Hi,

I have been unsuccessfully trying to get Squid-4.1-5 in AWS (Amazon 1 Linux) to allow transparent proxying of certain domains, as well as IPs associated with those domains, whilst rejecting everything else. I have been referencing the documentation at https://wiki.squid-cache.org/Features/SslPeekAndSplice

Version of Squid: 4.1-5 for Amazon 1 Linux, available at http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/ (many thanks to @elico for these packages), specifically the following:

1) http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-4.1-5.amzn1.x86_64.rpm
2) http://faster.ngtech.co.il/repo/amzn/1/beta/x86_64/squid-helpers-4.1-5.amzn1.x86_64.rpm

Examples of tests that I am running:

1) curl -kv https://service.us2.sumologic.com
   EXPECTED: successfully accessed
   OBSERVED: successfully accessed
2) curl -kv https://54.149.155.70
   EXPECTED: successfully accessed, because it resolves to service.us2.sumologic.com
   OBSERVED: "Certificate does not match domainname" [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
3) curl -kv https://www.google.com
   EXPECTED: failed to access
   OBSERVED: failed to access
4) curl -kv https://172.217.13.164
   EXPECTED: failed to access
   OBSERVED: "Certificate does not match domainname" [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

Below is the latest version of the squid.conf being used. Apologies for any obvious errors; I am new to Squid. I have been grappling with this for weeks, with many iterations of squid.conf, so any advice is greatly appreciated; many thanks in advance.
---
visible_hostname squid
host_verify_strict off

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

sslcrtd_children 10

acl CONNECT method CONNECT

# AWS services domain
acl allowed_http_sites dstdomain .amazonaws.com
# docker hub registry
acl allowed_http_sites dstdomain .docker.io
acl allowed_http_sites dstdomain .docker.com
acl allowed_http_sites dstdomain www.congiu.net

# Handling HTTPS requests
# https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem
https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem

acl SSL_port port 443

# AWS services domain
acl allowed_https_sites ssl::server_name .amazonaws.com
# docker hub registry
acl allowed_https_sites ssl::server_name .docker.io
acl allowed_https_sites ssl::server_name .docker.com
# project specific
acl allowed_https_sites ssl::server_name www.congiu.net
acl allowed_https_sites ssl::server_name mirrors.fedoraproject.org
acl allowed_https_sites ssl::server_name mirror.csclub.uwaterloo.ca
# nslookup resolved IPs for collectors.sumologic.com
# workaround solution to support sumologic collector
acl allowed_https_sites ssl::server_name .sumologic.com
# THE FOLLOWING TWO LINES DO NOT SEEM TO WORK AS EXPECTED
# acl allowed_https_sites ssl::server_name --server-provided service.sumologic.com sslflags=DONT_VERIFY_PEER
# acl allowed_https_sites ssl::server_name --server-provided service.us2.sumologic.com sslflags=DONT_VERIFY_PEER

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
# http://lists.squid-cache.org/pipermail/squid-users/2018-September/019150.html
# (no at_step ACL on the next rule, so it is eligible at every step)
ssl_bump bump
ssl_bump splice step3 allowed_https_sites
ssl_bump bump
ssl_bump terminate step2 all

http_access allow CONNECT
# http_access allow SSL_port
http_access deny CONNECT !allowed_https_sites
http_access deny CONNECT !allowed_http_sites
http_access allow allowed_https_sites
http_access allow allowed_http_sites
http_access deny all

cache deny all

debug_options "ALL,9"

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
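Editor's added example, not part of the original post and not configuration shipped by the Squid project: the HTTPS part of the posted squid.conf rewritten so that the splice-or-terminate decision is taken at step 3, from the origin server's certificate, instead of at step 2 from the SNI alone. It keeps the poster's ACL names and allow list, assumes the Squid 4.1 syntax for the ssl::server_name options (--client-requested, --server-provided), and should be checked with `squid -k parse` before reloading. Two details of the posted file account for the observed results. First, when curl is given an IP address it sends no SNI, so at step 2 ssl::server_name only sees the intercepted IP, allowed_https_sites does not match, and the bare `ssl_bump bump` rule (no at_step ACL, so eligible at every step) wins; Squid then bumps, opens its own TLS connection to the IP, verifies the origin certificate against "54.149.155.70" and fails with SQUID_X509_V_ERR_DOMAIN_MISMATCH. Second, the same bare bump rule precedes `ssl_bump splice step3 allowed_https_sites`, so it also wins at step 3 and the allowed sites are bumped rather than spliced. Note also that `sslflags=` is not an option of the acl directive; in Squid 4 outgoing TLS verification is set by tls_outgoing_options, and it is irrelevant to a spliced tunnel, which the client verifies end to end while Squid only looks at it.

```conf
# Editor's suggested HTTPS section (example, not the poster's file).
# Assumes Squid 4.1 and the ACL names used in the posted squid.conf.

https_port 3130 intercept ssl-bump dynamic_cert_mem_cache_size=100MB cert=/etc/squid/squid.pem

acl SSL_port port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Names the client asked for: the SNI, or the CONNECT/intercepted
# destination when there is no SNI (an IP address, for curl https://1.2.3.4).
acl allowed_https_sites ssl::server_name --client-requested .amazonaws.com
acl allowed_https_sites ssl::server_name --client-requested .docker.io
acl allowed_https_sites ssl::server_name --client-requested .docker.com
acl allowed_https_sites ssl::server_name --client-requested www.congiu.net
acl allowed_https_sites ssl::server_name --client-requested mirrors.fedoraproject.org
acl allowed_https_sites ssl::server_name --client-requested mirror.csclub.uwaterloo.ca
acl allowed_https_sites ssl::server_name --client-requested .sumologic.com

# Names taken from the origin server's certificate (subject CN and SAN).
# Only available at step 3, after the server hello has been peeked at.
# This is what classifies a no-SNI request to 54.149.155.70 as sumologic.com,
# provided the certificate the server returns for a no-SNI handshake carries
# that name (assumption to verify with openssl s_client -connect 54.149.155.70:443).
acl allowed_https_certs ssl::server_name --server-provided .amazonaws.com
acl allowed_https_certs ssl::server_name --server-provided .docker.io
acl allowed_https_certs ssl::server_name --server-provided .docker.com
acl allowed_https_certs ssl::server_name --server-provided www.congiu.net
acl allowed_https_certs ssl::server_name --server-provided mirrors.fedoraproject.org
acl allowed_https_certs ssl::server_name --server-provided mirror.csclub.uwaterloo.ca
acl allowed_https_certs ssl::server_name --server-provided .sumologic.com

# Step 1: only the TCP destination is known. Always look further.
ssl_bump peek step1 all
# Step 2: client hello seen. Peek at the server hello for everyone, so the
# decision can be made on the real certificate at step 3. (Squid cannot
# bump after peeking here, which is fine: we never want to bump.)
ssl_bump peek step2 all
# Step 3: server certificate seen. Splice (pass through untouched) when either
# the client-requested or the server-provided name is on the allow list;
# otherwise close the connection. There is deliberately no rule without a
# step ACL before the splice rules: such a rule matches at every step and
# would win first.
ssl_bump splice step3 allowed_https_sites
ssl_bump splice step3 allowed_https_certs
ssl_bump terminate all

# For intercepted HTTPS, Squid evaluates http_access on a fake CONNECT to
# ip:443 before step 1, when only the IP is known. Let it through here and
# let the ssl_bump rules above do the filtering. Plain HTTP is still limited
# to the dstdomain allow list from the posted config.
http_access allow CONNECT SSL_port
http_access allow allowed_http_sites
http_access deny all

cache deny all

# ALL,9 drowns the relevant lines; section 28 (ACL) and 83 (TLS) at level 3
# are enough to see which ssl_bump rule matched at each step.
debug_options ALL,1 28,3 83,3
```

Two practical notes. With this layout a denied host gets its TCP connection closed at step 3 (curl reports a TLS handshake failure, not an error page), because Squid never bumps and therefore cannot serve a page; an error page would require bumping, and so a proxy CA trusted by every client. To separate "blocked because no SNI" from "server does not carry that name in its no-SNI certificate", test the IP case with `curl -kv --resolve service.us2.sumologic.com:443:54.149.155.70 https://service.us2.sumologic.com`, which connects to the IP but still sends the SNI and should splice via allowed_https_sites; a bare `curl -kv https://54.149.155.70` then exercises only the allowed_https_certs path.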