Never - I repeat, never! - copy pieces of other people's configs if you do not understand what they mean. There is no need to engage in copy-paste. In the case of configurations you need to thoroughly understand what you are doing.

net_bump is from _my_ config; this ACL contains SRC networks from the LAN.

22.10.15 20:01, luizcasey@xxxxxxxxx wrote:
> Here is the config I am currently using based on your suggestion earlier. However, it does not start. I have also added some questions to each line for verification purposes, to make sure I am understanding what is actually going on.
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 intercept
>
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
>
> cache deny all <-- No caching.
>
> acl step1 at_step SslBump1 <-- What is this doing ??
> acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" <-- Create whitelist for SSL
>
> ssl_bump peek step1 <-- Try to find server_name ?
> ssl_bump splice whitelist_ssl <-- Ignore whitelist_ssl domains and let them through
> ssl_bump bump net_bump <-- ??? This I don't get, since there is no net_bump acl ? Should this just be all ?
> ssl_bump splice all <-- Splice everything else that couldn't be bumped ??
>
> acl http proto http <-- Allow http proto
> acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains" <-- Create whitelist for http
>
> acl https proto https <-- Allow https
> acl port_80 port 80 <-- Allow port 80. Is this redundant ??
> acl port_443 port 443 <-- Allow port 443. Is this redundant ??
>
> http_access allow http port_80 whitelist <-- Allow whitelisted domains on port 80
> http_access allow https port_443 whitelist_ssl <-- Allow whitelisted domains on 443
>
> http_access deny all <-- Deny all
>
>
> #######LOGS
>
> 2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log squid
> 2015/10/22 09:41:10| Processing: cache deny all
> 2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
> 2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
> 2015/10/22 09:41:10| Processing: ssl_bump peek step1
> 2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
> 2015/10/22 09:41:10| Processing: ssl_bump bump net_bump <--- I assume again this is because there is no acl for net_bump.
> 2015/10/22 09:41:10| ACL not found: net_bump
> FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump
> Squid Cache (Version 3.5.10): Terminated abnormally.
> CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
> Maximum Resident Size: 26208 KB
> Page faults with physical i/o: 0
>
>
> If I change "ssl_bump bump net_bump" to "ssl_bump bump all" it starts up, but it still fails to allow any https through, even to the domains in the whitelist_ssl file, while it allows http to those domains. Not sure what I am doing wrong here.
>
>
>> On Oct 21, 2015, at 8:16 PM, luizcasey@xxxxxxxxx wrote:
>>
>> Alex,
>> So what do you recommend to do here ? I just need a simple whitelist file for both http/https. I have a config that works on 3.4 but would like to upgrade to 3.5, and the current config we have won't cut it. Just need a simple "if you are in this list, allow; if not, deny". No need for any ssl validation or anything.
>>
>>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>>>
>>>> Working config snippet for 3.5.x looks like this:
>>>>
>>>> ssl_bump peek get_sni_at_step1
>>>> ssl_bump splice spliced_hosts
>>>> ssl_bump bump net_bump
>>>
>>>
>>> The above config leaves the following question unanswered:
>>>
>>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>>> step #2?
>>>
>>>
>>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>>> defaults are complex (and used to be broken). To answer that question
>>> (instead of forcing Squid to guess the answer), add a fourth catch-all
>>> rule. For example, this is how the latest Squids would guess:
>>>
>>> ssl_bump peek step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>>> ssl_bump splice all
>>>
>>>
>>> If spliced_hosts ACL negation works reliably, then the above is
>>> equivalent to:
>>>
>>> ssl_bump peek step1
>>> ssl_bump bump !spliced_hosts net_bump
>>> ssl_bump splice all
>>>
>>> but I recommend avoiding ACL negation in the actual rules.
>>>
>>>
>>> Finally, please make sure your http_access rules correctly handle
>>> CONNECT requests (real for forwarded connections and fake ones for
>>> intercepted connections). This may be difficult to do right now due to
>>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>>> that ACL itself does not know anything about SNI and does not force
>>> Squid to get SNI.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
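The two configuration problems raised in this thread (a rule that references an ACL which is never defined, which Squid reports as a fatal "ACL not found", and an ssl_bump rule set that does not end with a catch-all on `all`) can both be caught before restarting the proxy. The following Python lint is an added example, not Squid code or anything posted in the thread; it understands only the acl/ssl_bump/http_access subset used above, and its sample configs are constructed from the posted snippets with a placeholder LAN range.

```python
import shlex

# Squid predefines "all" (and a few other ACLs not used here); every other name must
# be introduced by an "acl" line before a rule references it.
BUILTIN_ACLS = {"all"}
RULE_DIRECTIVES = {"ssl_bump", "http_access"}


def lint_squid_conf(text):
    """Return findings for the ssl_bump/http_access subset of a squid.conf."""
    findings = []
    defined = set(BUILTIN_ACLS)
    ssl_bump_rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # squid.conf comments start with "#"
        if not line:
            continue
        tokens = shlex.split(line)           # honours the quoted file paths
        directive = tokens[0]
        if directive == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])           # acl <name> <type> <values...>
        elif directive in RULE_DIRECTIVES and len(tokens) >= 2:
            acls = [a.lstrip("!") for a in tokens[2:]]  # "!name" negates name
            for name in acls:
                if name not in defined:      # what Squid aborts on at startup
                    findings.append("line %d: ACL not found: %s" % (lineno, name))
            if directive == "ssl_bump":
                ssl_bump_rules.append((lineno, acls))
    # Alex's point: the last ssl_bump rule should answer the step-2 question
    # explicitly instead of leaving it to Squid's defaults.
    if ssl_bump_rules and ssl_bump_rules[-1][1] != ["all"]:
        findings.append("line %d: last ssl_bump rule is not a catch-all on 'all'"
                        % ssl_bump_rules[-1][0])
    return findings


# Constructed sample modelled on the posted config: net_bump is used but never defined.
POSTED_CONF = """\
acl step1 at_step SslBump1
acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump bump net_bump
ssl_bump splice all
"""

# Same rules with net_bump defined (192.0.2.0/24 is a placeholder LAN range, not from the thread).
FIXED_CONF = POSTED_CONF.replace("acl step1", "acl net_bump src 192.0.2.0/24\nacl step1")

# Constructed sample shaped like the three-rule snippet: every ACL exists, but no catch-all.
NO_CATCHALL_CONF = FIXED_CONF.replace("ssl_bump splice all\n", "")
```

Running `lint_squid_conf` over the three samples reproduces the startup failure from the log for the posted config, reports only the missing catch-all for the three-rule shape, and returns no findings for the fixed config.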