If I understand you correctly, my original squid.conf had an ACL directive corresponding to the functionality in question:

acl CONNECT method CONNECT

Regardless, I added that back to my config and re-tested both with it inline and stand-alone. My results are as follows:

http_access allow CONNECT artifactory_repo_filter

This resulted in no traffic being passed, just like without the CONNECT ACL present. I assume this is what you were telling me to do because it's what made the most sense based off of your description of the problem, but it did not have the desired effect.

http_access allow CONNECT
http_access allow artifactory_repo_filter

This resulted in all SSL traffic being permitted and passed through the proxy. This makes sense to me because the allow CONNECT would whitelist all CONNECT traffic, which is what all SSL traffic is by my understanding. I didn't think this is what you meant, but I tried it anyway to be sure.

Have I misunderstood you somehow, or is it not behaving as expected?

On 11/1/18, 6:21 PM, "squid-users on behalf of Alex Rousskov" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 11/1/18 2:46 PM, Shane Poage wrote:
> I have my proxy configured to bump all traffic so that the
> urlpath_regex ACL can be applied, but it appears to not have any
> effect post-bump.

Your proxy will deny any first post-bump request and close the tunnel because you deny all CONNECT requests that initiate tunnels. CONNECT requests do not have a URL path so they will never match your "http_access allow" rule.

When a CONNECT request is denied by a bumping Squid, that Squid bumps the tunnel and then denies the very first bumped request on that tunnel, whatever that request is. This delayed error return is done to deliver the "access denied" error page to the client -- browsers ignore CONNECT error responses.

> http_port 3128 ssl-bump \
>     cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB
> ssl_bump bump all
> acl artifactory_repo_filter urlpath_regex ^/artifactory
> http_access allow artifactory_repo_filter
>
> # And finally deny all other access to this proxy
> http_access deny all

Insert an http_access rule to allow all safe CONNECT requests before you deny everything else. IIRC, squid.conf.default has an example of how to do that.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
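
An added example, not part of the thread and not Squid code: a small Python model of http_access matching, showing why neither the original rules nor the combined `allow CONNECT artifactory_repo_filter` line can let a bumped tunnel through. It assumes first-match rule order, ANDed ACLs on one line, and that bumped requests are checked against the same rules; the rule lists, sample paths and function names are constructed for illustration.

```python
import re

# Constructed model of the ACLs quoted in the thread (not Squid code).
ACLS = {
    "CONNECT": lambda r: r["method"] == "CONNECT",
    # urlpath_regex sees only the URL path; a CONNECT target is host:port,
    # so there is no path to match.
    "artifactory_repo_filter": lambda r: r["path"] is not None
    and re.search(r"^/artifactory", r["path"]) is not None,
    "all": lambda r: True,
}

def http_access(rules, request):
    """First matching line wins; ACL names on one line are ANDed."""
    for line in rules:
        action, *names = line.split()
        if all(ACLS[n](request) for n in names):
            return action
    return "deny"

def tunnel(rules, bumped_paths):
    """Verdicts a client sees for the requests sent inside one bumped tunnel."""
    connect = {"method": "CONNECT", "path": None}
    if http_access(rules, connect) == "deny":
        # As described in the thread: the tunnel is bumped anyway, the first
        # bumped request gets the error page, and the tunnel is closed.
        return ["deny"] if bumped_paths else []
    # Model assumption: each bumped request is checked against the same rules.
    return [http_access(rules, {"method": "GET", "path": p}) for p in bumped_paths]

# The three rule sets from the thread, without the "http_access" keyword.
ORIGINAL = ["allow artifactory_repo_filter", "deny all"]
ANDED = ["allow CONNECT artifactory_repo_filter", "deny all"]
SPLIT = ["allow CONNECT", "allow artifactory_repo_filter", "deny all"]

if __name__ == "__main__":
    paths = ["/artifactory/api/npm/x", "/other"]  # constructed sample paths
    for name, rules in (("original", ORIGINAL), ("anded", ANDED), ("split", SPLIT)):
        print(name, tunnel(rules, paths))
```
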