
Re: HTTPS sites specifics URL


Hi Amos,

What I'm trying to do is allow the URL "www.sans.org/programs", as an example. The ACL file "restrito" contains this URL but it's not working; HTTPS URLs are working only with the domain part, which in this case means I have to remove "/programs".



On 2/8/17 1:40 AM, Amos Jeffries wrote:
On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:
Hi Leonardo,

Thanks for your reply. I tried SSL Bump under client-first and
server-first modes; both didn't work. Squid version is 3.4.14 running
under OpenBSD 5.6 and 5.7 test boxes. I also increased the log verbosity to
9 for the URL Parsing debug section to see if it shows something useful. I
'll post here my squid.conf and debug output from cache.log; if you
have some suggestion, please tell me.

2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: asndb
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: carp
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: userhash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: sourcehash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: server_list
2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
entering clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
clientListenerConnectionOpened [call27542]
2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
leaving clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
connection on FD 18
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9
flags=1
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT www.sans.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Firefox/45.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.sans.org:443
Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=


----------
...
2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
... the "password" ACL works.

... the "jeca.tatu" ACL is redundant.

2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
last ACL checked: all
... the "restrito" ACL does not match "www.sans.org:443".

... the "deny all" blocks this CONNECT request.


2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
FD 9 flags=1 from SSL-bumped CONNECT
... Squid then goes on and bumps the request. But only so that it can
deliver the error message in a way which browsers will display.

2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
FD 9 (172.17.200.11:50974)
...
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.4.12
Mime-Version: 1.0
Date: Tue, 06 Dec 2016 21:33:05 GMT
Content-Type: text/html
Content-Length: 3342
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from openbsd57vm01
Via: 1.1 openbsd57vm01 (squid/3.4.12)
Connection: close

#################################################################

my squid.conf

...
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
acl restrito url_regex -i  "/etc/squid/acl/restrito"
http_access allow password jeca.tatu restrito
http_access deny all

http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private
cert=/etc/squid/pki/test.cert
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
always_direct allow all
You don't need that "always_direct allow all". It was a workaround for a
3.1 bug which is long since fixed.

ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_cert_error allow BadSite
sslproxy_flags DONT_VERIFY_PEER
Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad,
particularly for testing. You *want* to see what the problems are when debugging.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
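Worked configuration for the problem in this thread, added here as an editor's example and not taken from either poster's squid.conf. The debug output above shows why the path-based entry can never work: the only thing Squid sees before bumping is "CONNECT www.sans.org:443", so a url_regex containing "/programs" does not match at that stage, "http_access deny all" fires, and the tunnel is refused before any HTTPS request exists. The fix is to allow the CONNECT by host name and let the path regex act on the second pass through http_access, which the bumped GET makes with its full https:// URL. The ACL names "allowed_sites" and "CONNECT", and the regex line shown for the restrito file, are assumptions; Squid 3.4 ssl_bump syntax is used to match the thread (3.5 and later replace "client-first" with peek/stare/bump/splice steps). The broken lines Amos asked to remove are kept only as commented-out "before" entries beside the corrected ones.

```conf
# squid.conf excerpt (Squid 3.4 syntax, as used in the thread).
# Added example: the ACL names "allowed_sites" and "CONNECT" and the
# regex file line shown in the comment are assumptions, not the poster's.

acl CONNECT method CONNECT
acl password proxy_auth REQUIRED

# Pass 1: the CONNECT request carries only "www.sans.org:443", so only a
# host-level ACL can match it. Limit which hosts may be tunnelled/bumped.
acl allowed_sites dstdomain www.sans.org

# Pass 2: after client-first bumping, the decrypted request is checked
# again against http_access with its full URL (https://www.sans.org/programs),
# which is the only point where a path regex can match.
# /etc/squid/acl/restrito is assumed to contain lines such as:
#   ^https?://www\.sans\.org/programs
acl restrito url_regex -i "/etc/squid/acl/restrito"

http_access allow password CONNECT allowed_sites
http_access allow password restrito
http_access deny all

http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private cert=/etc/squid/pki/test.cert
ssl_bump client-first all

# Before (from the thread), removed as Amos advises:
#   always_direct allow all            # obsolete Squid 3.1 workaround
#   sslproxy_cert_error allow all      # hides every upstream certificate failure
#   sslproxy_flags DONT_VERIFY_PEER    # disables peer verification entirely
# After: with "allow all" gone the default is deny, so only the one error
# you have consciously decided to tolerate is let through. Whether a
# domain mismatch should be tolerated at all is a separate decision.
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
```

With this ordering a CONNECT to an unlisted host is still refused at pass 1, and a bumped request to www.sans.org whose path is not in restrito falls through to "deny all" and gets the 403 on pass 2, which is the per-path behaviour the original poster wanted.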
