First, you should put your configuration in order.

22.10.15 0:31, luizcasey@xxxxxxxxx writes:
> Hello,
> So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid, apache, or root then basically you will bypass squid and anything is allowed. This was working well on 3.4.2, however once I moved to 3.5.10 it no longer works properly. I also noticed that there are "new" features, peek, splice etc., which is probably my issue since I was not using them. I have tried several combinations and have only gotten it to work for http traffic. All https traffic is currently being blocked by the configuration. Below are my configurations. I don't need to "inspect" any of the traffic, just want to have a whitelist of allowed domains if you are not UID squid, apache, or root via http/https. Any help would be appreciated!!
>
>
> ##### Squid.conf
>
> sslproxy_cert_error allow all

This setting is DANGEROUS. Don't use it in production. Ever.

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
> # HTTPS forward port
> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

HTTPS forward port: is this an SSL Bumped port, or what? Where, in this case, is the ssl-bump directive? On the other hand, you don't need to use cert/key for tunneling connections. This has been enabled by default for a long, long time.

>
> http_port 3401 transparent

Here must be "intercept" instead of "transparent".

>
> always_direct allow all

^^^^^^^^^^^^^^ It's too much.

>
> cache deny all

Are you really sure you want to completely disable all caching?

>
> cache_dir ufs /home/squid/cache 100 16 256

Why, in this case, do you define an on-disk cache?

>
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3

This is completely unnecessary. You don't use it below.

>
> acl http proto http
> acl https proto https

Why is it here?

>
> acl port_80 port 80
> acl port_443 port 443

Why is it here?

>
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites

Why is it here?

>
> http_access deny all
>
> ##### allowed_domains
> .cnn.com
> .google.com
> .facebook.com
> …etc

ACL order and, even more, access rule order is important. Just as in firewalls.

What do you mean by "allowed_domains" and why is it here?

>
> #### squid log
> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> TCP_MISS/200 593 GET http://www.cnn.com/
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
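The reply's points (intercept ports, ACLs defined before the rules that use them, ordered access rules, no `sslproxy_cert_error allow all`, no on-disk cache) collected into one splice-only whitelist config. This is an added example, not the poster's config, the replier's, or a Squid project reference; it assumes Squid 3.5, the whitelist file path and port name used below, and that the UID-based bypass for squid/apache/root is done in the host's redirect rules, outside squid.conf.

```squid
# Added example for Squid 3.5 (not the poster's or the project's config).
# Goal: whitelist domains for intercepted HTTP and HTTPS without decrypting
# anything. Assumes the paths and the port name below; the UID bypass for
# squid/apache/root lives in the host's redirect rules, not here.

# Ports: "intercept", not the old "transparent" keyword. ssl-bump is needed
# on the HTTPS port for ssl_bump rules to run; with splice/terminate only,
# no generate-host-certificates, sslcrtd_program or sslproxy_cert_error.
http_port  3401 intercept
https_port 4827 intercept ssl-bump name=tls_intercept cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

# ACLs come before any rule that uses them. One whitelist file
# (one domain per line, e.g. .cnn.com) feeds two ACL types:
# dstdomain for plain HTTP, ssl::server_name for the TLS SNI.
acl step1         at_step SslBump1
acl allowed_http  dstdomain        "/etc/squid/allowed_domains"
acl allowed_sni   ssl::server_name "/etc/squid/allowed_domains"
acl tls_intercept myportname tls_intercept

# Access rules are first-match. An intercepted TLS connection first shows
# up as a fake CONNECT to ip:443, before the SNI is known; dstdomain cannot
# match it, and if http_access denies it the ssl_bump rules never run.
# Let only those fake CONNECTs (built-in CONNECT ACL, intercept port only)
# through; the ssl_bump rules below enforce the whitelist for them.
http_access allow CONNECT tls_intercept
http_access allow allowed_http
http_access deny all

# HTTPS: peek at the ClientHello, pass a whitelisted SNI through untouched,
# close every other connection (including ones without SNI). Nothing is
# ever bumped, so no client needs to trust a proxy CA.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all

# No caching at all, so no cache_dir either.
cache deny all
```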