I answered your questions below. However, HTTPS traffic is still always being denied even though the site is on the allowed list via nobumpSites. I want to control HTTP/HTTPS traffic using the "allowed_domains" list. This current configuration works for HTTP but not HTTPS traffic. If there is an easier way to do this I am open to suggestions. This configuration, minus the peek/splice part, works fine in 3.4.2. Not sure what changed in 3.5 that causes this to fail.

> Date: Thu, 22 Oct 2015 00:59:36 +0600
> From: Yuri Voinov <yvoinov@xxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Squid 3.5.10 SSL Bump whitelist domains issue
> Message-ID: <5627E098.1000004@xxxxxxxxx>
> Content-Type: text/plain; charset="utf-8"
>
> First, you should put your configuration in order.
>
> 22.10.15 0:31, luizcasey@xxxxxxxxx writes:
>> Hello,
>> So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid, apache, or root then basically you will bypass squid and anything is allowed. This was working well on 3.4.2; however, once I moved to 3.5.10 it no longer works properly. I also noticed that there are "new" features, peek, splice etc., which is probably my issue since I was not using them. I have tried several combinations and have only gotten it to work for http traffic. All https traffic is currently being blocked by the configuration. Below are my configurations. I don't need to "inspect" any of the traffic, I just want to have a whitelist of allowed domains if you are not UID squid, apache, or root via http/https. Any help would be appreciated!!
>>
>> ##### Squid.conf
>>
>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. Completely.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
>> sslcrtd_children 50
>>
>> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
>> # HTTPS forward port
>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> HTTPS forward port: is this an SSL-bumped port, or what? Where, in this case, is the ssl-bump directive? On the other hand, you don't need to use cert/key for tunneling connections. This has been enabled by default for a long, long time.
>>
>> http_port 3401 transparent
> Here it must be "intercept" instead of transparent.
>>
>> always_direct allow all
> ^^^^^^^^^^^^^^ It's too much.
>>
>> cache deny all
> Are you really sure you want to completely disable all caching?
>>
>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?

Removed

>>
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.

Removed

>>
>> acl http proto http
>> acl https proto https
> Why is it here?

To only allow http and https proto

>>
>> acl port_80 port 80
>> acl port_443 port 443
> Why is it here?

To only allow port 80 and 443

>>
>> http_access allow http port_80 nobumpSites
>> http_access allow https port_443 nobumpSites
> Why is it here?

To only allow access to nobumpSites on port 80 and 443

>>
>> http_access deny all
>>
>> ##### allowed_domains
>> .cnn.com
>> .google.com
>> .facebook.com
>> ....etc
> ACL and, even more, access rule order is important. Just as in firewalls.
> What do you mean by "allowed_domains" and why is it here?
>>
>> #### squid log
>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>> TCP_MISS/200 593 GET http://www.cnn.com/
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
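The thread never shows the peek/splice rules the original poster says were added, and the quoted configuration tries to whitelist HTTPS with http_access rules that only see the destination IP before any TLS bytes have been read. The fragment below is an added example, not the poster's or Yuri's configuration, of how a Squid 3.5 "whitelist by SNI, never decrypt" layout is normally expressed: peek at step 1 to read the SNI, splice (tunnel) the whitelisted names, terminate everything else, and keep the dangerous certificate-error bypass at its default. The client subnet 192.0.2.0/24, the port name tls_in, the file path /etc/squid/allowed_domains and the ACL names allowed_http/allowed_tls are assumptions; the port numbers and certificate paths are taken from the thread.

```conf
# --- listeners (values from the thread; intercept, not transparent) ---
http_port  3401 intercept
# name= lets http_access tell intercepted TLS apart from anything else
https_port 4827 intercept ssl-bump name=tls_in \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

# Keep the default: never accept a broken upstream certificate.
# With splice there is no proxy-side TLS session at all, so neither
# "sslproxy_cert_error allow all" nor DONT_VERIFY_PEER has any business here.
sslproxy_cert_error deny all

# --- ACLs (192.0.2.0/24 and /etc/squid/allowed_domains are assumed) ---
acl localnet      src 192.0.2.0/24
acl CONNECT       method CONNECT
acl SSL_ports     port 443
acl Safe_ports    port 80 443
acl tls_intercept myportname tls_in
acl step1         at_step SslBump1
# Same one-domain-per-line file (".cnn.com" style) for both ACLs:
acl allowed_http  dstdomain        "/etc/squid/allowed_domains"
acl allowed_tls   ssl::server_name "/etc/squid/allowed_domains"

# --- http_access: plain HTTP is whitelisted here ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Intercepted TLS shows up as a fake CONNECT before any SNI is known,
# so admit it from the client subnet on the intercept port only and
# leave the domain decision to the ssl_bump rules below.
http_access allow localnet CONNECT tls_intercept
http_access allow localnet allowed_http
http_access deny all

# --- ssl_bump: HTTPS is whitelisted here, without decrypting anything ---
ssl_bump peek step1          # read the SNI from the ClientHello only
ssl_bump splice allowed_tls  # whitelisted name: tunnel the bytes untouched
ssl_bump terminate all       # anything else: close the connection
```

Two caveats worth knowing before relying on this. First, at SslBump1 no TLS data has been read yet, so ssl::server_name cannot match a domain there; that is why the domain test lives in the splice rule, which is evaluated at step 2 after the peek, and why http_access admits the fake CONNECT on source subnet and port rather than on destination name. Second, a client that sends no SNI gives the splice rule nothing to match and falls through to terminate, which is the conservative failure mode for a whitelist but will surface as "connection reset" rather than a 403 page, exactly as the TAG_NONE/403 line in the log shows no error page ever reached the browser.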