Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on.

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

cache deny all   <— No caching.

acl step1 at_step SslBump1   <— What is this doing ??
acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"   <— Create whitelist for SSL

ssl_bump peek step1   <— Try to find server_name ?
ssl_bump splice whitelist_ssl   <— Ignore whitelist_ssl domains and let it through
ssl_bump bump net_bump   <— ??? This I don't get since there is no net_bump acl ? Should this just be all ?
ssl_bump splice all   <— Splice everything else that couldn't be bumped ??

acl http proto http   <— Allow http proto
acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains"   <— Create whitelist for http
acl https proto https   <— Allow https
acl port_80 port 80   <— Allow port 80. Is this redundant ??
acl port_443 port 443   <— Allow port 443. Is this redundant ??

http_access allow http port_80 whitelist   <— Allow whitelisted domains on port 80
http_access allow https port_443 whitelist_ssl   <— Allow whitelisted domains on 443
http_access deny all   <— Deny all

####### LOGS

2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log squid
2015/10/22 09:41:10| Processing: cache deny all
2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
2015/10/22 09:41:10| Processing: ssl_bump peek step1
2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
2015/10/22 09:41:10| Processing: ssl_bump bump net_bump   <— I assume again this is because no all for net_bump.
2015/10/22 09:41:10| ACL not found: net_bump
FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump
Squid Cache (Version 3.5.10): Terminated abnormally.
CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
Maximum Resident Size: 26208 KB
Page faults with physical i/o: 0

If I change "ssl_bump bump net_bump" to "ssl_bump bump all" it starts up, but it still fails to allow any https through, even those in the whitelist_ssl file, but allows http to those domains. Not sure what I am doing wrong here.

> On Oct 21, 2015, at 8:16 PM, luizcasey@xxxxxxxxx wrote:
>
> Alex,
> So what do you recommend to do here ? I just need a simple whitelist file for both http/https. I have a config that works on 3.4 but would like to upgrade to 3.5 and the current config we have won't cut it. Just need a simple if you are in this list allow if not deny. No need for any ssl validation or anything.
>
>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>>
>>> Working config snippet for 3.5.x looks like this:
>>>
>>> ssl_bump peek get_sni_at_step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>>
>>
>> The above config leaves the following question unanswered:
>>
>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>> step #2?
>>
>>
>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>> defaults are complex (and used to be broken). To answer that question
>> (instead of forcing Squid to guess the answer), add a fourth catch-all
>> rule. For example, this is how the latest Squids would guess:
>>
>> ssl_bump peek step1
>> ssl_bump splice spliced_hosts
>> ssl_bump bump net_bump
>> ssl_bump splice all
>>
>>
>> If spliced_hosts ACL negation works reliably, then the above is
>> equivalent to:
>>
>> ssl_bump peek step1
>> ssl_bump bump !spliced_hosts net_bump
>> ssl_bump splice all
>>
>> but I recommend avoiding ACL negation in the actual rules.
>>
>>
>> Finally, please make sure your http_access rules correctly handle
>> CONNECT requests (real for forwarded connections and fake ones for
>> intercepted connections). This may be difficult to do right now due to
>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>>
>>
>> HTH,
>>
>> Alex.
>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>> that ACL itself does not know anything about SNI and does not force
>> Squid to get SNI.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
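The two mistakes discussed in this thread, a rule that names an ACL which was never declared (the "ACL not found: net_bump" fatal above) and an ssl_bump chain that does not end in an explicit catch-all, are both visible from the text of squid.conf before Squid is ever restarted. The following Python pre-flight lint is an added example written for this page; it is not part of the thread, of Squid, or of any Squid tool. It mirrors two behaviours of Squid's parser that the thread relies on: an ACL must be declared with an "acl" line before any rule refers to it, and "all" is the only ACL Squid predefines. The sample configuration embedded below is a constructed copy of the one posted above with the inline notes removed, and the "bump all" variant is the change the poster describes trying. The lint only inspects ssl_bump, http_access and cache lines and does not validate ACL types or arguments, so `squid -k parse` remains the authoritative check.

```python
"""Pre-flight lint for the ACL-referencing lines of a squid.conf (added example)."""
from typing import List

# "all" is predefined by Squid; everything else needs an acl line first.
BUILTIN_ACLS = {"all"}
# Directives whose trailing tokens are ACL names (optionally negated with "!").
ACL_USING_DIRECTIVES = {"ssl_bump", "http_access", "cache"}


def lint(conf: str) -> List[str]:
    """Return human-readable findings for conf; an empty list means nothing was flagged."""
    defined = set(BUILTIN_ACLS)
    findings: List[str] = []
    saw_ssl_bump = False
    catch_all_line = None  # line number of the first always-matching ssl_bump rule

    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])  # acl NAME TYPE args...
            continue
        if tokens[0] not in ACL_USING_DIRECTIVES or len(tokens) < 2:
            continue  # http_port, logformat, access_log, ...: nothing to check
        directive, action, acl_tokens = tokens[0], tokens[1], tokens[2:]

        # Rule 1: every ACL named on the line must already be declared.
        for tok in acl_tokens:
            name = tok.lstrip("!")
            if name not in defined:
                findings.append(
                    f"line {lineno}: {directive} {action} references undefined ACL '{name}' "
                    "(Squid aborts with 'ACL not found')"
                )

        # Rule 2: the ssl_bump chain needs one catch-all, and nothing after it can match.
        if directive == "ssl_bump":
            saw_ssl_bump = True
            if catch_all_line is not None:
                findings.append(
                    f"line {lineno}: ssl_bump {action} is unreachable; "
                    f"line {catch_all_line} already matches every connection"
                )
            elif acl_tokens == ["all"]:
                catch_all_line = lineno

    if saw_ssl_bump and catch_all_line is None:
        findings.append(
            "ssl_bump chain has no catch-all rule; add e.g. 'ssl_bump splice all' "
            "so the final action is explicit rather than guessed"
        )
    return findings


# Constructed sample: the configuration posted in the thread, without the inline notes.
POSTED_CONF = """\
https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept
cache deny all
acl step1 at_step SslBump1
acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump bump net_bump
ssl_bump splice all
acl http proto http
acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains"
acl https proto https
acl port_80 port 80
acl port_443 port 443
http_access allow http port_80 whitelist
http_access allow https port_443 whitelist_ssl
http_access deny all
"""

# The same file after the change the poster tried ("bump net_bump" -> "bump all").
BUMP_ALL_CONF = POSTED_CONF.replace("ssl_bump bump net_bump", "ssl_bump bump all")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("bump all", BUMP_ALL_CONF)):
        print(f"== {label} ==")
        for finding in lint(conf) or ["no findings"]:
            print("  " + finding)
```

On the posted file the lint reports the undefined net_bump reference on the "ssl_bump bump" line, matching the fatal in the log. On the "bump all" variant that reference is gone, but the lint now reports that the trailing "ssl_bump splice all" can never match, because "ssl_bump bump all" already decides every connection at the bumping step; whichever final action is intended, only one catch-all should remain.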