>> It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working.
>
> Yes, that is exactly what is happening.
>
> * When intercepting HTTP (port 80) traffic the protocol is HTTP. Squid
> is receiving messages generated by the client *naming* the server it
> wants to connect with, OR with just a raw-IP if client wants to do it
> that way.
>
> * When handling explicit proxy (port 3128) traffic the protocol is HTTP.
> Squid is receiving CONNECT messages generated by the client again
> *naming* the server it wants to connect with, OR with just a raw-IP if
> client wants to do it that way.
>
> * When intercepting HTTPS (port 443) traffic the protocol is initially
> just TCP. Squid is receiving a TCP SYN packet and fakes/generates a
> CONNECT message to represent this opaque connection (i.e. CONNECT to a
> raw-IP).
>
> If (and only if) a CONNECT is itself allowed into the proxy does
> SSL-Bump begin for the TLS wrapped inside that message. That goes for
> both types of CONNECT message - Squid or client generated.
>
> It should be obvious from the above why you see different behaviour for
> the two methods of using the proxy.
>
>> But this is ONLY for the "windows_boxes", for everything else it's working as it should.
>>
>> I don't understand what's going on here.
>
> If the fake CONNECT with raw-IP at SSL-Bump step1 is not allowed to go
> through the proxy then the TLS handshake cannot even start to happen. So
> there will never be a ssl::server_name for the whitelist ACL to match.
>
> Now that you have altered localnet to exclude the *.201 and *.202 IPs
> the "allow localnet" is no longer permitting them to use the proxy.
> AND the whitelist ACL is still not matching the raw-IPs which occur in
> CONNECT messages. Which leaves Squid with "deny all".
>
> Amos

Thank you very very much Alex and Amos for all the help!
For future reference, if anyone needs this, this is the working config:

<SNIP>
acl step1 at_step SslBump1

acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com
acl whitelist ssl::server_name minecraft-textures-1196058387.us-east-1.elb.amazonaws.com
acl whitelist ssl::server_name .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com
acl whitelist ssl::server_name .akamaihd.net .launchpad.net .ubuntu.com

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80   # http
acl Safe_ports port 443  # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We need this for the whitelist for the windows boxes because
# requests are blocked during SslBump step1 because there is not
# enough information in the fake CONNECT request for ssl::server_name
# to match domains in the whitelist.
http_access allow CONNECT step1

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Windows boxes are only allowed access to the whitelist.
http_access allow windows_boxes whitelist
http_access deny windows_boxes

http_access allow localhost
http_access allow localnet
http_access deny all

http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1 all
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Kind regards

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
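As an added illustration (not part of the original thread and not Squid's own code), here is a simplified first-match model in Python of the http_access rules in the config above, using a subset of the whitelist. It shows why the fake raw-IP CONNECT at SslBump step 1 is denied unless the "allow CONNECT step1" line is present, and how the windows boxes remain confined to the whitelist once the SNI is known at step 2. The localhost/manager rules and the separate ssl_bump evaluation are left out; the request records are constructed for the example.

```python
import ipaddress

# Simplified model of Squid's first-match http_access evaluation for the
# rules in the config above. Illustration only, not Squid's implementation:
# the localhost/manager rules and the ssl_bump directive are not modelled.
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
WINDOWS_BOXES = {"192.168.1.201", "192.168.1.202"}
# Subset of the page's ssl::server_name whitelist (leading dot = domain and subdomains).
WHITELIST = (".mojang.com", ".minecraft.net", ".steampowered.com")


def in_whitelist(server_name):
    """ssl::server_name-style match. A raw-IP CONNECT carries no name, so it never matches."""
    if not server_name:
        return False
    return any(server_name == d.lstrip(".") or server_name.endswith(d) for d in WHITELIST)


def http_access(req, allow_step1=True):
    """Return 'allow' or 'deny' from the first matching rule ('deny all' if none match).
    req keys: src, method, port, step (SslBump step), server_name (None before the peek)."""
    src, method, port, step = req["src"], req["method"], req["port"], req["step"]
    name = req.get("server_name")
    rules = [
        ("deny", port not in (80, 443)),                                # deny !Safe_ports
        ("deny", method == "CONNECT" and port != 443),                  # deny CONNECT !SSL_ports
        ("allow", allow_step1 and method == "CONNECT" and step == 1),   # allow CONNECT step1
        ("allow", src in WINDOWS_BOXES and in_whitelist(name)),         # allow windows_boxes whitelist
        ("deny", src in WINDOWS_BOXES),                                 # deny windows_boxes
        ("allow", ipaddress.ip_address(src) in LOCALNET),               # allow localnet
    ]
    for verdict, matched in rules:
        if matched:
            return verdict
    return "deny"  # http_access deny all


# Constructed requests: the fake CONNECT Squid generates for an intercepted port-443
# connection names only the raw destination IP (step 1); after the peek, step 2 sees the SNI.
fake_connect = {"src": "192.168.1.201", "method": "CONNECT", "port": 443, "step": 1, "server_name": None}
step2_whitelisted = dict(fake_connect, step=2, server_name="launcher.mojang.com")
step2_other = dict(fake_connect, step=2, server_name="www.example.org")

if __name__ == "__main__":
    print(http_access(fake_connect, allow_step1=False))  # deny: no name to match, handshake never starts
    print(http_access(fake_connect))                     # allow: step-1 CONNECT may proceed to the peek
    print(http_access(step2_whitelisted))                # allow: SNI matches the whitelist
    print(http_access(step2_other))                      # deny: windows box outside the whitelist
```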