Re: regex for normal websites

OK Robert,

I have seen the issue you were having, and indeed it's because Cloudflare understands that there is some kind of MITM in the path.

It's good, but there should be a way to allow such a MITM from the Cloudflare side.

I believe that the Cloudflare client should have the ability to allow or disallow a MITM such as Squid, to allow caching on the path.

However, in this specific case EpicGames, like Microsoft, transfer their actual updates over HTTP and allow caching, so it's OK.

The next squid.conf is working, but I have not tested it with squidGuard on.
I can test it with squidGuard next week:

## START
workers 2

visible_hostname can-proxy-1
forwarded_for delete
via off
host_verify_strict off
client_dst_passthru on
read_ahead_gap 64 MB
shutdown_lifetime 10 seconds

acl fetched_certificate transaction_initiator certificate-fetching

acl deny_note note verdict deny

acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
acl dst_quixel ssl::server_name .epicgames.com epicgames-download1.akamaized.net .unrealengine.com
acl dst_quixel_dstdomain dstdomain .epicgames.com epicgames-download1.akamaized.net .unrealengine.com

acl Bump_server_name ssl::server_name "/etc/squid/ssl-bump-server-name.list"

acl fetched_certificate transaction_initiator certificate-fetching

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_to_splice any-of NoBump_server_name
acl tls_to_bump any-of Bump_server_name

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow fetched_certificate
http_access allow localnet dst_quixel_dstdomain

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128 ssl-bump dynamic_cert_mem_cache_size=16MB generate-host-certificates=on cert=/etc/squid/certs/squid-ca-cert-key.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl -M 16MB
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE

ssl_bump peek tls_s1_connect

ssl_bump bump deny_note

ssl_bump splice dst_quixel
ssl_bump splice tls_to_splice

ssl_bump stare tls_s2_client_hello

ssl_bump bump tls_to_bump

strip_query_terms off

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
## END

Let me know if it gives enough details for you to understand how to implement this.

By the way, a great proxy config you've got there.

Demo of the diff:
https://cloud1.ngtech.co.il/static/squid-data/splice-epic-games-1.mp4

And a support-save of the setup:
https://cloud1.ngtech.co.il/static/squid-data/support-save-2022-08-05_14-16-59.tar.gz

I have used the latest ngtech Squid 5.6 RPMs from my repo.

Let me know if you need more assistance with your setup.

Yours,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

From: robert k Wild <robertkwild@xxxxxxxxx>
Sent: Friday, 5 August 2022 13:24
To: Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>
Cc: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: regex for normal websites

Wow, thanks Eliezer so much for that video. That website looks awesome; I've bookmarked it already.

On Thu, 4 Aug 2022 at 09:59, <ngtech1ltd@xxxxxxxxx> wrote:

Hey Robert,

I recorded this video for you:
https://cloud1.ngtech.co.il/static/squid-data/regex-for-robert.mp4

This is what I did when I reviewed the question.
I hope it will help you and others use this tool:
https://rubular.com/

and squid.

If you have any question regarding regex, we welcome every question here.

All the best and hope this helps,
Eliezer

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of robert k Wild
Sent: Wednesday, 3 August 2022 14:52
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: regex for normal websites

Thanks Amos for this, greatly appreciated.

On Wed, 3 Aug 2022 at 09:35, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:

On 03.08.22 14:12, Amos Jeffries wrote:
>IMO, what you are looking for is actually this ACL definition:
>
> acl adobe ssl::server_name .adobe.com
>
>or its regex equivalent,
>
> acl adobe ssl::server_name_regex (^|\.)adobe\.com$

This is what I was searching for. The Squid FAQ says:

https://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains

www.example.com matches the exact host www.example.com, while .example.com
matches the entire domain example.com (including example.com alone)

but I wasn't sure if this matching also applies to ssl::server_name.

thanks
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



--

Regards,

Robert K Wild.

--

Regards,

Robert K Wild.

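The two ACL forms Amos and Matus discuss above (the leading-dot domain value versus the anchored regex), together with the exact-host entry in Eliezer's dst_quixel list, as an added Python example that is not from the thread or from Squid itself: it emulates Squid's matching rule on constructed SNI values rather than calling Squid, so the anchoring pitfalls can be checked offline.

```python
import re

# Added example (not from the thread): emulate the two Squid ACL forms
# discussed above. Squid's dstdomain / ssl::server_name value ".adobe.com"
# matches the whole domain (adobe.com itself and every subdomain), while a
# bare "host.example" matches only that exact host, as the Squid FAQ states.
def squid_domain_match(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        domain = pattern[1:]
        return host == domain or host.endswith("." + domain)
    return host == pattern

# ssl::server_name_regex equivalent: Squid regex ACLs are unanchored
# searches, so the (^|\.) and $ anchors in Amos's pattern do the work.
def squid_regex_match(pattern: str, host: str) -> bool:
    return re.search(pattern, host) is not None

def acl_matches(patterns, host: str) -> bool:
    """True if any value of a dstdomain-style ACL matches the SNI host."""
    return any(squid_domain_match(p, host) for p in patterns)

# ACL values taken from the thread.
ADOBE_DOMAIN = ".adobe.com"
ADOBE_REGEX = r"(^|\.)adobe\.com$"
DST_QUIXEL = [".epicgames.com", "epicgames-download1.akamaized.net", ".unrealengine.com"]

# Constructed SNI values, including look-alikes that an unanchored or
# plain substring match would wrongly accept.
SAMPLE_HOSTS = [
    "adobe.com", "www.adobe.com", "cc.adobe.com",
    "notadobe.com",            # same suffix, no label boundary
    "adobe.com.example.net",   # the domain used as a leading label elsewhere
    "adobe.org",
]

def compare_forms(hosts=SAMPLE_HOSTS):
    """Map each host to (domain-form result, regex-form result)."""
    return {h: (squid_domain_match(ADOBE_DOMAIN, h),
                squid_regex_match(ADOBE_REGEX, h)) for h in hosts}

if __name__ == "__main__":
    for host, (by_domain, by_regex) in compare_forms().items():
        print(f"{host:24} domain={by_domain!s:5} regex={by_regex}")
    # The exact-host entry covers only that one CDN hostname.
    print(acl_matches(DST_QUIXEL, "epicgames-download1.akamaized.net"))   # True
    print(acl_matches(DST_QUIXEL, "epicgames-download2.akamaized.net"))   # False
```

Both forms agree on every sample, and the look-alike hosts are rejected only because of the label boundary (`(^|\.)`) and the `$` anchor; without them the regex would also accept notadobe.com and adobe.com.example.net.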
