
acl whitelist ssl::server_name not working

Thanks to Alex Rousskov's excellent explanation in
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-configure-squid-4-6-to-splice-without-bumping-td4688482.html,
I have been able to set up Squid as a transparent proxy that splices
HTTPS connections.

I want to set up a whitelist. First, I tried to configure SquidGuard
but I couldn't find a way to pass the servername to SquidGuard when
connections were spliced.

So now I'm trying to use ACLs to whitelist by hostname.

acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

But I can't get it to work. The logs appeared to indicate that URLs in
the whitelist were first denied then bumped:

14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org

I think that the ACLs are trying to match a spliced connection against
the IP address rather than SNI server name.

Any idea what I'm doing wrong here?

I'd also like to present a good error message if the outcome is
denied, and never bump connections.

My config is:

acl CONNECT method CONNECT
acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested
http_access allow whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek all
ssl_bump splice all
logformat sslbump     %tl %>a %Ss/%03<Hs %<st %rm %>ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log sslbump
debug_options ALL,3 28,9
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
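Editor's note, with an added example that is not the poster's configuration and not a reply from the list. The two log lines above show the usual shape of this problem: an intercepted TLS connection first reaches http_access as a fake "CONNECT 104.17.67.73:443", before Squid has read the ClientHello, so an ssl::server_name ACL restricted to --client-requested names has only the IP to look at and cannot match. Denying that fake CONNECT forces Squid to bump the session to deliver the error page, which is the NONE/- GET that follows. The configuration below keeps the poster's ports, CA file and log format, allows the fake CONNECT for LAN clients in http_access, and makes the whitelist decision in ssl_bump after peeking. The 192.168.2.0/24 subnet, the Safe_ports/SSL_ports definitions and the contents of /etc/squid/whitelist.txt are assumptions for this example.

```squid
# Added example (editor's, not the original poster's config): decide the
# SNI whitelist in ssl_bump after peeking, never in http_access at step 1.

# Assumption: the client subnet seen in the poster's access log.
acl localnet src 192.168.2.0/24
# Assumption: minimal port ACLs; the poster's conf.d may define fuller ones.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Matches only names the client itself supplied (CONNECT URI or TLS SNI).
# Assumption: /etc/squid/whitelist.txt uses dstdomain syntax, one entry per
# line, e.g. ".headroyce.org" to cover the host and its subdomains.
acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*

# At step 1 an intercepted HTTPS session is a fake CONNECT to IP:port with
# no SNI yet, so "whitelist" cannot match here. Denying it makes Squid bump
# the session to serve the error page. Allow it and decide in ssl_bump.
http_access allow localnet CONNECT
http_access allow localhost
http_access deny all

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem

# Step 1: read the ClientHello (and its SNI) without altering the session.
ssl_bump peek step1
# Step 2: the SNI is now known. Splice whitelisted names, drop the rest.
# "terminate" closes the TCP connection instead of generating a certificate.
ssl_bump splice whitelist
ssl_bump terminate all

logformat sslbump %tl %>a %Ss/%03<Hs %<st %rm %>ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log sslbump
```

Two caveats for this layout. First, "terminate" gives the browser a closed connection, not an error page: Squid can only place an HTTP error page inside a TLS session by bumping it with a generated certificate, so "never bump" and "show a good error message" cannot both hold for HTTPS; if the error page matters more, the non-whitelisted connections have to be bumped and then denied in http_access. Second, a client that sends no SNI at all has nothing for --client-requested to match at step 2 and will be terminated as well.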
