On 14/05/18 12:49, Martin Hanson wrote:
> I have enabled debugging and found something quite strange.
>
> In order to better debug I have limited the whitelist to two domains, one HTTP and one with HTTPS:
>
> acl whitelist ssl::server_name .ubuntu.com .sundkat.dk
>
> When I go to http://www.sundkat.dk, which is an HTTP domain, I get the following:
>
> 2018/05/14 02:42:49.859 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request GET http://www.sundkat.dk/ is ALLOWED; last ACL checked: whitelist
>
> But when I go to https://www.ubuntu.com, I get the following:
>
> 2018/05/14 02:43:44.262 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 91.189.89.103:443 is DENIED; last ACL checked: all
>
> It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working.

Yes, that is exactly what is happening.

* When intercepting HTTP (port 80) traffic the protocol is HTTP. Squid is receiving messages generated by the client *naming* the server it wants to connect with, OR with just a raw-IP if the client wants to do it that way.

* When handling explicit proxy (port 3128) traffic the protocol is HTTP. Squid is receiving CONNECT messages generated by the client, again *naming* the server it wants to connect with, OR with just a raw-IP if the client wants to do it that way.

* When intercepting HTTPS (port 443) traffic the protocol is initially just TCP. Squid is receiving a TCP SYN packet and fakes/generates a CONNECT message to represent this opaque connection (i.e. CONNECT to a raw-IP).

If (and only if) a CONNECT is itself allowed into the proxy does SSL-Bump begin for the TLS wrapped inside that message. That goes for both types of CONNECT message - Squid or client generated.

It should be obvious from the above why you see different behaviour for the two methods of using the proxy.

> But this is ONLY for the "windows_boxes", for everything else it's working as it should.
>
> I don't understand what's going on here.
>

If the fake CONNECT with raw-IP at SSL-Bump step1 is not allowed to go through the proxy then the TLS handshake cannot even start to happen. So there will never be an ssl::server_name for the whitelist ACL to match.

Now that you have altered localnet to exclude the *.201 and *.202 IPs the "allow localnet" is no longer permitting them to use the proxy. AND the whitelist ACL is still not matching the raw-IPs which occur in CONNECT messages. Which leaves Squid with "deny all".

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
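The access rules that follow from Amos's explanation, written out as an added example (this is constructed for illustration; it is not Martin's posted squid.conf and not a config from the Squid project). It assumes Squid 3.5 or later with the peek-and-splice SSL-Bump actions, an interception setup as in the thread, and placeholder addresses (RFC 5737 192.0.2.0/24) standing in for the real "*.201" and "*.202" hosts and the LAN range, which are not given in full on the page:

```conf
# Constructed example, not the original poster's configuration.
# Substitute the real LAN range and the real *.201 / *.202 addresses.
acl localnet      src 192.0.2.0/24                 # assumption: LAN range
acl windows_boxes src 192.0.2.201 192.0.2.202      # assumption: the restricted hosts
acl SSL_ports     port 443
acl whitelist     ssl::server_name .ubuntu.com .sundkat.dk
acl step1         at_step SslBump1

# Intercepted HTTPS reaches http_access as a fake "CONNECT <raw-ip>:443".
# At that point there is no SNI, so "whitelist" cannot match it. Let that
# CONNECT into the proxy so SSL-Bump can peek at the ClientHello, and
# enforce the whitelist on the SNI in the ssl_bump rules instead.
http_access allow windows_boxes CONNECT SSL_ports
# Plain HTTP from the same hosts: the request URI names the server, so the
# ssl::server_name ACL matches it directly (as the ALLOWED log line shows).
http_access allow windows_boxes whitelist
http_access deny  windows_boxes
http_access allow localnet
http_access deny  all

# Step 1: only the raw-IP is known; peek to obtain the TLS client SNI.
ssl_bump peek step1
# Step 2 onward: SNI is now available, so "whitelist" can match. Splice
# the allowed sites through untouched and close everything else.
ssl_bump splice whitelist
ssl_bump terminate all
```

Two caveats worth knowing before copying this pattern. First, the whitelist for HTTPS is now decided by the ssl_bump rules, not by http_access, so the "DENIED ... last ACL checked: all" log line will disappear for these hosts and refused connections show up as terminated TLS handshakes instead. Second, a client that sends no SNI at all gives ssl::server_name nothing to match at step 2, so such connections fall through to "terminate all"; that is the safe failure mode for a whitelist, but it is a behaviour change for old clients.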