Hi Amos. Thanks for pointing it out - but this has never been an acl-related issue, more like a https_port / ssl-bump configuration question when the upstream ssl request was not sending a "CONNECT www.example.org:443" but a "GET htttps://www.example.org".
For the sake of testing one can simply get rid of the acls and set "allow all", it wouldn't matter - this line "ssl_bump splice all" is the answer most people were looking for I supposed.
Best regards.
On Sun, Aug 20, 2017 at 10:31 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 20/08/17 14:38, Diogenes S. Jesus wrote:>
* squid.conf:
-----------------------
acl localhost src 127.0.0.0/8 <http://127.0.0.0/8>
acl localnet src 192.168.100.0/24 <http://192.168.100.0/24> 192.168.101.0/24 <http://192.168.101.0/24> 172.16.0.0/12 <http://172.16.0.0/12>
acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 443# https
acl CONNECT method CONNECT
http_access allow localhost localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
Those http_access rules contain an impossible condition.
The src-IP cannot simultaneously be having a value in the 127/8 network range *and* in one of the RFC1918 ranges. So there is no way anything is ever allowed to use this proxy.
I suspect it was working due to a recently fixed bug where the CONNECT message was not consistently passed through http_access controls sometimes in the first SSL-Bump step. Do not expect that to work much longer.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------
Diogenes S. de Jesus
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
