Dear Alex,

Thank you for your advice!

> Do you run these "curl" commands on the same box that runs Squid?

No, we have a Squid validation environment on an AWS EC2 instance, and the instance for Squid and the instance for running curl commands are separate.

> However, you may want to double check whether rejecting requests with an
> empty Host header is actually necessary in your environment. Perhaps
> they can be considered valid (which is what Squid does by default)?

Thank you. Indeed, we do not want to explicitly reject empty Host headers; we just want to reject malformed requests. Therefore, we will not add an explicit rejection setting.

> I recommend deleting the above http_access rule. AFAICT, you only want
> to allow valid requests targeting specific/allowed sites. You already
> have other rules for that. The above "all HTTPS" rule is too broad and
> is seemingly unnecessary.
>
> I also recommend deleting a similar rule that allows all port-80
> requests, for similar reasons:
>
>   acl http_port port 80
>   http_access allow http_port
>
> If you think you do need those two broad rules, please clarify what you
> think you need them for. In other words, what tests would break if you
> remove them?

I did not need these rules, so I removed them and verified STEP 2 again, and everything passed! Thank you so much for your help!!

We then added the following settings that were in the existing Squid proxy.
* The entire configuration is attached to this email.

# SSL_BUMP
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent_https"
sslcrtd_program [sslcrtd-program-setting]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

Then I verified the 4 patterns again, and all of them gave me 403 Forbidden... Even the following pattern, which is allowed in the whitelist:

> 1. successful communication of a valid request to an allowed site
> [command]
> curl https://pypi.org/ -v --cacert squid.crt -k

After checking access-transparent.log and cache.log, it appears that pypi.org is being compared by IP and not by domain. How do I modify the configuration to allow this correctly by domain?

Also, to begin with, these settings follow the existing Squid proxy created by my predecessor, so I don't know what they are for... What are the disadvantages of removing these settings?

Thank you in advance.
Attachment:
squid-transparent.conf
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
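The following is an added worked example, not code from the message above or from the Squid project: a small Python model of the ssl_bump ruleset quoted in the message, useful for reasoning about which action (peek, splice, terminate) a connection should receive at each SslBump step before touching the live proxy. It assumes, as a simplification, that the allowlist files contain one server name per line in Squid's dstdomain style (a leading "." matches the domain and its subdomains), that rules are evaluated top to bottom with the first match winning, and that at step 1 no SNI is available yet. The allowlist contents are constructed for the example; the paths and rule order are the ones in the message.

```python
"""Simplified model of the ssl_bump ruleset from the message above.

Teaching model only (added example): it mirrors the rule order in the
quoted squid.conf fragment but is not Squid's own implementation.
"""

# Constructed sample standing in for the contents of /etc/squid/whitelist*
ALLOWLIST_TEXT = """
# constructed sample allowlist (one server name per line)
pypi.org
.pythonhosted.org
"""

# The ssl_bump rules exactly as ordered in the message: (action, step, acl)
SSL_BUMP_RULES = [
    ("peek", "SslBump1", "all"),
    ("peek", "SslBump2", "allowed_https_sites"),
    ("splice", "SslBump3", "allowed_https_sites"),
    ("terminate", "SslBump2", "all"),
]


def load_allowlist(text):
    """Parse an allowlist file body: strip comments, blanks, case."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            names.append(line)
    return names


def server_name_matches(name, allowlist):
    """dstdomain-style match: 'a.b' matches only a.b;
    '.a.b' matches a.b and any subdomain of a.b (assumed semantics)."""
    if not name:
        # No SNI known (e.g. step 1): a name-based ACL cannot match.
        return False
    name = name.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def decide(step, server_name, allowlist):
    """Action of the first ssl_bump rule matching this step, or None."""
    for action, rule_step, acl in SSL_BUMP_RULES:
        if rule_step != step:
            continue
        if acl == "all" or server_name_matches(server_name, allowlist):
            return action
    return None


def trace(server_name, allowlist):
    """Walk one connection through steps 1..3; stop once a final action
    (splice/terminate/bump) is chosen. Step 1 sees no SNI yet."""
    actions = []
    for step, name in (("SslBump1", None),
                       ("SslBump2", server_name),
                       ("SslBump3", server_name)):
        action = decide(step, name, allowlist)
        actions.append(action)
        if action in ("terminate", "splice", "bump"):
            break
    return actions


if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_TEXT)
    for sni in ("pypi.org", "files.pythonhosted.org", "example.com"):
        print(f"{sni:28s} -> {trace(sni, allow)}")
```

Run as-is, the model shows the intended policy: an allowlisted SNI is peeked at steps 1 and 2 and spliced at step 3, while any other SNI is terminated at step 2. If the live proxy denies pypi.org while this model splices it, the difference lies in what Squid actually sees as the server name at that step (for example an address rather than an SNI), which is the point to verify in cache.log rather than in the rule order.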