Show us access.log/cache.log for denied HTTPS sites. All other config quirks will remain your responsibility - Amos will come and explain when I/you are wrong. ;)

22.10.15 1:52, luizcasey@xxxxxxxxx wrote:
> I answered your questions below. However https traffic is still always being denied even though the site is on the allowed_list via nobumpSites.
> I want to control http/https traffic using the "allowed_domains" list. This current configuration works for HTTP but not HTTPS traffic.
>
> If there is an easier way to do this I am open to suggestions. This configuration minus the peek/splice part works fine in 3.4.2. Not sure what changed in 3.5 that causes this to fail.
>
>
>> Date: Thu, 22 Oct 2015 00:59:36 +0600
>> From: Yuri Voinov <yvoinov@xxxxxxxxx>
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: Squid 3.5.10 SSL Bump whitelist domains issue
>> Message-ID: <5627E098.1000004@xxxxxxxxx>
>> Content-Type: text/plain; charset="utf-8"
>>
>>
> First, you should put your configuration in order.
>
> 22.10.15 0:31, luizcasey@xxxxxxxxx wrote:
> >>> Hello,
> >>> So what I am trying to accomplish here is to basically have a whitelist of domains that is allowed via http/https. If the UID is squid, apache, or root then basically you will bypass squid and anything is allowed. This was working well on 3.4.2, however once I moved to 3.5.10 it no longer works properly. I also noticed that there are "new" features peek, splice etc. which is probably my issue since I was not using them. I have tried several combinations and have only gotten it to work for http traffic. All https traffic is currently being blocked by the configuration. Below are my configurations. I don't need to "inspect" any of the traffic, I just want to have a whitelist of allowed domains if you are not UID squid, apache, or root via http/https. Any help would be appreciated !!
> >>>
> >>>
> >>> ##### Squid.conf
> >>>
> >>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. Completely.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >>>
> >>> sslproxy_flags DONT_VERIFY_PEER
> >>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> >>> sslcrtd_children 50
> >>>
> >>> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
> >>> # HTTPS forward port
> >>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> HTTPS forward port: is this an SSL Bumped port, or what? Where, in this case, is the ssl-bump directive? On the other hand, you don't need to use cert/key for tunneling connections. This has been enabled by default for a long, long time.
> >>>
> >>>
> >>> http_port 3401 transparent
> Here must be "intercept" instead of transparent.
> >>>
> >>>
> >>> always_direct allow all
> ^^^^^^^^^^^^^^ It's too much.
> >>>
> >>> cache deny all
> Are you really sure you want to completely disable all caching?
> >>>
> >>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?
> > Removed
> >>>
> >>>
> >>> acl step2 at_step SslBump2
> >>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.
> > Removed
> >>>
> >>>
> >>> acl http proto http
> >>> acl https proto https
> Why is it here?
> > To only allow http and https proto
> >>>
> >>>
> >>> acl port_80 port 80
> >>> acl port_443 port 443
> Why is it here?
> > To only allow port 80 and 443
> >>>
> >>>
> >>> http_access allow http port_80 nobumpSites
> >>> http_access allow https port_443 nobumpSites
> Why is it here?
> > To only allow access to nobumpSites on port 80 and 443
> >>>
> >>>
> >>> http_access deny all
> >>>
> >>> ##### allowed_domains
> >>> .cnn.com
> >>> .google.com
> >>> .facebook.com
> >>> ... etc.
> ACL order and, even more, access rule order is important. Just as in firewalls.
> What do you mean with "allowed_domains" and why is it here?
> >>>
> >>>
> >>> #### squid log
> >>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> >>> TCP_MISS/200 593 GET http://www.cnn.com/
> >>>
> >>>
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users@xxxxxxxxxxxxxxxxxxxxx
> >>> http://lists.squid-cache.org/listinfo/squid-users
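The peek/splice layout the thread circles around, written out as an added example (my own config, not Yuri's or the poster's): intercepted HTTPS is peeked at step 1 to learn the SNI, spliced when the name is on the whitelist and terminated otherwise, so nothing on the list is ever decrypted or issued a forged certificate. Ports, paths and the allowed_domains file are the ones in the poster's config; the localnet range is constructed, and the separate step-1 http_access line reflects that Squid's fake CONNECT for an intercepted connection carries only the destination IP until the ClientHello has been peeked.

```conf
# Added example of a whitelist-by-splice layout for Squid 3.5 (not the
# poster's file). Ports and paths are the ones shown in the thread; the list
# file holds one domain per line, e.g. ".cnn.com".
acl localnet src 10.0.0.0/8            # constructed client range; adjust
acl allowed_domains dstdomain "/etc/squid/allowed_domains"
acl nobumpSites ssl::server_name "/etc/squid/allowed_domains"
acl step1 at_step SslBump1

# Plain HTTP: "intercept", not the deprecated "transparent" keyword.
http_port 3401 intercept

# Intercepted HTTPS. ssl-bump is required so Squid may peek at the ClientHello;
# cert/key are only touched if a connection is ever actually bumped.
https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

# Step 1: read the ClientHello only; the SNI becomes available.
ssl_bump peek step1
# Step 2: tunnel the TLS session untouched when the SNI is whitelisted.
ssl_bump splice nobumpSites
# Everything else: close the connection without decrypting it.
ssl_bump terminate all

# At step 1 the fake CONNECT names only an IP, so dstdomain cannot match it
# yet; let it reach the peek and decide on the SNI afterwards. Plain HTTP
# requests carry a Host header and are matched by dstdomain directly.
http_access allow localnet step1
http_access allow localnet nobumpSites
http_access allow localnet allowed_domains
http_access deny all

# Deliberately not carried over from the poster's file:
#   sslproxy_cert_error allow all / sslproxy_flags DONT_VERIFY_PEER
#     (disable server certificate checking for any bumped connection)
#   cache deny all together with cache_dir (a disk cache that is never used)
```

A denied site now shows up in access.log as a terminated CONNECT rather than the TAG_NONE/403 on a decrypted HEAD that the poster's log shows, which is the quickest way to confirm the list is being consulted before any bumping happens.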