
Re: ssl-bump with url_regex [SOLVED]


 



Solution:


It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way.


Directive is too restrictive:

http_access deny CONNECT !SSL_ports


It works now with:
http_access allow CONNECT safe_ports

where safe ports are:
80, 443, 1025-65535 (maybe too large)


From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of BOISIAUD Jean-Yves <jyboisiaud-ext@xxxxxxxxxxx>
Sent: Monday, 24 February 2025 16:38
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: ssl-bump with url_regex
 

Hello,


I am using Squid 5.7 on a Debian 12 system.


I would like to grant only some given URL path for a site using HTTPS.


For example, in the following configuration:

...

http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
    cert=/etc/squid/certs/signingCA.crt \
    key=/etc/squid/certs/signingCA.key \
    tls-cafile=/etc/squid/certs/chain.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=20MB \
    cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
    options=NO_TLSv1,NO_SSLv3 \
    tls-dh=prime256v1:/etc/squid/certs/dhparam.pem

acl intermediate_fetching transaction_initiator certificate-fetching

acl SSLBumpSites ssl::server_name www.example.com

acl server src 192.168.1.1

acl path urlpath_regex ^/valid_path/$

...

http_access allow  src path

...

ssl_bump peek all
ssl_bump bump SSLBumpSites
ssl_bump splice all

http_access deny all

cache deny all

Works with http (curl http://www.example.com/valid_path/):
TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132

Does not work with HTTPS (curl https://www.example.com/valid_path/):
- TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
- NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -

Other https requests work fine:

- TCP_TUNNEL/200 - splice


What is wrong in my configuration?


Thank you for your help.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
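
Added example (not part of the thread and not Squid code): a small Python model of first-match http_access evaluation. It shows why the CONNECT request never matched the urlpath_regex rule in the original configuration, and how the posted "allow CONNECT safe_ports" rule compares with a narrower one. The ACL name port_443, the rule ordering, the sample requests, and reading "src" in the posted rule as the ACL "server" are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    method: str
    src: str
    port: int
    path: str = ""   # a CONNECT target is host:port only, so it has no URL path

# ACLs from the thread, as predicates. "port_443" is a hypothetical addition.
ACLS = {
    "all":        lambda r: True,
    "CONNECT":    lambda r: r.method == "CONNECT",
    "server":     lambda r: r.src == "192.168.1.1",
    "path":       lambda r: re.search(r"^/valid_path/$", r.path) is not None,
    "safe_ports": lambda r: r.port in (80, 443) or 1025 <= r.port <= 65535,
    "port_443":   lambda r: r.port == 443,
}

def http_access(rules, req):
    """First rule whose ACLs all match decides; rule sets here end in 'deny all'."""
    for action, *names in rules:
        if all(ACLS[n](req) for n in names):
            return action
    return "deny"

ORIGINAL = [("allow", "server", "path"), ("deny", "all")]
POSTED   = [("allow", "CONNECT", "safe_ports")] + ORIGINAL
NARROWER = [("allow", "server", "CONNECT", "port_443")] + ORIGINAL  # assumption

# Constructed requests: the CONNECT seen first, then what is seen after bumping.
SAMPLES = {
    "connect_443":      Request("CONNECT", "192.168.1.1", 443),
    "bumped_valid":     Request("GET", "192.168.1.1", 443, "/valid_path/"),
    "bumped_other":     Request("GET", "192.168.1.1", 443, "/other/"),
    "connect_8443":     Request("CONNECT", "192.168.1.1", 8443),
    "connect_other_ip": Request("CONNECT", "10.0.0.5", 443),
}

def evaluate(rules):
    """Return the allow/deny decision for every sample request."""
    return {name: http_access(rules, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("posted", POSTED), ("narrower", NARROWER)):
        print(label, evaluate(rules))
```

In this model the posted rule also admits CONNECT from any source address to any port in the safe_ports range, which is the "maybe too large" concern; the narrower rule keeps the path filter on bumped requests while limiting CONNECT to the one client and port 443.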
