
Re: Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL

19.05.2016 18:03, Amos Jeffries wrote:
On 19/05/2016 11:08 p.m., Sagar Malve wrote:
Hi Team,

I have done some modification as per thread and temporarily removed Refresh
pattern and have kept the Default refresh pattern ...

This is how my Configuration looks like .....


# SSL bump acl
acl net_bump src "/etc/squid/net.bump"

# TLD acl
acl block_tld url_regex "/etc/squid/dstdom.tld"

You called the file "dstdom", but it is not a dstdomain ACL type.

To match when the domain is listed in the path or query string sections
of URL this is right as-is. Though it would be worth making a note of
that in the config so it doesn't get undone.


To match only the URL domain section with regex use dstdom_regex as the
ACL type. Or, since the unknown part of the listed domains is all the
sub-domain section, use dstdomain, which is faster.

NB: Original ACL was:

# TLD acl
acl block_tld dstdomain "/usr/local/squid/etc/dstdom.tld"

NB2: This is brainless copy-n-paste from my config I've accidentally shared here in the past.

NB3: facebook.com (etc.) is NOT a TLD (Top Level Domain). It is a SECOND level domain. Originally this part of my config was used to block REAL TLDs, like .tv, .xxx.


# Block top level domains
http_access deny block_tld
deny_info TCP_RESET block_tld

# Rule allowing access from local networks
http_access allow localnet
http_access allow localhost

Notice how localnet and localhost are allowed through the proxy above
without any further ACL conditions.

That means the below "Windows Update rules" have nothing to do and never
match any request which reaches them. You can remove.

# Windows updates rules
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1

DiscoverSNIHost is never being used. You can remove it.

# ICQ/MRA must splice first
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump bump net_bump
acl tls_s1_connect      at_step SslBump1
acl tls_s3_server_hello at_step SslBump3

tls_s3_server_hello is never being used. You can remove it.

# TLS/SSL bumping steps
ssl_bump peek   tls_s1_connect        # peek at the incoming TLS/SSL connect data
ssl_bump splice all                          # splice the stream: pass-through mode

# And finally deny all other access to this proxy
http_access deny all

<snip>

-------------Config End ---------------

------------net.bump File -------------------

google.com
youtube.com
reddit.com

This file is being loaded into a 'src' ACL.

Firstly, why are the Google, YouTube, and Reddit servers making requests
through your proxy? they are your customers?

I think you meant 'dst' ACL for this. Your customers going *to* Google,
YouTube, or Reddit.


Secondly, the IP addresses of the listed hosts will be resolved on Squid
startup *only* (applies to both src and dst ACL types).

Any other IPs which the site rotates into its DNS RR set after the
single resolve that Squid does for config loading will not match.



-------------------------------

------------dstdom.tld file --------------

yahoo.com
facebook.com

---------------------------------------


--------------- Url.nobump--------

axisbank.com
hdfcbank.com

This file is being used by an ACL which has nothing to do with URLs.
That name is really confusing.


------------------------------------------


Now issue is that I need to block yahoo and facebook but I am able to
access the facebook website and yahoo is getting blocked ....

Hint: The facebook website does not always use the domain "facebook.com"
except in the URL part visible to people. Most people don't type URLs in
to their address bar anyway, so most access to FB will be through Google
etc. straight to the other domain name used for content display.


And also all Google website like google, gmail, youtube are working very
slow it takes lots of time to load this websites but other Https websites
like axisbank / hdfc etc are working properly ....

Think about that. The domains that your net_bump ACL has told Squid to
bump (decrypt) are going slow, the ones you have told it to splice
(bypass decryption) are going "properly" (whatever that means).

Also sometimes website does not work with Chrome browser like Gmail but same
is working in Mozilla Firefox but take time to load ......

1) Same as above.

2) Chrome is a Google app. It has the TLS certs for Gmail and other
Google services pinned (hard-coded) into it. If your Squid happens to
try decrypting its traffic without having the Squid CA custom installed
in a way that overrides that pinning, it refuses to work.

3) Sometimes (usually?) Chrome does not use HTTP or HTTPS to contact
Gmail and other Google properties. Even if the URL in the address bar
makes you think that's what it's doing. There are 5 different protocols
that can be used to contact servers and fetch https:// URLs.


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

I curse the day I ever posted my config. They mindlessly copy it, mangling the parameters and hoping that it will work. I have told those Linux fanboys a thousand times that they cannot do this.
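
The two checks made by eye in the review above (ACLs that are defined but never referenced, and http_access rules placed after a broader rule that already decides every request they could match) can be automated. The Python sketch below is an added example, not part of the thread or of Squid; the function names are hypothetical and SAMPLE_CONF is constructed from the directives quoted in the thread.

```python
# Constructed sample: the directives quoted in the thread, comments trimmed.
SAMPLE_CONF = """\
acl net_bump src "/etc/squid/net.bump"
acl block_tld url_regex "/etc/squid/dstdom.tld"
http_access deny block_tld
deny_info TCP_RESET block_tld
http_access allow localnet
http_access allow localhost
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump bump net_bump
acl tls_s1_connect at_step SslBump1
acl tls_s3_server_hello at_step SslBump3
ssl_bump peek tls_s1_connect   # peek at the incoming TLS/SSL connect data
ssl_bump splice all
http_access deny all
"""

def parse(conf):
    """Yield (line_no, tokens) per directive; comments and blanks dropped."""
    for no, raw in enumerate(conf.splitlines(), 1):
        if tokens := raw.split("#", 1)[0].split():
            yield no, tokens

def unused_acls(conf):
    """ACL names that are defined but never named by any other directive."""
    defined, used = {}, set()
    for _, tok in parse(conf):
        if tok[0] == "acl" and len(tok) > 1:
            defined[tok[1]] = None          # dict keeps definition order
        else:
            used.update(t.lstrip("!") for t in tok[1:])
    return [name for name in defined if name not in used]

def shadowed_rules(conf, directive="http_access"):
    """(line, earlier_line) pairs where an earlier rule's ACL list is a subset."""
    seen, hits = [], []
    for no, tok in parse(conf):
        if tok[0] == directive and len(tok) > 2:
            conds = frozenset(tok[2:])
            earlier = [e for e, c in seen if c <= conds]
            if earlier:                     # first-match wins: never reached
                hits.append((no, earlier[0]))
            seen.append((no, conds))
    return hits
```

The subset test is only meaningful for first-match directives such as http_access; ssl_bump is evaluated once per bumping step, so its rules need a step-aware check instead.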



