Non intrusive sslbump for whitelisting (asked many times but..)

Hi all,


## Intro

I read many blogs and emails on this list related to what I'm trying to do, but most go into bumping or do things that are not as simple as I'm trying to achieve.

I have an extremely slow line, with very high latency in a remote location. About 14 people are sharing this line. Nowadays with all the mobile apps trying to sync and such, the line stalls to unusable all the time.

I tried doing filters at the firewall or DNS level, but those are not effective. In the end I figured squid might be my best option.

## End intro


I have squid 3.5.27 running under LEDE (OpenWrt fork), i.e. it's cross-compiled for a MIPS based SoC (mediatek mt7621). I mention this because you will see some options in the config file that won't make sense otherwise.

It works great, here's what I'm trying to achieve: allow access only to a pre-defined list of websites (whitelist). HTTP is straightforward, but if the connection is HTTPS all I need to know is the domain: if it's allowed, let it pass, otherwise terminate.

This setup is working as intended with the config attached below, however the issue I'm facing is that some servers are "load-balanced", which gives me the forgery error, e.g.:

"SECURITY ALERT: Host header forgery detected on...."

Here's a specific example: there's a corporate domain for webmail access, and some load-balancing config makes use of different IPs, I think this is what triggers the error. My question is, can I just ignore this error somehow and allow the connection? From what I gather this connection is cut by squid before it reaches the client.

Also if there's anything else obviously wrong with my setup please let me know.

Many thanks.


Here's my config:


## squid.conf begin

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

acl ssl_ports port 443

acl safe_ports port 80
acl safe_ports port 443
acl connect method connect
acl http_whitelist dstdomain "/etc/squid/whitelist.txt"
acl https_whitelist ssl::server_name "/etc/squid/whitelist.txt"
acl ips_whitelist dst "/etc/squid/ips.txt"

http_port 3128 intercept
http_port 3129

http_access deny !safe_ports
http_access deny connect !ssl_ports
http_access allow ssl_ports
http_access allow http_whitelist
http_access allow ips_whitelist
http_access deny all

https_port 3130 intercept ssl-bump \
	cert=/etc/squid/myCA.pem \
	generate-host-certificates=off dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump splice https_whitelist
ssl_bump splice ips_whitelist
ssl_bump terminate all


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache deny all
access_log none
cache_log /dev/null
cache_store_log stdio:/dev/null
logfile_rotate 0

logfile_daemon /dev/null
coredump_dir /tmp/squid
visible_hostname main_Firewall
pinger_enable off
mime_table /tmp/squid/mime.conf
sslcrtd_program /usr/lib/squid/ssl_crtd -s /tmp/squid/ssldb -M 4MB

## config file end.




## whitelist.txt begin

.nokia.com

## whitelist.txt end.
--

Regards,
A. Benz
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
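The following is an added example, not code from the original post or from the Squid project. It models the two checks the post runs into: the whitelist matching that `dstdomain` / `ssl::server_name` apply to entries like `.nokia.com`, and Squid's host-header forgery test for intercepted traffic, which compares the connection's original destination IP with the proxy's own DNS answer at that moment. The resolver, domain names and addresses are constructed stand-ins so the script runs offline; `build_ips_whitelist` shows how a round-robin name yields a candidate `ips.txt` for the `dst` fallback ACL.

```python
import ipaddress
from collections import defaultdict

# Constructed data (not from the post): a round-robin name whose answer set
# changes between lookups, as a load-balanced webmail host does.
ROUND_ROBIN = {
    "mail.example.com": [["203.0.113.10", "203.0.113.11"],
                         ["203.0.113.12", "203.0.113.10"]],
    "www.example.com": [["198.51.100.5"]],
}
WHITELIST = [".example.com"]          # same syntax as whitelist.txt

class FakeResolver:
    """Offline stand-in for DNS: cycles through the answer sets above."""
    def __init__(self, table):
        self.table, self.calls = table, defaultdict(int)
    def __call__(self, name):
        answers = self.table.get(name, [[]])
        i = self.calls[name] % len(answers)
        self.calls[name] += 1
        return answers[i]

def name_allowed(server_name, whitelist):
    """dstdomain / ssl::server_name semantics: '.dom' matches dom and any
    subdomain, a bare 'dom' matches only dom itself."""
    name = server_name.lower().rstrip(".")
    for entry in whitelist:
        e = entry.lower()
        if e.startswith("."):
            if name == e[1:] or name.endswith(e):
                return True
        elif name == e:
            return True
    return False

def forgery_suspected(dst_ip, server_name, resolve):
    """Squid's host-header forgery test for intercepted traffic: the
    connection's original destination must be among the addresses the
    proxy itself resolves the SNI name to at that moment. A client that
    got a different round-robin answer than the proxy trips this check."""
    return str(ipaddress.ip_address(dst_ip)) not in resolve(server_name)

def build_ips_whitelist(domains, resolve, rounds=4):
    """Collect every address seen over several lookups, i.e. a candidate
    ips.txt covering the whole pool behind a round-robin name."""
    seen = set()
    for name in domains:
        for _ in range(rounds):
            seen.update(resolve(name))
    return sorted(seen, key=ipaddress.ip_address)
```

An address list built this way goes stale as the pool changes and, unlike the name-based ACL, also admits any other site hosted on those addresses, so it is a fallback to regenerate regularly rather than a replacement for the SNI whitelist.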