Hello,

So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid, apache, or root then basically you will bypass squid and anything is allowed. This was working well on 3.4.2; however, once I moved to 3.5.10 it no longer works properly. I also noticed that there are "new" features (peek, splice, etc.) which is probably my issue since I was not using them. I have tried several combinations and have only gotten it to work for http traffic. All https traffic is currently being blocked by the configuration. Below are my configurations. I don't need to "inspect" any of the traffic, just want to have a whitelist of allowed domains if you are not UID squid, apache, or root via http/https. Any help would be appreciated!!

##### IPTABLES

$iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target           prot opt source    destination

Chain POSTROUTING (policy ACCEPT)
target           prot opt source    destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source    destination
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match squid
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match apache
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match root
REDIRECT         tcp  --  anywhere  anywhere     tcp dpt:http redir ports 3401
REDIRECT         tcp  --  anywhere  anywhere     tcp dpt:https redir ports 4827

Chain natoutlogaccept (3 references)
target           prot opt source    destination
LOG              all  --  anywhere  anywhere     LOG level debug prefix `nat out iptables accept '
ACCEPT           all  --  anywhere  anywhere

##### Squid.conf

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50
https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
# HTTPS forward port
https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 transparent
# HTTP forward port
http_port 127.0.0.1:6886
logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid
always_direct allow all
cache deny all
cache_dir ufs /home/squid/cache 100 16 256
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/allowed_domains/allowed_domains"
ssl_bump peek step1 all
ssl_bump splice nobumpSites
ssl_bump bump
acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443
http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites
http_access deny all

##### allowed_domains

.cnn.com
.google.com
.facebook.com
....etc

#### squid log

TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
TCP_MISS/200 593 GET http://www.cnn.com/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
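A whitelist like the one in the post is only as good as the evidence that Squid actually enforces it, and the two access.log lines quoted above are exactly the evidence a defender would want to check at scale. The script below is an added example, not part of the post or of Squid; it parses access.log lines written with the post's custom `logformat squid` line (`%tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt`), extracts the requested host (from the URL for plain HTTP, from the `host:port` target for CONNECT/tunnelled HTTPS), and compares it against an allowed_domains file using the leading-dot suffix rule of Squid's dstdomain-style ACLs (`.cnn.com` matches `cnn.com` and every subdomain, an entry without a leading dot matches exactly). It reports two kinds of mismatch: requests that were served (2xx/3xx) although the host is not whitelisted, which would indicate a bypass of the policy, and requests to whitelisted hosts that were denied, which is the symptom described in the post. The log lines and the allowlist in the block are constructed sample data in that format, not log output from the poster's system.

```python
"""Audit a Squid access.log (custom format from the squid-users post) against a
domain allowlist. Added example; the sample log lines and allowlist below are
constructed, not taken from any real system."""
from urllib.parse import urlsplit

# Constructed sample lines in the post's logformat:
# %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
# Peer addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
15/Nov/2015:10:22:01 -0500.118     12 127.0.0.1 TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
15/Nov/2015:10:22:03 -0500.402    231 127.0.0.1 TCP_MISS/200 593 GET http://www.cnn.com/ - HIER_DIRECT/198.51.100.25 text/html
15/Nov/2015:10:22:05 -0500.007    180 127.0.0.1 TCP_TUNNEL/200 4210 CONNECT www.google.com:443 - HIER_DIRECT/198.51.100.36 -
15/Nov/2015:10:22:09 -0500.550     95 127.0.0.1 TCP_MISS/200 1200 GET http://unlisted.example.net/x - HIER_DIRECT/203.0.113.9 text/html
15/Nov/2015:10:22:11 -0500.021     40 127.0.0.1 TCP_MISS/200 800 GET http://notcnn.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

# Constructed allowed_domains file, same syntax as the post's (one entry per line).
SAMPLE_ALLOWLIST = """\
.cnn.com
.google.com       # leading dot: domain itself plus all subdomains
.facebook.com
"""


def load_allowlist(text):
    """Parse an allowed_domains file: one entry per line, '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            entries.append(entry.lower())
    return entries


def domain_allowed(host, allowlist):
    """Squid dstdomain-style match: '.example.com' covers example.com and any
    subdomain; an entry without a leading dot must match the host exactly.
    Note that '.cnn.com' does NOT match 'notcnn.com'."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def parse_line(line):
    """Split one access.log line in the post's format into a dict.
    %tl contains a space (date + timezone), so the timestamp spans two tokens."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    status_tag, _, http_status = parts[4].partition("/")
    return {
        "time": parts[0] + " " + parts[1],
        "elapsed_ms": int(parts[2]),
        "client": parts[3],
        "status_tag": status_tag,
        "http_status": int(http_status),
        "bytes": int(parts[5]),
        "method": parts[6],
        "url": parts[7],
        "user": parts[8],
        "hierarchy": parts[9],
        "mime": parts[10],
    }


def request_host(rec):
    """CONNECT targets are 'host:port'; everything else carries a full URL."""
    if rec["method"] == "CONNECT":
        host, _, _ = rec["url"].rpartition(":")
        return host or rec["url"]
    return urlsplit(rec["url"]).hostname or ""


def audit(log_text, allowlist):
    """Return (finding, host, url) tuples for every policy/log mismatch."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = request_host(rec)
        allowed = domain_allowed(host, allowlist)
        served = 200 <= rec["http_status"] < 400
        if served and not allowed:
            findings.append(("ALLOWED_NOT_WHITELISTED", host, rec["url"]))
        elif not served and allowed:
            findings.append(("BLOCKED_BUT_WHITELISTED", host, rec["url"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, load_allowlist(SAMPLE_ALLOWLIST)):
        print("%-24s %-24s %s" % finding)
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file contents and `SAMPLE_ALLOWLIST` with the allowed_domains file; a non-empty list of `ALLOWED_NOT_WHITELISTED` findings for a UID that is supposed to go through the proxy is the signal worth alerting on, while `BLOCKED_BUT_WHITELISTED` findings for HTTPS hosts point at the ssl_bump/http_access interaction rather than at the allowlist contents.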