no ssl intercept - question how it works

Hi all,

Before I continue, so sorry for the stupid question, but I'm trying to learn.

Basically, here's my squid.conf:

#NO SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"

#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"

http_reply_access allow special_url
http_reply_access deny mimetype
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"

#HTTP_HTTPS whitelist websites regex
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"

http_access allow activation whitelist
http_access allow activation whitelistreg
http_access deny all

In my urlwhitelist is this:

#apple app store
.p18-buy.itunes.apple.com
.gsas.apple.com
.se-edge.itunes.apple.com
.ocsp2.apple.com
.gsa.apple.com
.osxapps.itunes.apple.com
.xp.apple.com
.search.itunes.apple.com
.apptrailers-ssl.itunes.apple.com
.apptrailers.itunes.apple.com
.configuration.apple.com
.amp-api.apps.apple.com
.buy.itunes.apple.com
.api-edge.apps.apple.com
.play.itunes.apple.com
.s.mzstatic.com
.sf-api-token-service.itunes.apple.com
.apps.mzstatic.com
.init.itunes.apple.com
.bag.itunes.apple.com

In my nointerceptssl is this:

#apple app store
.bag.itunes.apple.com
.apps.mzstatic.com
.play.itunes.apple.com
.api-edge.apps.apple.com
.amp-api.apps.apple.com
.xp.apple.com
.p18-buy.itunes.apple.com

I got all the URLs etc. by looking at tail -f access.log and grepping the IP and tcp denied.

But when I try to load the Apple App Store, the whitelist isn't enough; I need to add a couple of URLs to the nointerceptssl.

I got that list by the same method, i.e. looking at tail -f access.log and grepping the IP, but as I've already whitelisted the URLs they all came back as none or ok instead of saying tcp denied.

My question is: why do I need to add some URLs to the nointerceptssl, and why isn't it enough just to add them to the urlwhite list?

Rob

--
Regards,

Robert K Wild.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
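
Added example, not part of the original post and not Squid code: a simplified Python model of the posted configuration, showing that being allowed by `http_access` and being spliced rather than bumped by `ssl_bump` are two separate decisions for the same host. Assumptions: the domain lists are short subsets of the posted files, the `activation` ACL (not shown in the post) always matches, the same server name is seen at every step, and rule evaluation is reduced to "first matching rule at each step".

```python
# Simplified model of the posted squid.conf (added example, not Squid's own code).
WHITELIST = [".bag.itunes.apple.com", ".apps.mzstatic.com", ".gsa.apple.com"]  # subset of urlwhite.txt
NO_INTERCEPT = [".bag.itunes.apple.com", ".apps.mzstatic.com"]  # subset of nointerceptssl.txt

# ssl_bump rules in the order they appear in the post: (action, ACL name)
SSL_BUMP_RULES = [
    ("splice", "NoSSLIntercept"),
    ("peek", "DiscoverSNIHost"),
    ("bump", "all"),
    ("peek", "step1"),
    ("bump", "all"),
]

def domain_match(host, entries):
    """'.example.com' matches example.com and any of its subdomains."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def acl_matches(name, host, step):
    if name == "all":
        return True
    if name in ("DiscoverSNIHost", "step1"):  # both are "at_step SslBump1"
        return step == 1
    if name == "NoSSLIntercept":
        return domain_match(host, NO_INTERCEPT)
    raise ValueError(f"ACL not modelled: {name}")

def ssl_bump_decision(host):
    """Return (final action, indexes of the rules that fired)."""
    fired = []
    for step in (1, 2, 3):
        for idx, (action, acl) in enumerate(SSL_BUMP_RULES):
            if action == "peek" and step == 3:
                continue  # peeking is only possible at steps 1 and 2
            if acl_matches(acl, host, step):
                fired.append(idx)
                if action != "peek":
                    return action, fired  # splice and bump are final
                break  # peeked: re-evaluate the rules at the next step
    return "no-match", fired  # not reachable with a "bump all" rule present

def verdict(host):
    action, fired = ssl_bump_decision(host)
    return {"whitelisted": domain_match(host, WHITELIST), "tls": action, "rules": fired}
```

In this model a whitelisted host that is missing from the no-intercept list is still allowed but gets bumped, and the second `peek step1` / `bump all` pair never fires because the first `bump all` matches everything.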
