me what I'm doing wrong!
>

At a guess, I believe you are expecting ssl-bump operations to happen on
the CONNECT requests in the port 3128 or 3130 traffic. But you have not
configured it to be done on those ports.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
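The dead rule Amos points out ("peek whitelist_ssl" can never be reached because "splice whitelist_ssl" is tested first) follows from ssl_bump being a first-match list. The linter below is an added example, not code from this thread or from Squid; it flags such shadowed rules under the single assumption that rules are tried top to bottom with literal ACL-name comparison, and the SAMPLE_CONF it checks is a constructed copy of the quoted ssl_bump section.

```python
"""Flag unreachable ssl_bump rules under Squid's first-match evaluation.

Assumption: rules are tried top to bottom and the first whose ACLs all match
wins, so a later rule is dead when an earlier rule's ACL set is a subset of
its own, or when an earlier rule is a catch-all. ACL names are compared as
literal tokens; per-step (at_step) semantics are not modelled.
"""
import shlex

# Constructed from the ssl_bump section quoted in the thread.
SAMPLE_CONF = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump peek whitelist_ssl
ssl_bump terminate all
"""
# The same rules with the dead line removed, as the reply implies.
FIXED_CONF = "\n".join(ln for ln in SAMPLE_CONF.splitlines()
                       if ln != "ssl_bump peek whitelist_ssl")


def parse_ssl_bump(conf):
    """Return (line_no, action, acl_set) for every ssl_bump directive."""
    rules = []
    for no, raw in enumerate(conf.splitlines(), 1):
        parts = shlex.split(raw.split("#", 1)[0])
        if len(parts) < 2 or parts[0] != "ssl_bump":
            continue
        # 'all' is a catch-all, so an empty ACL set means "matches everything".
        rules.append((no, parts[1], frozenset(parts[2:]) - {"all"}))
    return rules


def find_unreachable(conf):
    """Describe each ssl_bump rule that can never be selected."""
    problems = []
    rules = parse_ssl_bump(conf)
    for i, (no, action, acls) in enumerate(rules):
        for prev_no, prev_action, prev_acls in rules[:i]:
            if prev_acls <= acls:
                why = "a catch-all" if not prev_acls else "the same or a broader match"
                label = " ".join(sorted(acls)) or "all"
                problems.append(f"line {no}: 'ssl_bump {action} {label}' is shadowed "
                                f"by line {prev_no} ('{prev_action}', {why})")
                break
    return problems


if __name__ == "__main__":
    print("\n".join(find_unreachable(SAMPLE_CONF)) or "no unreachable ssl_bump rules")
```

Run against the quoted section it reports exactly the "peek whitelist_ssl" line; the same check passes once that line is dropped.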