Hey Rob,

The first thing is to allow the domain in the http_access rules, just to be sure, and use a basic deny all bottom line.
Let me try to simplify your squid.conf.

In a link:
https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e

In plain text:

## START OF FILE
# SSL Interception basic rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"

acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"

## any-of will test whatever rule matches first, in a first match/hit fashion
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLInterceptAnyOf
ssl_bump bump all

# SSL Bump port
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

## http_access acls, will apply on incoming requests and not on responses
# url_regex is matched against the whole URL, so the pattern is anchored at
# the scheme and the host part is not allowed to run past the first "/"
acl special_url_regex url_regex ^https?://([^/]*\.)?redshift3d\.com/
acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"

acl special_url_dst_dom dstdomain .redshift3d.com
acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"

acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file

acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8

http_access allow localnet special_url_any_of
http_access deny all
## END OF FILE

Once the above works, try to add other http_access rules, like reply access rules.

Let me know what happens,
Eliezer

From: robert k Wild <robertkwild@xxxxxxxxx>
Sent: Tuesday, June 27, 2023 09:36
To: ngtech1ltd@xxxxxxxxx
Cc: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: make URL bypass squid proxy

Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all

so basically no SSL interception

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

and whitelisting

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"

in both txt files, i.e.

/usr/local/squid/etc/interceptssl.txt
/usr/local/squid/etc/urlwhite.txt

I have a URL that first I have to whitelist, and then if I want squid not to inspect the URL traffic I put it in the SSL interception file (I do this as some websites don't like MITM),

but even putting the URL in question in both files I'm still having issues with this website, i.e. it's still being detected that it's passing through a proxy

thanks,
rob

On Mon, 26 Jun 2023 at 23:35, <ngtech1ltd@xxxxxxxxx> wrote:

Hey Robert,

I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external acl helper to allow dynamic updates of the whitelists, or periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?

More details will help us help you.

Eliezer

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: make URL bypass squid proxy

hi all,

I have set up squid for URL whitelisting and no intercept SSL (see below)

https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts

but some websites I want the client to bypass the squid proxy and go straight to the website, as I think this is why a URL isn't working even when I add the URL to both files, i.e. urlwhite and no intercept SSL

thanks,
rob

--
Regards,
Robert K Wild.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
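
Added example (not part of the original thread, and not Squid code): a small Python check for entries of the no-intercept regex files discussed above. It probes an ssl::server_name_regex entry with hostnames derived from the domain it is meant to cover, and mimics the first-match "splice, otherwise bump" decision. Assumptions: Python's re module stands in for Squid's regex matching on these simple patterns, and the function names and probe hostnames are constructed for illustration.

```python
import re


def ssl_bump_action(sni, splice_patterns):
    """Mimic 'ssl_bump splice <acl>' followed by 'ssl_bump bump all':
    the first pattern matching the peeked SNI wins, otherwise bump."""
    for pattern in splice_patterns:
        if re.search(pattern, sni):
            return "splice"
    return "bump"


def audit_pattern(pattern, domain):
    """Probe one regex entry against hostnames built from the domain it
    should cover. Returns (missed, unintended) lists of hostnames."""
    label, _, rest = domain.partition(".")
    should_match = [domain, "www." + domain]
    should_not_match = [
        domain + ".evil.example",  # matches when the trailing $ is missing
        "evil" + domain,           # matches when the (^|.*\.) prefix is missing
        label + "x" + rest,        # matches when the dot is left unescaped
    ]
    rx = re.compile(pattern)
    missed = [h for h in should_match if not rx.search(h)]
    unintended = [h for h in should_not_match if rx.search(h)]
    return missed, unintended


if __name__ == "__main__":
    # Constructed sample entries: the anchored form used in the thread,
    # a bare domain pasted in as a regex, and an exact-host-only pattern.
    entries = [
        r"(^|.*\.)redshift3d\.com$",
        r"redshift3d.com",
        r"^redshift3d\.com$",
    ]
    for entry in entries:
        missed, unintended = audit_pattern(entry, "redshift3d.com")
        print(f"{entry!r}: missed={missed} unintended={unintended}")
    # Only the first entry is used for the splice/bump decision below.
    for sni in ("www.redshift3d.com", "example.org"):
        print(sni, "->", ssl_bump_action(sni, entries[:1]))
```

Any hostname reported as unintended would be spliced, that is, exempted from inspection, by that entry; any hostname reported as missed would still be bumped.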