Hi Alex,
Thank you. Yes, there are http_access rules
I have included the entire configuration file (Sorry, I'm new to Squid)
The goal is to splice only whitelist (github.com) and terminate all other domains.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
visible_hostname squid.internal
acl localnet src 172.16.0.0/16
acl http_whitelist dstdomain .github.com
acl whitelist ssl::server_name .github.comacl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow http_whitelist localnet
http_access deny allacl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all
via off
forwarded_for offrequest_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
-Shan
On Monday, April 17, 2017 10:10 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:
> I have a blanket block setup with Squid as Transparent proxy where
> access it allowed only to github.com. But, squid generates certificates
> for IP address instead of domain name and SSL validation fails.
> Squid version: |3.5.25-20170408-r14154|
> When I use curl
> |curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com|
>
> How to configure properly to splice a whitelist and block all other
> domains. Below is my current configuration
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130intercept ssl-bump enerate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
>
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
>
> Please help me fixing the issue.
Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)?
What does access.log say?
Alex.
> I have a blanket block setup with Squid as Transparent proxy where
> access it allowed only to github.com. But, squid generates certificates
> for IP address instead of domain name and SSL validation fails.
> Squid version: |3.5.25-20170408-r14154|
> When I use curl
> |curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com|
>
> How to configure properly to splice a whitelist and block all other
> domains. Below is my current configuration
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130intercept ssl-bump enerate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
>
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
>
> Please help me fixing the issue.
Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)?
What does access.log say?
Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
