hi all,
before i continue, so sorry for the stupid question but trying to learn
basically heres my squid.conf
#NO SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access allow special_url
http_reply_access deny mimetype
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
#HTTP_HTTPS whitelist websites regex
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
http_access allow activation whitelist
http_access allow activation whitelistreg
http_access deny all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access allow special_url
http_reply_access deny mimetype
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
#HTTP_HTTPS whitelist websites regex
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
http_access allow activation whitelist
http_access allow activation whitelistreg
http_access deny all
in my urlwhitelist is this
#apple app store
.p18-buy.itunes.apple.com
.gsas.apple.com
.se-edge.itunes.apple.com
.ocsp2.apple.com
.gsa.apple.com
.osxapps.itunes.apple.com
.xp.apple.com
.search.itunes.apple.com
.apptrailers-ssl.itunes.apple.com
.apptrailers.itunes.apple.com
.configuration.apple.com
.amp-api.apps.apple.com
.buy.itunes.apple.com
.api-edge.apps.apple.com
.play.itunes.apple.com
.s.mzstatic.com
.sf-api-token-service.itunes.apple.com
.apps.mzstatic.com
.init.itunes.apple.com
.bag.itunes.apple.com
.p18-buy.itunes.apple.com
.gsas.apple.com
.se-edge.itunes.apple.com
.ocsp2.apple.com
.gsa.apple.com
.osxapps.itunes.apple.com
.xp.apple.com
.search.itunes.apple.com
.apptrailers-ssl.itunes.apple.com
.apptrailers.itunes.apple.com
.configuration.apple.com
.amp-api.apps.apple.com
.buy.itunes.apple.com
.api-edge.apps.apple.com
.play.itunes.apple.com
.s.mzstatic.com
.sf-api-token-service.itunes.apple.com
.apps.mzstatic.com
.init.itunes.apple.com
.bag.itunes.apple.com
in my nointerceptssl is this
#apple app store
.bag.itunes.apple.com
.apps.mzstatic.com
.play.itunes.apple.com
.api-edge.apps.apple.com
.amp-api.apps.apple.com
.xp.apple.com
.p18-buy.itunes.apple.com
.bag.itunes.apple.com
.apps.mzstatic.com
.play.itunes.apple.com
.api-edge.apps.apple.com
.amp-api.apps.apple.com
.xp.apple.com
.p18-buy.itunes.apple.com
i got all the urls etc looking at tail -f access.log and greping the ip and tcp denied
but when i try to load the apple app store the whitelist isnt enough, i need to add a couple of urls to the nointerceptssl
i got that list by doing the same method ie
looking at tail -f access.log and greping the ip but as ive already whitelisted the urls they all came back as none or ok instead of saying tcp denied
my question is why do i need to add some urls to the nointerceptssl and why isnt it enough just to add it to urlwhite list
rob
--
Regards,
Robert K Wild.
Robert K Wild.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
