Hi Amos,

So I have tried the following based on your suggestions, but it is still failing and I have the errors below:

1. Switched to a wildcard whitelist instead of a single domain.
2. Updated the logformat to provide more information, see below.
3. Added in `--client-requested`, but this made no difference.
   3a. Added to single ACL:
       acl domainIsWhitelisted ssl::server_name --client-requested cloudtrace.googleapis.com
   3b. Commented out single record, switched to wildcard.
   3c. Added to wildcard.

Error messages and Logs:

Access Log:

26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106 NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL: cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 -

Cache Log:

2019/06/26 23:18:38 kid1| ERROR: negotiating TLS on FD 11: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned (1/-1/0)

Can you please explain what you mean? What should this be changed to so that it does work?

> Please be aware that in your config the ssl::server_name ACL is *not*
> matching the SNI in your config.
> - Your ssl_bump rules say "peek all" - so peek happens on the two Hello
> messages. When the serverHello has been peek'd the real server name is
> available from the servers own certificate.

Updated Squid.conf:
# ===========================
# Squid 4.7 Config - Work in Progress
# ===========================
acl localnet src 10.0.0.0/8     # Kubernetes VPC CIDR range
acl SSL_ports port 443          # HTTPS
acl Safe_ports port 80          # HTTP
acl Safe_ports port 443         # HTTPS
acl CONNECT method CONNECT      # Traffic restriction
acl step1 at_step SslBump1      # Needed by ssl-bump

# -------------------------------
# Whitelist the following Domains
# -------------------------------
# FQDN - Try to use FQDN
acl domainIsWhitelisted ssl::server_name accounts.google.com
# ----------------------------------------------
# Wildcard
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.com
acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.l.google.com
# -------------------------------

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Passively Intercepted HTTPS Traffic
https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept
acl step1 at_step SslBump1      # duplicate of the step1 ACL defined above
ssl_bump peek all
ssl_bump splice domainIsWhitelisted
ssl_bump terminate all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Logging
logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv SSL: %ssl::>sni %ssl::bump_mode Client(Subject/Tx/Neg/Sup/Cip): %ssl::>cert_subject %ssl::>received_hello_version %ssl::>negotiated_version %ssl::>received_supported_version %ssl::>negotiated_cipher Server(Subject/Rx/Neg/Sup/Cip): %ssl::<cert_subject %ssl::<received_hello_version %ssl::<negotiated_version %ssl::<received_supported_version %ssl::<negotiated_cipher
access_log daemon:/var/log/squid/access_custom1.log custom1

# Listen on port 3128 for HTTP CONNECT method - unused and firewalled off.
http_port 3128
# End of File

Kind regards
Jared
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
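The custom1 logformat in the config above makes it possible to check, per CONNECT, which server name Squid logged, which bump mode it reached and whether either leg ever finished a TLS handshake. The script below is an added example written for this page; it is not code from the post, from the squid-users thread or from Squid itself. It parses lines in that exact custom1 layout (the first sample line is the failing session quoted in the post, the second is a constructed spliced session), matches the logged SNI against the whitelist entries from the config using a dstdomain-style rule (a leading dot matches the domain and all its subdomains; this is an approximation of Squid's domain ACL matching, not Squid's code), and flags sessions where no cipher was negotiated on either side and zero bytes were transferred, which is what the failing line shows. The WHITELIST list, the function names and the second log line are the script's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Whitelist copied from the domainIsWhitelisted ACL in the squid.conf above.
WHITELIST = ["accounts.google.com", ".googleapis.com", ".googleapis.l.google.com"]

# Constructed sample in the custom1 logformat. Line 1 is the failing session
# quoted in the post (no %tg timezone suffix, as shown there); line 2 is
# invented to show what a spliced, whitelisted session looks like.
SAMPLE_LOG = """\
26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106 NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL: cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 -
26/Jun/2019:23:19:02 +0000    143 REDACTED 172.217.25.13 TCP_TUNNEL/200 5120 CONNECT 172.217.25.13:443 HTTP/1.1 SSL: accounts.google.com splice Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.2 TLS/1.2 TLS/1.2 ECDHE-RSA-AES128-GCM-SHA256 Server(Subject/Rx/Neg/Sup/Cip): CN=accounts.google.com TLS/1.2 TLS/1.2 TLS/1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

# One group per logformat token, in the order the custom1 line emits them.
# %6tr is right-justified, so any run of spaces may precede the elapsed time;
# %tg may or may not carry a "+0000" suffix; cert subjects may contain spaces,
# so they are matched reluctantly up to the fixed fields that follow them.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)(?: [+-]\d{4})? +(?P<ms>\d+) "
    r"(?P<client>\S+) (?P<server>\S+) (?P<code>[A-Z_]+)/(?P<http>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>\S+) SSL: (?P<sni>\S+) (?P<mode>\S+) "
    r"Client\(Subject/Tx/Neg/Sup/Cip\): (?P<c_subj>.+?) (?P<c_tx>\S+) (?P<c_neg>\S+) "
    r"(?P<c_sup>\S+) (?P<c_cip>\S+) "
    r"Server\(Subject/Rx/Neg/Sup/Cip\): (?P<s_subj>.+?) (?P<s_rx>\S+) (?P<s_neg>\S+) "
    r"(?P<s_sup>\S+) (?P<s_cip>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one custom1 access-log line into named fields; None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ms"] = int(m.group("ms"))
    rec["bytes"] = int(m.group("bytes"))
    return rec


def acl_matches(name: str, patterns: List[str]) -> bool:
    """dstdomain-style match: a leading dot matches the domain itself and every
    subdomain; anything else must equal the whole name. Case-insensitive.
    Approximation of Squid's domain ACL rule (assumption), not Squid's own code."""
    host = name.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def classify(rec: Dict[str, object], whitelist: List[str]) -> str:
    """Describe what happened to one CONNECT using only what the log line shows."""
    sni = str(rec["sni"])
    listed = sni != "-" and acl_matches(sni, whitelist)
    mode = rec["mode"]
    if mode == "splice":
        return "spliced" if listed else "spliced (SNI not in whitelist!)"
    if mode == "bump":
        return "bumped"
    # No negotiated cipher on either leg and no payload bytes: the TLS handshake
    # never completed through the proxy, whatever the last bump action was.
    if rec["c_cip"] == "-" and rec["s_cip"] == "-" and rec["bytes"] == 0:
        return "handshake-failed (SNI whitelisted)" if listed else "handshake-failed"
    return str(mode)


def summarize(log_text: str, whitelist: List[str]) -> List[tuple]:
    """(sni, bump_mode, verdict) for every parseable line in log_text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            out.append((rec["sni"], rec["mode"], classify(rec, whitelist)))
    return out


if __name__ == "__main__":
    for sni, mode, verdict in summarize(SAMPLE_LOG, WHITELIST):
        print(f"{sni:30} {mode:8} {verdict}")
```

Run against the real access_custom1.log, the "handshake-failed (SNI whitelisted)" verdict isolates exactly the sessions in this thread: the client-requested name is on the whitelist, the bump mode never got past peek, and neither leg negotiated a cipher. Lines whose server subject differs from the SNI are also worth eyeballing, since Amos's point is that after the serverHello has been peeked the ACL can be evaluated against the certificate name rather than the SNI.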