On 11/08/21 4:56 am, robert k Wild wrote:
Hi all,
Before I continue, sorry for the stupid question, but I'm trying to learn.
Basically here's my squid.conf:
#NO SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
Note:
You already have ssl_bump rules above which either splice or bump at
step 1. The following ssl_bump rules either never get reached, or are
already known to be impossible to perform if they do get reached.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access allow special_url
http_reply_access deny mimetype
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
#HTTP_HTTPS whitelist websites regex
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
http_access allow activation whitelist
http_access allow activation whitelistreg
http_access deny all
In my urlwhitelist is this:
...
In my nointerceptssl is this:
...
I got all the URLs etc. by looking at tail -f access.log and grepping for the IP
and TCP denied.
But when I try to load the Apple App Store the whitelist isn't enough; I
need to add a couple of URLs to the nointerceptssl.
I got that list by the same method, i.e. looking at tail -f
access.log and grepping for the IP, but as I've already whitelisted the URLs
they all came back as none or ok instead of saying TCP denied.
My question is: why do I need to add some URLs to the nointerceptssl, and
why isn't it enough just to add them to the urlwhite list?
Because you are using those ACLs exclusively for very different things.
- "whitelist" is being exclusively used to check URI domains found in
HTTP messages (http_access). Where "server name" is the CONNECT tunnel
authority name or the IP's reverse-DNS name, or the decrypted https:// URL
domain. It has nothing to do with the TLS handshake activity.
- "NoSSLIntercept" is being exclusively used for TLS handshake
decisions (ssl_bump). Where "server name" is the CONNECT tunnel
authority name or raw IP, TLS SNI, or server certificate subjectAltName.
You could use the whitelist ACL in ssl_bump checks instead of
NoSSLIntercept. At which point the ACL is being used for both sets
of checks and decisions.
Amos
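One way to apply Amos's suggestion, as an added example that is neither from the thread nor Squid project documentation: the single "whitelist" ACL drives both the ssl_bump (TLS handshake) and http_access (HTTP message) decisions, so a domain listed once in urlwhite.txt is both spliced and allowed. File paths are those from Robert's config; the undefined "activation" ACL from the original http_access lines is left out because its definition is not shown, and the unreachable second "peek step1 / bump all" pair is dropped.

```squid
# Added example: one ACL reused for both sets of checks. Paths are taken
# from the posted squid.conf; nothing here is Squid's own documentation.
acl step1 at_step SslBump1
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"

# ssl_bump: at step 1 only the CONNECT authority is known, so peek to learn
# the TLS SNI. At step 2 "server name" now includes the SNI: splice
# whitelisted servers (no interception) and bump everything else.
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump splice whitelistreg
ssl_bump bump all

http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

# http_access: the same ACL matches the CONNECT authority for tunnels and
# the decrypted https:// URL domain for bumped requests, so a site that is
# spliced above is also allowed here without a second list to maintain.
http_access allow whitelist
http_access allow whitelistreg
http_access deny all
```

Splicing a listed server means its traffic is never decrypted, so the rep_mime_type and url_regex checks from the original config cannot apply to it; only the bumped remainder is inspected.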
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users