On 3/20/20 5:48 PM, laviier wrote:
> Hi,
>
> I have a use case where I want to access a certain URL path of a domain but
> not others, i.e. I want the client to be able to access example.com/abc/login,
> but not other paths.
>
> Hence, I created ACL rules to achieve that, see below:
>
> ```
> acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> acl http port 80
> acl https port 443
> acl connect method CONNECT
>
> http_access allow all to_domain_whitelist
> http_access deny all
>
> http_reply_access allow all
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek step3
> ssl_bump bump all
> ```
>
> However, the above configuration does not work properly: the URL regex matching
> happens before Squid performs decryption, so it can only match against
> the host name instead of the full URL path. I wonder if there's a way to perform
> the URL regex match only after Squid knows the full URL with SslBump? Below is a
> brief excerpt of the log. Thank you so much!!!!
> ```
> ---------
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> X-Forwarded-For: xx.xxx.xx.xx
> ----------
> ...
> 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked: to_domain_whitelist = 0
> 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last ACL checked: all
> ...

If you want to make allow/deny decisions based on individual request URLs, your http_access rules must allow the CONNECT request. Once Squid establishes (and bumps) the CONNECT tunnel, it will start processing individual requests and apply http_access rules to each of them.

To allow a CONNECT request, do not use regular URL syntax because CONNECT requests use a different URI syntax. Sorry, I do not know whether a url_regex ACL can be used for CONNECT URIs, but you can use other ACLs if/as needed, of course.

HTH,

Alex.

> ---------
> GET /abc/login HTTP/1.1
> Host: example.com
> User-Agent: curl/7.54.0
> Accept: */*
> ----------
> ....
> ```
>
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
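A squid.conf fragment that applies the advice above, added here as an illustration and not taken from the thread or from the Squid project: the CONNECT is allowed by destination host (assumed to be example.com, matched with dstdomain rather than url_regex), and the path-level url_regex is only relied on for the requests Squid sees after bumping. The regex assumed to be in allow.acl is also an assumption.

```squid
# Added example (not from the thread): allow the tunnel by host first,
# then filter the decrypted requests by their full URL.

# Hosts the client may open a CONNECT tunnel to (assumption: example.com).
# dstdomain matches the host part of "CONNECT example.com:443".
acl allowed_hosts dstdomain example.com
acl connect method CONNECT

# Full-URL whitelist, checked against requests seen after bumping.
# Assumed content of allow.acl:  ^https://example\.com/abc/login
acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"

# 1. Let the tunnel be established, but only to whitelisted hosts.
#    A path regex cannot match at this point: the CONNECT URI is
#    "example.com:443", which carries no path at all.
http_access allow connect allowed_hosts

# 2. Once the tunnel is bumped, each GET/POST inside it is re-checked
#    against http_access with its full URL, so the path regex applies.
http_access allow to_domain_whitelist

# 3. Everything else is denied: CONNECT to any other host, and any
#    other path on example.com once it has been decrypted.
http_access deny all

# Peek at the TLS ClientHello (SNI) at step 1, then bump so that Squid
# can see the individual requests inside the tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

With this ordering, a CONNECT to another host is denied at rule 1, while https://example.com/other/path is allowed through the tunnel and then denied at rule 3 after bumping, which is the behaviour the original question asked for.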