Re: HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

On 25/01/19 9:15 pm, Александр Александрович Березин wrote:
> Please HELP!
>  
> Hello dear members of the community
> excuse me for disturbing you, but I could not find an answer to the
> question, so I speak to you, sorry again
>  
> I have
>  
...
> 
> in /etc/squid.conf
> 
> .......
> 
> acl test dstdomain partner.steam-api.com
>  
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>  
> ssl_bump peek step1 all

NP: That 'all' has no purpose here.

> ssl_bump splice test

The ssl_bump rules when checked for intercepted traffic are run *before*
anything gets decrypted. Thus there is no HTTP(S) request to get a URL
from, so no URL domain (dstdomain).

Use ssl::server_name ACL type instead. It can match TLS SNI domain (if
any) retrieved by the step1 peek action.


> ssl_bump bump
>  
>  
> http_port 192.168.50.1:3128 intercept
> https_port 192.168.50.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl_cert/squidCA.pem
>  
>  
>  
> when I am trying to access the site from a browser from a local network
> partner.steam-api.com
>  
> access.log
>  
> [Fri Jan 25 06:50:10 2019].514      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -

Traffic arriving is immediately being denied access into the proxy. The
other log entries and errors are resulting from that fact.

>  
> but the address at the end of partner.steam-api.com can be dynamic and
> constantly changing, so I need a connection by name.
> Tell me, what is my mistake?

Two mistakes. First is the dstdomain vs ssl::server_name ACL types
mentioned above.

Second mistake is http_access rules denying CONNECT messages generated
by Squid to represent the TCP SYN packet for SSL-Bump step1. At that
point all Squid has access to is the raw-IP:port details. SNI where the
server name is received requires the initial CONNECT to be allowed into
the proxy before the TLS inspection can begin.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users