Ahh that's it! Thank you for your help! For anyone interested, I'm posting the working config I'm using. Hopefully this helps someone.

#
# Working on squid version: 3.5.23
#
# The general purpose of this configuration is:
# - only allow a set of whitelisted domains through the proxy
# - option to allow specific browser user agents to bypass the domains whitelist
# - option to allow specific hosts to bypass the domains whitelist
# - option to allow specific host + user agent to bypass the domains whitelist
#
# Useful in a restricted environment, like a server environment with restricted egress requirements.
#
# Requirements for this to work properly
#
# On proxy host:
# iptables rules to support redirection to appropriate ports
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
#
# Self-signed cert route:
# openssl req -newkey rsa:4096 -x509 -keyout /etc/squid/ssl_cert/mySquidCA.pem -out /etc/squid/mySquidCA.pem -days 1825 -nodes
#
# On clients
# For self-signed cert route:
# Add public key of mySquidCA cert to appropriate stores
# e.g. Ubuntu 16.04, add public key of the .pem file to: /usr/local/share/ca-certificates/mySquidCA.crt and then run sudo update-ca-certificates
#
# If running python, may need to update appropriate package cert stores:
# e.g. /usr/local/lib/python2.7/dist-packages/requests/cacert.pem
#
# Refs
# - install 3.5.23: https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html
# - example: https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/
# - http://www.squid-cache.org/Doc/
#

visible_hostname squid

# The default log formats available (which do not need re-defining) are:
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log daemon:/var/log/squid/access.log combined

# acls for ports allowed
acl safe_ports port 80 # http
acl safe_ports port 443 # https

# acl for whitelisting domains
acl whitelist_domains dstdomain "/etc/squid/whitelist_domains.txt"

# acl for browser user agents
acl useragent_bypass browser "/etc/squid/useragents_bypass_regex.txt"

# acl for hosts
acl host_bypass src "/etc/squid/hosts_bypass.txt"

# acls for use with host AND user agent combo rule
acl host_and_useragent_ualist_bypass browser "/etc/squid/host_AND_useragent_useragentlist_bypass.txt"
acl host_and_useragent_hostlist_bypass src "/etc/squid/host_AND_useragent_hostlist_bypass.txt"

acl CONNECT method CONNECT

#Handling HTTP requests
#http_port 3128 # will need this live for squid v4
http_port 3129 intercept

#Handling HTTPS requests
# transparent proxy option
#https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
# full ssl intercept option
https_port 3130 ssl-bump intercept cert=/etc/squid/ssl_cert/mySquidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 10MB
# for ver 4.x
#sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 10MB

# bump everything
ssl_bump stare all
ssl_bump bump all

# delay filtering decisions until we get to bumped requests
http_access allow CONNECT safe_ports
http_access deny CONNECT

# filter plain and bumped requests
# allow specified hosts to bypass
http_access allow host_bypass
# allow specified useragents to bypass
http_access allow useragent_bypass
# allow combo of host + useragent to bypass
http_access allow host_and_useragent_ualist_bypass host_and_useragent_hostlist_bypass
# allow only whitelisted domains if above rules haven't bypassed it yet
http_access allow whitelist_domains
# finally, deny all other access to this proxy
http_access deny all
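To check what the posted http_access chain actually lets through before deploying it, here is an added Python model of its evaluation order (not code from the post or from Squid): first matching line wins, every ACL on one line must match (AND), and a missing match falls through to `deny all`. The ACL list contents are constructed samples standing in for the /etc/squid/*.txt files.

```python
import ipaddress
import re

# Constructed sample ACL lists standing in for the files the posted
# squid.conf reads from /etc/squid/*.txt (not the poster's real lists).
WHITELIST_DOMAINS = [".ubuntu.com", "pypi.org"]   # dstdomain
USERAGENT_BYPASS = [r"^apt-cache-probe/"]          # browser = regex on User-Agent
HOST_BYPASS = ["10.0.0.5/32"]                      # src
COMBO_UA = [r"^pip/"]                              # host_and_useragent_ualist_bypass
COMBO_HOSTS = ["10.0.1.0/24"]                      # host_and_useragent_hostlist_bypass


def match_dstdomain(patterns, host):
    """Squid 3.x dstdomain: a leading dot matches the domain and all of
    its subdomains; a bare name matches that exact host only."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def match_src(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def match_browser(regexes, ua):
    # Squid's browser ACL is a case-sensitive regex over the User-Agent header.
    return any(re.search(r, ua) for r in regexes)


def http_access(src_ip, dst_host, user_agent):
    """The post-CONNECT http_access lines of the posted config, in order.
    ACLs on one line are ANDed; the first line whose ACLs all match wins."""
    rules = [
        ("allow", [match_src(HOST_BYPASS, src_ip)]),
        ("allow", [match_browser(USERAGENT_BYPASS, user_agent)]),
        ("allow", [match_browser(COMBO_UA, user_agent), match_src(COMBO_HOSTS, src_ip)]),
        ("allow", [match_dstdomain(WHITELIST_DOMAINS, dst_host)]),
    ]
    for action, checks in rules:
        if all(checks):
            return action
    return "deny"  # http_access deny all
```

Note that a bare `pypi.org` entry does not cover `files.pypi.org`, while `.ubuntu.com` covers every subdomain; the bypass hosts and user agents get out regardless of destination, so those lists deserve the tightest review.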