Re: HTTPS sites specifics URL

["Dante F. B. Colò" <dante01010@xxxxxxxxx>]

Hi Amos,

What i'm trying to do is allow the url "www.sans.org/programs" as an 
example, the acl  file "restrito" contain this URL but it's not working, 
https urls are working only with the domain part which in this case i 
have to remove "/programs"



On 2/8/17 1:40 AM, Amos Jeffries wrote:
> On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:
> > Hi Leonardo,
> >
> > Thanks for your reply,I tried SSL Bump under client-first and
> > server-first modes both didn't work, Squid version is 3.4.14 running
> > under OpenBSD 5.6 and 5.7 test boxes, i also increased verbosity log to
> > 9 of the URL Parsing debug section to see if shows something useful , i
> > 'll post here my squid.conf and debug output from cache.log, if you
> > have some suggestion tell me please.
> >
> > 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> > skipped duplicate profile: asndb
> > 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> > skipped duplicate profile: carp
> > 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> > skipped duplicate profile: userhash
> > 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> > skipped duplicate profile: sourcehash
> > 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> > skipped duplicate profile: server_list
> > 2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
> > 2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
> > entering clientListenerConnectionOpened(local=172.17.198.19:3128
> > remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> > 2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
> > clientListenerConnectionOpened [call27542]
> > 2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
> > connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> > 2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
> > leaving clientListenerConnectionOpened(local=172.17.198.19:3128
> > remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> > 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
> > connection on FD 18
> > 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
> > connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> > 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
> > HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9
> > flags=1
> > 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
> > HTTP Client REQUEST:
> > ---------
> > CONNECT www.sans.org:443 HTTP/1.1
> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
> > Gecko/20100101 Firefox/45.0
> > Proxy-Connection: keep-alive
> > Connection: keep-alive
> > Host: www.sans.org:443
> > Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
> >
> >
> > ----------
> ...
> > 2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
> > 'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
> ... the "password" ACL works.
>
> ... the "jeca.tatu" ACL is redundant.
>
> > 2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
> > clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
> > last ACL checked: all
> ... the "restrito" ACL does not match "www.sans.org:443".
>
> ... the "deny all" blocks this CONNECT request.
>
>
> > 2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
> > connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
> > FD 9 flags=1 from SSL-bumped CONNECT
> ... Squid then goes on a bumps the request. But only so that it can
> deliver the error message in a way which browsers will display.
>
> > 2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
> > clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
> > FD 9 (172.17.200.11:50974)
> ...
> > 2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
> > sendStartOfMessage: HTTP Client REPLY:
> > ---------
> > HTTP/1.1 403 Forbidden
> > Server: squid/3.4.12
> > Mime-Version: 1.0
> > Date: Tue, 06 Dec 2016 21:33:05 GMT
> > Content-Type: text/html
> > Content-Length: 3342
> > X-Squid-Error: ERR_ACCESS_DENIED 0
> > Vary: Accept-Language
> > Content-Language: en
> > X-Cache: MISS from openbsd57vm01
> > Via: 1.1 openbsd57vm01 (squid/3.4.12)
> > Connection: close
> >
> > #################################################################
> >
> > my squid.conf
> ...
> > acl password proxy_auth REQUIRED
> > acl jeca.tatu proxy_auth jeca.tatu
> > acl restrito url_regex -i  "/etc/squid/acl/restrito"
> > http_access allow password jeca.tatu restrito
> > http_access deny all
> >
> > http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private
> > cert=/etc/squid/pki/test.cert
> > acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> > always_direct allow all
> You dont need that "always_direct allow all". It was a workaround for a
> 3.1 bug which is long since fixed.
>
> > ssl_bump client-first all
> > sslproxy_cert_error allow all
> > sslproxy_cert_error allow BadSite
> > sslproxy_flags DONT_VERIFY_PEER
> Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad,
> partiularly for testing. You *want* to see what problems are when debugging.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users