Sorry, I haven't seen the reply as it's been attached as an attachment and posted a similar question about 302, but probably I know the answer already as it's not stateful inspection any redirection to a new domain is a new request that has to go over ACL again. I thought about using http_reply_access but again it's creating a whole new ACL that every reply would have to go over not just that one. Is there a way to use http_access & http_reply_access together, like http_access allow whitelist & http_reply allow whitelist?
Mirek
> There is a built-in ACL called "all" which does what you defined for the regex "blacklist" to do.
> As for sessions. No Squid follows HTTP which is stateless. You can configure it though. setup an ext_session_acl helper for active mode sessions that start when a 302 response comes back. you should have some other ACL to separately whitelist the sites normally blocked, but can open with a session.
> Amos
> As for sessions. No Squid follows HTTP which is stateless. You can configure it though. setup an ext_session_acl helper for active mode sessions that start when a 302 response comes back. you should have some other ACL to separately whitelist the sites normally blocked, but can open with a session.
> Amos
On Thu, Apr 15, 2021 at 9:52 PM Miroslaw Malinowski <mr.miroslaw.malinowski@xxxxxxxxx> wrote:
I've found a resolution using a bit better regex:acl blackList url_regex ^https?:\/\/.*$looking at the debug it doing exactly what I wanted, however, I now have a different issue how to handle a 302 MOVED when the move is to a different domain, e.g. packages.gitlab.com are moved to d20rj4el6vkp4c.cloudfront.net. Is squid stateful in a way that it's able to remember those packets are coming from the same session? What would be the best way to resolve the issue other than just keep adding domain if a thing like this happens.ThanksOn Thu, Apr 15, 2021 at 1:03 PM Miroslaw Malinowski <mr.miroslaw.malinowski@xxxxxxxxx> wrote:Hi,I'm trying to use Opnsense built-in squid config to set up a transparent proxy for server updates and block everything else.In GUI they use url_regex for whitelist and blacklist, when I simple per domain whitelist and blacklist it's working as expected, e.g.# ACL - Whitelist - User defined (whiteList)
acl whiteList url_regex archive\.ubuntu\.com# ACL - Blacklist - User defined (blackList)
acl blackList url_regex packages\.gitlab\.com# ACL list (Allow) whitelist
http_access allow whiteList
# ACL list (Deny) blacklist
http_access deny blackListHowever, when I do wildcard in blacklist I also get all https domain blocked even when I've tried to explicitly allow it with https://archive\.ubuntu\.com , e.g.# ACL - Whitelist - User defined (whiteList)
acl whiteList url_regex archive\.ubuntu\.com# ACL - Blacklist - User defined (blackList)
acl blackList url_regex .*# ACL list (Allow) whitelist
http_access allow whiteList
# ACL list (Deny) blacklist
http_access deny blackListI get:Err:7 https://repos.influxdata.com/ubuntu focal InRelease
403 Forbidden [IP: 52.84.95.46 443]What I'm trying to say is with blacklist as . is blocking all https traffic even if whitelisted, is this an expected behaviour or I'm doing something wrong or it can't be done with url_regex and I should do it at backend manually.My config:#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# Setup regular listeners configuration
http_port 172.16.230.252:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 172.16.230.254:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB
sslcrtd_children 5
tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
sslproxy_cert_error deny all
acl ftp proto FTP
http_access allow ftp
# Setup ftp proxy
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
acl localnet src <net>/24 # Possible internal network (interfaces v4)
# Default allow for local-link and private networks
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL - Allow localhost for PURGE cache if enabled
acl PURGE method PURGE
http_access allow localhost PURGE
http_access deny PURGE
# ACL lists
# ACL - Whitelist - User defined (whiteList)
acl whiteList url_regex packages\.wazuh\.com
acl whiteList url_regex archive\.ubuntu\.com
acl whiteList url_regex security\.ubuntu\.com
acl whiteList url_regex repos\.influxdata\.com
# ACL - Blacklist - User defined (blackList)
acl blackList url_regex .*
# ACL - Remote fetched Blacklist (remoteblacklist)
# ACL - Block browser/user-agent - User defined (browser)
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 443 # https
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ICAP SETTINGS
# disable icap
icap_enable off
# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf
# Authentication Settings
# ACL list (Allow) whitelist
http_access allow whiteList
#
# ACL list (Deny) blacklist
http_access deny blackList
# Google Suite Filter
# YouTube Filter
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# Auth plugins
include /usr/local/etc/squid/auth/*.conf
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
http_access allow localnet
# ACL - localhost
http_access allow localhost
# Deny all other access to this proxy
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf
# Caching settings
cache_mem 1000 MB
maximum_object_size 200 MB
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
# Linux package cache:
refresh_pattern pkg\.tar\.xz$ 0 20% 4320 refresh-ims
refresh_pattern d?rpm$ 0 20% 4320 refresh-ims
refresh_pattern deb$ 0 20% 4320 refresh-ims
refresh_pattern udeb$ 0 20% 4320 refresh-ims
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
# http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
pinger_enable off
access_log stdio:/var/log/squid/access.log squid
cache_store_log stdio:/var/log/squid/store.log
# URI hanlding with Whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible email
cache_mgr admin@localhost.local
error_directory /usr/local/etc/squid/errors/localThanks
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
