On 6/27/23 16:29, robert k Wild wrote:
Ok I've literally commented out "http deny all" so the proxy isn't
blocking anything and allowing everything
http_access allow activation whitelist
#http_access deny all
And still it's not allowing this specific URL to go through the proxy
activate.redshift3d.com
Well it is but it isn't, as it's an activation URL it isn't activating
the app via the proxy, as soon as I pop the pc on the internet, it
activates the app
Any ideas guys?
If you have not already, restore the "deny all" rule and make sure that
everything works if you do not bump traffic. Use just "http_port 3128"
if you have to, without the ssl-bump flag and related ssl_bump rules.
Once the above is working, I would check whether your app trusts your CA
certificate (/usr/local/squid/etc/ssl_cert/myCA.pem). If you have not
done anything about that trust on the app side, then that app will not
trust it, and all bumped transactions will fail because the app will
refuse to receive TLS traffic related to that certificate.
Add %err_code/%err_detail fields to your access.log using the logformat
and access_log directives. They may help identify failed transactions.
HTH,
Alex.
On Tue, 27 Jun 2023, 07:36 robert k Wild <robertkwild@xxxxxxxxx> wrote:
Hi Eliezer,
this is a snippet of my whitelist and no intercept SSL config
#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all
so basically no SSL interception
#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
and whitelisting
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
in both txt files, i.e.
/usr/local/squid/etc/interceptssl.txt
/usr/local/squid/etc/urlwhite.txt
I have a URL that first I have to whitelist, and then if I want squid
not to inspect the URL traffic I put it in the SSL interception (I
do this as some websites don't like MITM)
but even putting the URL in question in both files I'm still having
issues with this website, i.e. it's still being detected that it's
passing through a proxy
thanks,
rob
On Mon, 26 Jun 2023 at 23:35, <ngtech1ltd@xxxxxxxxx> wrote:
Hey Robert,
I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external acl helper to allow dynamic updates of
the whitelists or
to periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?
More details will help us help you.
Eliezer
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: make URL bypass squid proxy
hi all,
I have set up squid for URL whitelisting and no intercept SSL
(see below)
https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
but some websites I want the client to bypass the squid proxy
and go straight to the website, as I think this is why a URL isn't
working even when I add the URL to both files, i.e. urlwhite and no
intercept SSL
thanks,
rob
--
Regards,
Robert K Wild.
--
Regards,
Robert K Wild.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
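Added example, not part of the thread and not code from the posters or the Squid project: once %err_code/%err_detail are in access.log as Alex suggests, a short Python filter can list the failed transactions for one host together with the SslBump decision Squid logged for them. Assumptions: the logformat name "bumpdebug", the extra %ssl::>sni and %ssl::bump_mode fields (added here beyond the two fields named in the reply), the placeholder log path, and the sample log lines, which are constructed.

```python
import re
from collections import Counter

# Assumed squid.conf lines behind this layout ("bumpdebug" is a made-up name):
#   logformat bumpdebug %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %ssl::bump_mode %err_code/%err_detail
#   access_log stdio:/path/to/access.log bumpdebug
FIELDS = ("time", "elapsed", "client", "status", "bytes", "method", "url",
          "sni", "bump_mode", "error")

# Constructed sample lines (not from the thread); error values are illustrative.
SAMPLE_LOG = """\
1687879801.120     41 192.0.2.10 NONE/200 0 CONNECT activate.redshift3d.com:443 activate.redshift3d.com bump -/-
1687879801.163      2 192.0.2.10 NONE/200 0 CONNECT activate.redshift3d.com:443 activate.redshift3d.com bump ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE
1687879805.377    912 192.0.2.10 TCP_TUNNEL/200 5321 CONNECT www.example.com:443 www.example.com splice -/-
1687879809.004      0 192.0.2.11 TCP_DENIED/403 3870 CONNECT blocked.example.net:443 - - ERR_ACCESS_DENIED/-
"""

def parse_line(line):
    """Split one log line into named fields; None if the layout does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["err_code"], _, rec["err_detail"] = rec.pop("error").partition("/")
    return rec

def host_of(rec):
    """Prefer the client's SNI; fall back to the host in the CONNECT target or URL."""
    if rec["sni"] != "-":
        return rec["sni"].lower()
    m = re.match(r"(?:[a-z]+://)?([^/:]+)", rec["url"], re.I)
    return m.group(1).lower() if m else "-"

def failures_for(log_text, host):
    """(bump_mode, status, err_code, err_detail) for each failed transaction to host."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["bump_mode"], r["status"], r["err_code"], r["err_detail"])
            for r in recs
            if host_of(r) == host.lower()
            and (r["err_code"], r["err_detail"]) != ("-", "-")]

def bump_modes(log_text):
    """Count logged SslBump decisions per (host, mode)."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((host_of(r), r["bump_mode"]) for r in recs)

if __name__ == "__main__":
    for row in failures_for(SAMPLE_LOG, "activate.redshift3d.com"):
        print(*row)
```

A host that shows "bump" here although it is listed in interceptssl.txt points at the splice rule not matching; errors logged only on bumped transactions fit the CA-trust explanation in the reply.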