So I finally got the whitelist working, but now every other box on the "localnet", when trying to access the whitelist, gets a:

2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443
2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP)

The config file as before:

<SNIP>
max_filedesc 4096

acl step1 at_step SslBump1

acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

# Squid merges repeated "acl whitelist" lines into one ACL.
acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net
acl whitelist ssl::server_name mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com
acl whitelist ssl::server_name .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com
acl whitelist ssl::server_name .akamaihd.net .launchpad.net .streamlabs.com .ubuntu.com

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 443   # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We need this for the whitelist for the Windows boxes because
# requests are blocked during SslBump step1 because there is not
# enough information in the fake CONNECT request for ssl::server_name
# to match domains in the whitelist.
http_access allow CONNECT step1

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Windows boxes are only allowed access to the whitelist.
http_access allow windows_boxes whitelist
http_access deny windows_boxes

http_access allow localhost
http_access allow localnet
http_access deny all

# We'll intercept traffic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1 all
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

What am I missing now?

Kind regards.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
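An added example, not from the post above and not Squid's own code: a small Python script that parses the two cache.log alert lines quoted in the post and then re-runs the consistency check that produces them. The check Squid applies on intercepted traffic is: resolve the name taken from the SNI/CONNECT target with the proxy's own DNS, and require the intercepted destination IP (the `local=` address) to be one of the answers; otherwise the request is logged as a host header forgery. The resolver here is a constructed stub (`PROXY_DNS_VIEW`, `fake_resolve`) with TEST-NET addresses so the script runs offline; the sample log text is copied from the post and labelled as such.

```python
"""Parse Squid 'Host header forgery' alerts and replay the IP-vs-DNS check.

Added example for the squid-users thread above. The check mirrors what Squid
does for intercepted connections (compare the intercepted destination IP with
the proxy's own DNS answers for the requested name); the resolver is stubbed.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: the two alert lines quoted in the post, cache.log format.
SAMPLE_LOG = """\
2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443
2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP)
"""

URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<hostport>\S+)")
FORGERY_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>\S+) remote=(?P<remote>\S+)"
)


def split_hostport(hostport: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6addr]:port' into (host, port).

    A bare name or a bracketed IPv6 literal without a port defaults to 443,
    since these alerts come from the https_port intercept path.
    """
    host, sep, port = hostport.rpartition(":")
    if not sep or "]" in port:  # no port at all, or IPv6 literal without one
        return hostport.strip("[]"), 443
    return host.strip("[]"), int(port)


def parse_alerts(log_text: str) -> List[Dict[str, object]]:
    """Pair each 'on URL' line with the 'forgery detected' line following it."""
    alerts: List[Dict[str, object]] = []
    pending = None
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            pending = split_hostport(m.group("hostport"))
            continue
        m = FORGERY_RE.search(line)
        if m and pending:
            host, port = pending
            local_ip, _ = split_hostport(m.group("local"))
            client_ip, _ = split_hostport(m.group("remote"))
            alerts.append(
                {"host": host, "port": port, "local_ip": local_ip, "client_ip": client_ip}
            )
            pending = None
    return alerts


Resolver = Callable[[str], Iterable[str]]


def host_matches_destination(host: str, dest_ip: str, resolve: Resolver) -> bool:
    """The consistency test behind the alert.

    The intercepted destination IP must be among the addresses the proxy
    itself resolves for the requested name. If the client resolved the name
    through a different DNS view (split DNS, round-robin CDN records), the
    test fails even though nothing is being forged.
    """
    dest = ipaddress.ip_address(dest_ip)
    return any(ipaddress.ip_address(a) == dest for a in resolve(host))


def triage(log_text: str, resolve: Resolver) -> List[Dict[str, object]]:
    """Annotate each parsed alert with whether the proxy's DNS view agrees."""
    out = []
    for alert in parse_alerts(log_text):
        annotated = dict(alert)
        annotated["proxy_dns_agrees"] = host_matches_destination(
            str(alert["host"]), str(alert["local_ip"]), resolve
        )
        out.append(annotated)
    return out


# Constructed stand-in for the proxy's resolver (hypothetical TEST-NET data,
# not real DNS answers): the proxy sees a different address for
# www.ubuntu.com than the one the client connected to.
PROXY_DNS_VIEW: Dict[str, List[str]] = {
    "www.ubuntu.com": ["203.0.113.7"],              # hypothetical
    "splice.example": ["192.0.2.10", "192.0.2.11"],  # hypothetical
}


def fake_resolve(name: str) -> Iterable[str]:
    """Stub resolver returning the constructed proxy-side view."""
    return PROXY_DNS_VIEW.get(name, [])


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, fake_resolve):
        print(entry)
```

To run the same triage against a live box, replace `fake_resolve` with a resolver that asks the DNS server Squid is configured to use, for example `lambda n: [ai[4][0] for ai in socket.getaddrinfo(n, None)]` run on the proxy host itself; a `proxy_dns_agrees` of `False` for an address the client really did resolve tells you the client and the proxy are not seeing the same DNS answers.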