On 11/14/19 12:29 PM, John Lowry wrote:
> I have been able to set up Squid as a transparent proxy that splices
> HTTPS connections.
> now I'm trying to use ACLs to whitelist by hostname.
>
> acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

FWIW, I do not know whether the above syntax is supported. I recommend
starting with a single whitelisted name. For example:

    acl whitelist ssl::server_name --client-requested example.com

and then, if the above works, migrate to importing parameters from a
file (but start with one domain name in that file):

    acl whitelist ssl::server_name --client-requested "/etc/squid/whitelist.txt"

> But I can't get it to work. The logs appeared to indicate that URLs in
> the whitelist were first denied then bumped:
>
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT
> 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET
> https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org
>
> I think that the ACLs are trying to match a spliced connection against
> the IP address rather than SNI server name.
>
> Any idea what I'm doing wrong here?

If you only want to act based on SNI, then do not use an http_access
rule during step1 when SNI is not yet known. There may be several ways
to accomplish that.

However, in most cases, you want to act ASAP, regardless of whether the
[sufficient] information came from the TCP layer or the TLS layer. If
that is your use case, then it is OK to apply the http_access rule
during step1 as well (assuming your ACL will simply not match when there
is not enough information yet).

> http_access allow whitelist

Even if the request is for an "unsafe" port? I doubt you want this rule
so high. See squid.conf.default for the recommended access controls
order.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> include /etc/squid/conf.d/*
> http_access allow localhost
> http_access deny all

FYI: The last rule will deny access to non-localhost CONNECT requests
during step1 if they do not carry enough information to qualify for the
whitelist exception.

Keep in mind that http_access rules are evaluated several times during a
single master transaction. For details, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
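The following squid.conf fragment is an added example, not a configuration posted in the thread or shipped by the Squid project. It puts the pieces Alex mentions in the order squid.conf.default recommends: port sanity checks first, the whitelist ACL with its option before the file name, a rule for local clients so that the step1 CONNECT (which carries no SNI yet) is not caught by the final deny, and the SNI decision made in ssl_bump after a step1 peek. It assumes Squid 4.x or later (where ssl::server_name accepts --client-requested), a client subnet of 192.168.0.0/16 (the thread's log line shows 192.168.2.43), and the file path /etc/squid/whitelist.txt from the thread; the listening port and certificate settings are left as already configured and are not shown.

```conf
# Added example squid.conf fragment (not from the thread).
# Assumes Squid 4.x or later; http_port/https_port intercept ssl-bump lines
# and certificate settings are assumed to exist already and are omitted.

# Standard port ACLs from squid.conf.default
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Assumed client subnet (thread's log line shows 192.168.2.43)
acl localnet src 192.168.0.0/16

# SslBump step ACL
acl step1 at_step SslBump1

# Whitelist by client-requested name. The option goes before the file.
# /etc/squid/whitelist.txt is assumed to contain one domain per line, e.g.
#   www.headroyce.org
# During step1 of an intercepted connection there is no SNI yet, so this
# ACL only sees the CONNECT target (an IP address) and does not match.
acl whitelist ssl::server_name --client-requested "/etc/squid/whitelist.txt"

# Access controls in the recommended order. Local clients are allowed
# here so that the SNI-less step1 CONNECT is not rejected by "deny all";
# the per-hostname decision is made below in ssl_bump, once SNI is known.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access deny all

# Peek at step1 to read the ClientHello (SNI), then splice only
# whitelisted names and close every other TLS connection.
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump terminate all
```

Two caveats. First, --client-requested trusts the SNI the client sends; a client can put a whitelisted name in its ClientHello while connecting to some other server. Squid's ssl::server_name also has --server-provided and --consensus options that match against the certificate the origin server presents, which requires peeking at step2 as well before splicing. Second, this fragment allows plain HTTP from localnet without restriction; filtering plain HTTP by hostname would need a separate dstdomain rule, which the thread does not cover.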