
Re: squid-users Digest, Vol 52, Issue 13

On 12/18/18 8:40 AM, Mike Quentel wrote:

> ssl_bump peek step1 all
> ssl_bump peek step2 tls_servers
> ssl_bump splice step3 tls_servers
> ssl_bump stare step2
> ssl_bump bump step3
> ssl_bump terminate step2 all

Just FYI: The above should be equivalent to the following simpler, less
misleading, and a bit faster configuration:

  ssl_bump peek step1

  ssl_bump peek tls_servers
  ssl_bump stare all

  ssl_bump splice all
  ssl_bump bump all


> attempting to access https://www.google.com will still download
> the page (200).


You have told Squid to allow that (and nearly every other) access:

> http_access allow SSL_ports


What you probably want is something like this:

  http_access deny CONNECT !SSL_ports
  http_access allow url_domains
  http_access allow tls_servers
  http_access deny all

but if you add http_port (or do not want to trust Squid with enforcing
connection pinning), then you will be better off with the default rules
that also prohibit access to !Safe_ports.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
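The two rule sets above, run through a small Python model of how Squid walks ssl_bump rules step by step. This is an added example, not code from the thread or from Squid; the model's assumptions (first matching rule with an action applicable at the current step wins; peek and stare are not applicable at step 3; bump is not applicable after a step-2 peek and splice is not applicable after a step-2 stare; with no applicable match Squid splices, or bumps after staring) are mine and are stated in the comments.

```python
# Added example, not from the post: a toy model of Squid's ssl_bump rule walk,
# used to check that both configurations in the thread pick the same actions.
# Assumptions (mine, not the thread's): first matching rule with an action
# applicable at the current step wins; peek/stare cannot apply at step 3, bump
# cannot follow a step-2 peek, splice cannot follow a step-2 stare.

ORIGINAL = [("peek", ["step1", "all"]), ("peek", ["step2", "tls_servers"]),
            ("splice", ["step3", "tls_servers"]), ("stare", ["step2"]),
            ("bump", ["step3"]), ("terminate", ["step2", "all"])]

SIMPLIFIED = [("peek", ["step1"]), ("peek", ["tls_servers"]), ("stare", ["all"]),
              ("splice", ["all"]), ("bump", ["all"])]

def acl_matches(acl, step, is_tls_server):
    """The three ACL names both configurations use."""
    if acl == "tls_servers":
        return is_tls_server
    return acl == "all" or acl == f"step{step}"

def applicable(action, step, step2_action):
    """Actions Squid can no longer take at step 3 depend on what step 2 did."""
    if step != 3:
        return True
    banned = {"peek", "stare", {"peek": "bump", "stare": "splice"}.get(step2_action)}
    return action not in banned

def decide(rules, step, is_tls_server, step2_action=None):
    """First matching rule with an applicable action, else the assumed default."""
    for action, acls in rules:
        if applicable(action, step, step2_action) and all(
                acl_matches(a, step, is_tls_server) for a in acls):
            return action
    return "bump" if step2_action == "stare" else "splice"

def run(rules, is_tls_server):
    """Walk steps 1..3, returning the actions taken until the fate is fixed."""
    trace, step2_action = [], None
    for step in (1, 2, 3):
        action = decide(rules, step, is_tls_server, step2_action)
        trace.append(action)
        if action in ("splice", "bump", "terminate"):
            break  # tunnel, decrypt or close: nothing left to decide
        step2_action = action if step == 2 else step2_action
    return tuple(trace)

def equivalent(a, b):
    """Same per-step actions for tls_servers and non-tls_servers destinations."""
    return all(run(a, t) == run(b, t) for t in (True, False))
```

Under these assumptions both rule sets give peek, peek, splice for a tls_servers destination and peek, stare, bump for anything else; the model also shows why the original's `terminate step2 all` line never fires, since `stare step2` matches first.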