On 13/05/18 13:55, Martin Hanson wrote:
>
> This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.
>

The comments on this config tell a story of some misunderstandings ...

> <SNIP>
> acl step1 at_step SslBump1
> acl localnet src 192.168.1.0/24
>
> # These boxes may ONLY access the whitelist.
> acl windows_boxes src 192.168.1.201 192.168.1.202
>
> acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .ubuntu.com
>
> # We don't want the whitelist to be cached.
> cache deny whitelist

"store_miss deny whitelist" is the current way to do this.

>
> # We want direct access on the whitelist.
> always_direct allow whitelist

"DIRECT" access is always allowed; all this does is prevent cache_peer being used. You have no cache_peer - so the above line is pointless.

>
> # Don't redirect to SquidGuard.
> redirector_access deny whitelist

Er. The idea that SquidGuard is redirected *to* is wrong. SG is the agent _doing_ the redirection. What the above does is prevent SG having any part of the whitelist transactions.

And redirector_access was deprecated by url_rewrite_access years ago.

>
> # We only redirect HTTP and HTTPS.
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still get blocked on these boxes.
> http_access deny windows_boxes !whitelist
>
> http_access allow localhost
> http_access allow localnet
>
> http_access deny all
>
> # We'll intercept traffic using PF.
> http_port 127.0.0.1:3129 intercept
> https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslproxy_cafile /usr/local/openssl/cabundle.file
>
> # Become a TCP tunnel without decrypting proxied traffic for the whitelist.
> ssl_bump splice whitelist
> ssl_bump peek step1
> ssl_bump bump all
>
> # We want the query strings as well.
> strip_query_terms off
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

redirect_program is deprecated by url_rewrite_program.

Also, Squidguard is deprecated. Convert basic SG actions into squid.conf actions where possible. And/or, use ufdbguard as a direct drop-in replacement that can handle HTTPS and modern Squid helper protocols.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
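For reference, here is the posted fragment with the four directives Amos objects to rewritten the way his reply suggests. This is an added example, not config from the thread or from the Squid project: the whitelist is shortened to a few of Martin's entries to keep it readable, the explicit `url_rewrite_access allow all` line is an addition for clarity (Squid would otherwise fall back to the opposite of the last rule), and the squidGuard command line is kept verbatim only because the reply gives no ufdbguard command line to substitute. Note that the reply does not address the `http_access deny windows_boxes !whitelist` line Martin marked as not working, so that rule is left exactly as posted.

```conf
# --- as posted (each line is what Amos's reply objects to) ---
#   cache deny whitelist              superseded by store_miss
#   always_direct allow whitelist     only matters with a cache_peer; none configured
#   redirector_access deny whitelist  old spelling of url_rewrite_access
#   redirect_program ... squidGuard   old spelling of url_rewrite_program

# Shortened from the posted list (example only; restore the full list in a real config).
acl whitelist ssl::server_name .mojang.com .minecraft.net .steampowered.com .ubuntu.com
acl windows_boxes src 192.168.1.201 192.168.1.202

# Do not store whitelisted responses (replaces "cache deny whitelist").
store_miss deny whitelist

# "always_direct allow whitelist" is dropped: DIRECT is always permitted and the
# directive only prevents cache_peer selection, which this config does not use.

# Keep the rewrite helper out of whitelist transactions
# (replaces "redirector_access deny whitelist"). The "allow all" line is added
# here for clarity; it is not in the original post.
url_rewrite_access deny whitelist
url_rewrite_access allow all

# Current directive name for the helper (replaces "redirect_program").
# The squidGuard path is kept as posted; Amos suggests ufdbguard as a drop-in
# replacement, whose own command line must be taken from its documentation.
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

# Unchanged from the post: Amos's reply does not comment on this rule.
http_access deny windows_boxes !whitelist
```

After editing, `squid -k parse` will flag any directive name the running Squid version no longer accepts, which is a quick way to confirm the deprecated spellings are gone.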