I do not think this solution is correct.
The SSL_Ports ACL should already contain "443". So the traffic was
**not** being blocked by this line:
"deny CONNECT !SSL_Ports"
AFAICS the lack of URL-path details on the CONNECT request was failing
to match the urlpath_regex ACL.
FYI:
While most of the time we think of Squid access controls as boolean
conditions, they actually have a tri-state logic (allow, deny, skip).
One option here instead of requiring that path to exist (allow X), is to
reject invalid paths (deny !X). Like so:
http_access deny src !path
.. in which case the other access controls later will handle the CONNECT
requests.
Another option is to allow all CONNECT attempts from the given client.
Like this:
http_access deny CONNECT !Safe_ports
http_access allow CONNECT src
.. in which case you rely on the ssl_bump rules to correctly handle the
CONNECT, and http_access to correctly handle the decrypted traffic.
Amos
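To make the tri-state point above concrete, here is a small Python model of http_access evaluation. It is an added example, not code from the thread or from Squid itself: ACLs return match, no-match or skip, a skip on any ACL of a line skips the whole line (negation does not turn a skip into a match), and the first fully matching line decides. The `allow src` line in OPTION1 is an assumed stand-in for the "other access controls later" that the reply refers to; the sample requests are constructed to mirror the poster's access.log lines.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Tri-state ACL result: True = match, False = no match, None = skip
# (the ACL cannot be evaluated for this request, so the line is skipped).
SKIP = None


@dataclass
class Request:
    client: str
    method: str
    host: str
    port: int
    path: Optional[str] = None  # a CONNECT request carries no URL path


def acl_src(r: Request) -> Optional[bool]:
    return r.client == "192.168.1.1"          # acl server src 192.168.1.1


def acl_path(r: Request) -> Optional[bool]:
    # acl path urlpath_regex ^/valid_path/$ -- nothing to test on CONNECT, so skip
    if r.path is None:
        return SKIP
    return re.search(r"^/valid_path/$", r.path) is not None


def acl_connect(r: Request) -> Optional[bool]:
    return r.method == "CONNECT"


def acl_safe_ports(r: Request) -> Optional[bool]:
    return r.port in (80, 443) or 1025 <= r.port <= 65535   # as in the poster's fix


def acl_all(r: Request) -> Optional[bool]:
    return True


ACLS: Dict[str, Callable[[Request], Optional[bool]]] = {
    "src": acl_src, "path": acl_path, "CONNECT": acl_connect,
    "Safe_ports": acl_safe_ports, "all": acl_all,
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", [acl names; a leading '!' negates])


def eval_line(acl_names: List[str], r: Request) -> Optional[bool]:
    """Every ACL on the line must match; '!' negates; a skip anywhere skips the line."""
    for name in acl_names:
        negate = name.startswith("!")
        result = ACLS[name.lstrip("!")](r)
        if result is SKIP:
            return SKIP            # negating a skip is still a skip
        if negate:
            result = not result
        if not result:
            return False
    return True


def http_access(rules: List[Rule], r: Request) -> str:
    """First line whose ACLs all match decides; if no line matches, the opposite
    of the last line's action applies (Squid's documented default)."""
    for action, acl_names in rules:
        if eval_line(acl_names, r) is True:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's original rules (only the lines that matter here).
ORIGINAL: List[Rule] = [("allow", ["src", "path"]), ("deny", ["all"])]

# Option 1 from the reply: reject invalid paths, let later lines handle CONNECT.
# "allow src" is an assumed stand-in for those later controls.
OPTION1: List[Rule] = [
    ("deny", ["src", "!path"]),
    ("deny", ["CONNECT", "!Safe_ports"]),
    ("allow", ["src"]),
    ("deny", ["all"]),
]

# Option 2 from the reply: allow all CONNECT from the client; http_access then
# judges the decrypted requests (which only exist if ssl_bump bumps them).
OPTION2: List[Rule] = [
    ("deny", ["CONNECT", "!Safe_ports"]),
    ("allow", ["CONNECT", "src"]),
    ("allow", ["src", "path"]),
    ("deny", ["all"]),
]

# Constructed sample requests mirroring the poster's access.log lines.
CONNECT_REQ = Request("192.168.1.1", "CONNECT", "www.example.com", 443)
GET_VALID = Request("192.168.1.1", "GET", "www.example.com", 443, "/valid_path/")
GET_OTHER = Request("192.168.1.1", "GET", "www.example.com", 443, "/other/")


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Decision for each sample request under the given rule set."""
    samples = (("CONNECT", CONNECT_REQ), ("GET /valid_path/", GET_VALID),
               ("GET /other/", GET_OTHER))
    return {label: http_access(rules, req) for label, req in samples}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("option1", OPTION1), ("option2", OPTION2)):
        print(label, decisions(rules))
```

Under ORIGINAL the CONNECT hits `allow src path`, the path ACL skips, the line is skipped and `deny all` produces the TCP_DENIED seen in the log; under either option the CONNECT is allowed while a GET for a path outside the regex is still denied.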
On 25/02/25 06:22, BOISIAUD Jean-Yves wrote:
Solution:
It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way.
Directive is too restrictive:
http_access deny CONNECT !SSL_ports
It works now with:
http_access allow CONNECT safe_ports
where safe ports are:
80, 443, 1025-65535 (maybe too large)
------------------------------------------------------------------------
*From:* squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf
of BOISIAUD Jean-Yves <jyboisiaud-ext@xxxxxxxxxxx>
*Sent:* Monday, 24 February 2025 16:38
*To:* squid-users@xxxxxxxxxxxxxxxxxxxxx
*Subject:* ssl-bump with url_regex
Hello,
I am using Squid 5.7 on a Debian 12 system.
I would like to grant only some given URL path for a site using HTTPS.
For example, in the following configuration:
...
http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
cert=/etc/squid/certs/signingCA.crt \
key=/etc/squid/certs/signingCA.key \
tls-cafile=/etc/squid/certs/chain.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=20MB \
cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
options=NO_TLSv1,NO_SSLv3 \
tls-dh=prime256v1:/etc/squid/certs/dhparam.pem
acl intermediate_fetching transaction_initiator certificate-fetching
acl SSLBumpSites ssl::server_name www.example.com
acl server src 192.168.1.1
acl path urlpath_regex ^/valid_path/$
...
http_access allow src path
...
ssl_bump peek all
ssl_bump bump SSLBumpSites
ssl_bump splice all
http_access deny all
cache deny all
Works with http (curl http://www.example.com/valid_path/):
- TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132
Does not work with HTTPS (curl https://www.example.com/valid_path/):
- TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
- NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -
Other https requests work fine:
- TCP_TUNNEL/200 - splice
What is wrong in my configuration?
Thank you for your help.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users