Re: [squid-users] make URL bypass squid proxy

2023-07-06 Thread robert k Wild
7:9D:B4:CD:13:A2:
>
> 32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
> Timestamp : Dec 14 15:34:39.124 2022 GMT
> Extensions: none
> Signature : ecdsa-with-SHA256
>
> 30:45:02:20:2C:E2:85:9C:A6:54:1B:1C:31:E5:F8:37:
>
> E9:CD:09:8B:D8:26:29:E4:C7:65:94:9C:FF:32:D2:41:
>
> CD:16:A3:51:02:21:00:A0:2F:C3:F7:A6:55:3B:21:EB:
>
> 9B:CA:6E:4E:07:A2:8C:40:4B:E2:27:D6:82:44:0F:09:
> C9:F7:7D:1B:72:6F:13
> Signature Algorithm: sha256WithRSAEncryption
>  25:bd:bb:de:57:c0:7f:07:5e:18:62:2e:0b:d3:03:54:a7:45:
>  ab:c6:1f:e2:f6:58:ff:6e:8e:6b:4f:09:9a:87:66:32:81:7f:
>  f4:35:4f:7e:65:e5:6a:04:d6:62:62:ff:d9:3a:f2:6f:19:ba:
>  fa:e6:35:0e:2a:44:5c:3b:ee:9d:97:72:05:86:0c:4c:01:c1:
>  f0:8c:21:c1:c4:84:54:d8:a8:05:25:18:72:db:f7:53:9b:f1:
>  13:d6:0b:bc:92:6e:01:e3:fd:de:a1:45:e9:29:37:e1:2e:64:
>  36:b4:4d:38:c1:60:02:6a:17:3d:87:a2:5f:33:3b:86:eb:0d:
>  cc:dd:fa:d4:43:58:50:43:e7:b7:ec:0a:4f:86:72:15:e5:30:
>  c9:bb:5f:0b:83:9c:26:6f:60:49:dd:1a:7c:92:45:45:4e:b5:
>  ce:cd:64:8c:12:83:e9:3d:5c:6b:65:97:75:99:4c:66:eb:d0:
>  3a:ca:18:62:8a:08:07:16:ab:09:66:bd:65:43:94:00:d9:79:
>  3e:84:b4:60:7d:7e:f9:09:3c:fe:2d:ad:98:94:17:0c:24:8f:
>  e1:a2:74:b6:3b:68:c0:01:f9:67:e8:b9:d2:6a:65:9e:99:a3:
>  4a:5f:39:31:ae:c1:59:02:7b:ef:db:b2:94:06:f8:1a:74:c1:
>  d7:5b:5b:6a
>
> So the DNS names it will check are:
> Subject: CN = activate.redshift3d.com
> DNS:activate.redshift3d.com, DNS:
> www.activate.redshift3d.com
>
> So to summarize, the checks of ssl::server_name will be done on:
> * activate.redshift3d.com
> * activate.redshift3d.com
> * www.activate.redshift3d.com
>
> So the .redshift3d.com ssl::server_name value should match the certificate.
> If for any reason it doesn't work you can try ssl::server_name_regex with
> something like:
> (^|\.)activate\.redshift3d\.com$
>
> Or just to verify if there is a bug in squid code try:
> (^|\.)activate\.redshift3d\.com
>
> Now, the splice should be able to take into account also dstdomain and
> dstdom_regex but it should match them only if they exist in a plain text
> form like in any simple forward proxy CONNECT request.
> If for any reason it doesn’t work we should investigate what might cause
> this issue.
>
> I hope the scroll I wrote makes sense to you, and I hope it clears up
> the doubts about the wiki article you mentioned.
> I believe this is considered a summary of the subject and if Alex and
> others might think so it can be converted into an example article in the
> wiki.
>
> Let me know if this makes sense and resolves the issue.
>
> Yours,
> Eliezer
>
> From: robert k Wild 
> Sent: Thursday, June 29, 2023 12:18
> To: ngtech1...@gmail.com
> Cc: Squid Users 
> Subject: Re: [squid-users] make URL bypass squid proxy
>
> very clever, so you bunch all the acls up
>
> acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom
> NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
>
> the key word is "any-of" ie if the url hits any one do that first
>
> what about instead of making it
>
> ssl::server_name_regex
>
> i make it
>
> dstdom_regex
>
> On Thu, 29 Jun 2023 at 01:38, <mailto:ngtech1...@gmail.com> wrote:
> Hey Rob,
>
> The first thing is to allow the domain in the http_access just to be sure
> and use a basic deny all bottom line.
> Let me try to simplify your squid.conf
> In a link:
> https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e
>
> In plain text:
> ## START OF FILE
> # SSL Interception  basic rules
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
> acl NoSSLInterceptRegExFile ssl::server_name_regex
> "/usr/local/squid/etc/no-intercept-ssl-regex.txt"
>
> acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
> acl NoSSLInterceptDstDomFile ssl::server_name
> "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"
>
> ## Any-of will test whatever rule matches first, in a first match/hit fashion
> acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom
> NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
>
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLInterceptAnyOf
> ssl_bump bump all
>
> #SSL Bump port
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db

Re: [squid-users] make URL bypass squid proxy

2023-06-29 Thread ngtech1ltd
3:9c:26:6f:60:49:dd:1a:7c:92:45:45:4e:b5:
 ce:cd:64:8c:12:83:e9:3d:5c:6b:65:97:75:99:4c:66:eb:d0:
 3a:ca:18:62:8a:08:07:16:ab:09:66:bd:65:43:94:00:d9:79:
 3e:84:b4:60:7d:7e:f9:09:3c:fe:2d:ad:98:94:17:0c:24:8f:
 e1:a2:74:b6:3b:68:c0:01:f9:67:e8:b9:d2:6a:65:9e:99:a3:
 4a:5f:39:31:ae:c1:59:02:7b:ef:db:b2:94:06:f8:1a:74:c1:
 d7:5b:5b:6a

So the DNS names it will check are:
Subject: CN = activate.redshift3d.com
DNS:activate.redshift3d.com, DNS:www.activate.redshift3d.com

So to summarize, the checks of ssl::server_name will be done on:
* activate.redshift3d.com
* activate.redshift3d.com
* www.activate.redshift3d.com

So the .redshift3d.com ssl::server_name value should match the certificate.
If for any reason it doesn't work you can try ssl::server_name_regex with 
something like:
(^|\.)activate\.redshift3d\.com$

Or just to verify if there is a bug in squid code try:
(^|\.)activate\.redshift3d\.com

Now, the splice should be able to take into account also dstdomain and 
dstdom_regex but it should match them only if they exist in a plain text
form like in any simple forward proxy CONNECT request.
If for any reason it doesn’t work we should investigate what might cause this 
issue.

I hope the scroll I wrote makes sense to you, and I hope it clears up 
the doubts about the wiki article you mentioned.
I believe this is considered a summary of the subject and if Alex and others 
might think so it can be converted into an example article in the wiki.

Let me know if this makes sense and resolves the issue.

Yours,
Eliezer

From: robert k Wild  
Sent: Thursday, June 29, 2023 12:18
To: ngtech1...@gmail.com
Cc: Squid Users 
Subject: Re: [squid-users] make URL bypass squid proxy

very clever, so you bunch all the acls up 

acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile 
NoSSLInterceptRegEx NoSSLInterceptRegExFile 

the key word is "any-of" ie if the url hits any one do that first

what about instead of making it 

ssl::server_name_regex 

i make it

dstdom_regex

On Thu, 29 Jun 2023 at 01:38, <mailto:ngtech1...@gmail.com> wrote:
Hey Rob,

The first thing is to allow the domain in the http_access just to be sure and 
use a basic deny all bottom line.
Let me try to simplify your squid.conf
In a link:
https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e

In plain text:
## START OF FILE
# SSL Interception  basic rules
acl DiscoverSNIHost at_step SslBump1

acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
acl NoSSLInterceptRegExFile ssl::server_name_regex 
"/usr/local/squid/etc/no-intercept-ssl-regex.txt"

acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
acl NoSSLInterceptDstDomFile ssl::server_name 
"/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"

## Any-of will test whatever rule matches first, in a first match/hit fashion
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile 
NoSSLInterceptRegEx NoSSLInterceptRegExFile

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLInterceptAnyOf
ssl_bump bump all

#SSL Bump port
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s 
/var/lib/ssl_db -M 4MB

## http_access acls, will apply on incoming requests and not on responses
acl special_url_regex url_regex https?://(^|.*\.)redshift3d\.com\/
acl special_url_regex_file url_regex 
"/usr/local/squid/etc/special_url_regex.txt"

acl special_url_dst_dom dstdomain .redshift3d.com
acl special_url_dst_dom_file dstdomain 
"/usr/local/squid/etc/special_url_dstdom.txt"

acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file 
special_url_regex special_url_regex_file

acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8

http_access allow localnet special_url_any_of
http_access deny all
## END OF FILE

Once the above works, try adding other http_access rules, like reply access 
rules

Let me know what happens,
Eliezer

From: robert k Wild <mailto:robertkw...@gmail.com> 
Sent: Tuesday, June 27, 2023 09:36
To: mailto:ngtech1...@gmail.com
Cc: Squid Users <mailto:squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] make URL bypass squid proxy

Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex 
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s 
/var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/
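The two matching styles Eliezer compares in the message above (an ssl::server_name value with a leading dot versus an ssl::server_name_regex pattern, tested against the certificate's CN and SAN names), together with the any-of and ssl_bump first-match evaluation Rob asks about, modelled in Python as an added example. This is not code from the thread or from Squid itself: it assumes Squid's dotted-domain rule (a leading dot matches the domain and every subdomain, otherwise exact match) and treats the *_regex ACLs as an unanchored search, which Python's re.search approximates for these patterns. The certificate names are the three quoted above; the look-alike names, the sample URLs and the tighter url_regex at the end are constructed here and are my suggestion, not something posted in the thread.

```python
import re

# Constructed test data: the three certificate names are those quoted in the
# thread (subject CN plus the two SAN entries); the look-alikes are made up
# here to show where each matcher stops matching.
CERT_NAMES = [
    "activate.redshift3d.com",      # Subject CN
    "activate.redshift3d.com",      # SAN DNS entry
    "www.activate.redshift3d.com",  # SAN DNS entry
]
LOOKALIKES = ["redshift3d.com", "notredshift3d.com", "redshift3d.com.evil.example"]


def dstdomain_match(pattern, name):
    """dstdomain / ssl::server_name value semantics: a leading dot matches the
    domain itself and every subdomain; without it the name must match exactly.
    Hostnames compare case-insensitively."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def regex_match(pattern, text):
    """*_regex ACL semantics: an unanchored search, not a full match, which is
    why the patterns in the thread carry their own ^ and $ anchors."""
    return re.search(pattern, text) is not None


# The two no-intercept ACLs from the thread, reduced to (matcher, values).
ACLS = {
    "NoSSLInterceptDstDom": (dstdomain_match, [".redshift3d.com"]),
    "NoSSLInterceptRegEx": (regex_match, [r"(^|.*\.)redshift3d\.com$"]),
}


def acl_hits(acl_name, names):
    """True when any value of the ACL matches any of the known server names."""
    matcher, values = ACLS[acl_name]
    return any(matcher(v, n) for v in values for n in names)


def any_of(members, names):
    """'any-of' ACL: members are tested in the listed order; the first hit wins
    and its name is returned, None if nothing matched."""
    for member in members:
        if acl_hits(member, names):
            return member
    return None


def ssl_bump_decision(step, known_names):
    """First-match walk of the thread's rule list:
         ssl_bump peek   DiscoverSNIHost      (at_step SslBump1)
         ssl_bump splice NoSSLInterceptAnyOf
         ssl_bump bump   all
    known_names holds whatever server names Squid has learned so far
    (CONNECT host, SNI, certificate CN and SANs)."""
    if step == 1:
        return "peek"  # DiscoverSNIHost only matches at step 1
    if any_of(["NoSSLInterceptDstDom", "NoSSLInterceptRegEx"], known_names):
        return "splice"
    return "bump"


def server_name_table(names=None):
    """Per name, which of the two no-intercept ACLs would match it."""
    names = CERT_NAMES + LOOKALIKES if names is None else names
    return {n: {acl: acl_hits(acl, [n]) for acl in ACLS} for n in names}


# The url_regex from the gist, beside a tighter form that is my suggestion
# (not from the thread): anchored at the start, and the optional subdomain
# part may not contain a "/", so the match cannot slide into the URL path.
URL_REGEX_THREAD = r"https?://(^|.*\.)redshift3d\.com\/"
URL_REGEX_TIGHT = r"^https?://([^/]*\.)?redshift3d\.com/"
SAMPLE_URLS = [  # constructed
    "https://redshift3d.com/",
    "https://activate.redshift3d.com/",
    "https://evil.example/path.redshift3d.com/",
]


def url_regex_table(urls=None):
    """Per URL: (matches the thread's url_regex, matches the tighter one)."""
    urls = SAMPLE_URLS if urls is None else urls
    return {u: (regex_match(URL_REGEX_THREAD, u), regex_match(URL_REGEX_TIGHT, u))
            for u in urls}


if __name__ == "__main__":
    for name, hits in server_name_table().items():
        print(f"{name:30} {hits}")
    for url, (loose, tight) in url_regex_table().items():
        print(f"{url:45} thread={loose} tight={tight}")
    print("step 1:", ssl_bump_decision(1, []))
    print("step 2:", ssl_bump_decision(2, CERT_NAMES))
    print("step 2, other site:", ssl_bump_decision(2, ["example.com"]))
```

Two things the table makes visible. The dotted ssl::server_name value and the anchored server_name_regex agree on every name here, including the look-alikes they both reject, so in this config the dstdomain-style ACL alone would already carry the splice and the regex is only a fallback. The url_regex from the gist behaves differently: the `^` inside the group can never match after `https?://`, so the pattern requires a dot before `redshift3d.com` and does not allow the bare `https://redshift3d.com/`, while the `.*` in the same group can span a `/` and so also matches a URL whose path merely contains `.redshift3d.com/`. For an http_access allow rule that is the wrong direction to err in; the dstdomain ACL already present in the same config, or an anchored pattern like URL_REGEX_TIGHT, keeps the check on the host part.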

Re: [squid-users] make URL bypass squid proxy

2023-06-29 Thread robert k Wild
very clever, so you bunch all the acls up

acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom
NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile

the key word is "any-of" ie if the url hits any one do that first

what about instead of making it

ssl::server_name_regex

i make it

*dstdom_regex*

On Thu, 29 Jun 2023 at 01:38,  wrote:

> Hey Rob,
>
> The first thing is to allow the domain in the http_access just to be sure
> and use a basic deny all bottom line.
> Let me try to simplify your squid.conf
> In a link:
> https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e
>
> In plain text:
> ## START OF FILE
> # SSL Interception  basic rules
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
> acl NoSSLInterceptRegExFile ssl::server_name_regex
> "/usr/local/squid/etc/no-intercept-ssl-regex.txt"
>
> acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
> acl NoSSLInterceptDstDomFile ssl::server_name
> "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"
>
> ## Any-of will test whatever rule matches first, in a first match/hit fashion
> acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom
> NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
>
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLInterceptAnyOf
> ssl_bump bump all
>
> #SSL Bump port
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
>
> ## http_access acls, will apply on incoming requests and not on responses
> acl special_url_regex url_regex https?://(^|.*\.)redshift3d\.com\/
> acl special_url_regex_file url_regex
> "/usr/local/squid/etc/special_url_regex.txt"
>
> acl special_url_dst_dom dstdomain .redshift3d.com
> acl special_url_dst_dom_file dstdomain
> "/usr/local/squid/etc/special_url_dstdom.txt"
>
> acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file
> special_url_regex special_url_regex_file
>
> acl localnet src 192.168.0.0/16
> acl localnet src 10.0.0.0/8
>
> http_access allow localnet special_url_any_of
> http_access deny all
> ## END OF FILE
>
>  Once the above works, try adding other http_access rules, like reply
> access rules
>
> Let me know what happens,
> Eliezer
>
> From: robert k Wild 
> Sent: Tuesday, June 27, 2023 09:36
> To: ngtech1...@gmail.com
> Cc: Squid Users 
> Subject: Re: [squid-users] make URL bypass squid proxy
>
> Hi Eliezer,
>
> this is a snippet of my whitelist and no intercept SSL config
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex
> "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
> #
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> #
> #deny up MIME types
> acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> #deny URL links
> acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> #
> #deny down MIME types
> acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> http_reply_access allow special_url
> http_reply_access deny downmime
> #http_access deny upmime
> #http_access deny url_links
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
> #
> http_access allow activation whitelist
> http_access deny all
>
> so basically no SSL interception
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex
> "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> and whitelisting
>
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
>
> in both txt files ie
>
> /usr/local/squid/etc/interceptssl.txt
> /usr/local/squid/etc/urlwhite.txt
>
> i have a URL that first i have to whitelist and then if i want squid not
> to inspect the url traffic i put it in the SSL interception (i do this as
> some websites don't like MITM )
>

Re: [squid-users] make URL bypass squid proxy

2023-06-28 Thread ngtech1ltd
Hey Rob,

The first thing is to allow the domain in the http_access just to be sure and 
use a basic deny all bottom line.
Let me try to simplify your squid.conf
In a link:
https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e

In plain text:
## START OF FILE
# SSL Interception  basic rules
acl DiscoverSNIHost at_step SslBump1

acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
acl NoSSLInterceptRegExFile ssl::server_name_regex 
"/usr/local/squid/etc/no-intercept-ssl-regex.txt"

acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
acl NoSSLInterceptDstDomFile ssl::server_name 
"/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"

## Any-of will test whatever rule matches first, in a first match/hit fashion
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile 
NoSSLInterceptRegEx NoSSLInterceptRegExFile

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLInterceptAnyOf
ssl_bump bump all

#SSL Bump port
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s 
/var/lib/ssl_db -M 4MB

## http_access acls, will apply on incoming requests and not on responses
acl special_url_regex url_regex https?://(^|.*\.)redshift3d\.com\/
acl special_url_regex_file url_regex 
"/usr/local/squid/etc/special_url_regex.txt"

acl special_url_dst_dom dstdomain .redshift3d.com
acl special_url_dst_dom_file dstdomain 
"/usr/local/squid/etc/special_url_dstdom.txt"

acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file 
special_url_regex special_url_regex_file

acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8

http_access allow localnet special_url_any_of
http_access deny all
## END OF FILE

Once the above works, try adding other http_access rules, like reply access 
rules

Let me know what happens,
Eliezer

From: robert k Wild  
Sent: Tuesday, June 27, 2023 09:36
To: ngtech1...@gmail.com
Cc: Squid Users 
Subject: Re: [squid-users] make URL bypass squid proxy

Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex 
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s 
/var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all

so basically no SSL interception

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex 
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all 

and whitelisting

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt" 

in both txt files ie

/usr/local/squid/etc/interceptssl.txt 
/usr/local/squid/etc/urlwhite.txt 

i have a URL that first i have to whitelist and then if i want squid not to 
inspect the url traffic i put it in the SSL interception (i do this as some 
websites don't like MITM )

but even putting the URL in question in both files i'm still having issues with 
this website ie it's still being detected that it's passing through a proxy

thanks,
rob

On Mon, 26 Jun 2023 at 23:35, <mailto:ngtech1...@gmail.com> wrote:
Hey Robert,
 
I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external acl helper to allow dynamic updates of the whitelists or
to periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?
 
More details will help us help you.
 
Eliezer
 
From: squid-users <mailto:squid-users-boun...@lists.squid-cache.org> On Behalf 
Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <mailto:squid-users@lists.squid-cache.org>
Subject: [squid-users] make URL bypass squid proxy
 
hi all,
 
i have set up squid for url whitelisting and no intercept SSL (see below)

Re: [squid-users] make URL bypass squid proxy

2023-06-27 Thread Alex Rousskov

On 6/27/23 16:29, robert k Wild wrote:
Ok I've literally commented out "http deny all" so the proxy isn't 
blocking anything and allowing everything


http_access allow activation whitelist
#http_access deny all

And still it's not allowing this specific URL to go through the proxy

activate.redshift3d.com 

Well it is but it isn't, as it's an activation URL it isn't activating 
the app via the proxy, as soon as I pop the pc on the internet, it 
activates the app


Any ideas guys?


If you have not already, restore the "deny all" rule and make sure that 
everything works if you do not bump traffic. Use just "http_port 3128" 
if you have to, without the ssl-bump flag and related ssl_bump rules.


Once the above is working, I would check whether your app trusts your CA 
certificate (/usr/local/squid/etc/ssl_cert/myCA.pem). If you have not 
done anything about that trust on the app side, then that app will not 
trust it, and all bumped transactions will fail because the app will 
refuse to receive TLS traffic related to that certificate.


Add %err_code/%err_detail fields to your access.log using the logformat 
and access_log directives. They may help identify failed transactions.



HTH,

Alex.


On Tue, 27 Jun 2023, 07:36 robert k Wild wrote:


Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all

so basically no SSL interception

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

and whitelisting

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex
"/usr/local/squid/etc/urlwhite.txt"

in both txt files ie

/usr/local/squid/etc/interceptssl.txt
/usr/local/squid/etc/urlwhite.txt

i have a URL that first i have to whitelist and then if i want squid
not to inspect the url traffic i put it in the SSL interception (i
do this as some websites don't like MITM )

but even putting the URL in question in both files i'm still having
issues with this website ie it's still being detected that it's
passing through a proxy

thanks,
rob

On Mon, 26 Jun 2023 at 23:35, ngtech1...@gmail.com wrote:

Hey Robert,

I am not sure what forward proxy setup you have there.

A simple forward proxy?

What tool are you using for whitelisting?

You can use an external acl helper to allow dynamic updates of
the whitelists or
to periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?

More details will help us help you.

Eliezer

From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf
Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <squid-users@lists.squid-cache.org>
Subject: [squid-users] make URL bypass squid proxy

hi all,

i have set up squid for url whitelisting and no intercept SSL
(see below)

https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts

but some websites i want the client to bypass the squid proxy
and go straight to the website as i think this is why a url isn't
working even when i add the url to both files

Re: [squid-users] make URL bypass squid proxy

2023-06-27 Thread robert k Wild
Ok I've literally commented out "http deny all" so the proxy isn't blocking
anything and allowing everything

http_access allow activation whitelist
#http_access deny all

And still it's not allowing this specific URL to go through the proxy

activate.redshift3d.com

Well it is but it isn't, as it's an activation URL it isn't activating the
app via the proxy, as soon as I pop the pc on the internet, it activates
the app

Any ideas guys?

Thanks,
Rob

On Tue, 27 Jun 2023, 07:36 robert k Wild,  wrote:

> Hi Eliezer,
>
> this is a snippet of my whitelist and no intercept SSL config
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex
> "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
> #
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> #
> #deny up MIME types
> acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> #deny URL links
> acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> #
> #deny down MIME types
> acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> http_reply_access allow special_url
> http_reply_access deny downmime
> #http_access deny upmime
> #http_access deny url_links
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
> #
> http_access allow activation whitelist
> http_access deny all
>
> so basically no SSL interception
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex
> "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> and whitelisting
>
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
>
> in both txt files ie
>
> /usr/local/squid/etc/interceptssl.txt
> /usr/local/squid/etc/urlwhite.txt
>
> i have a URL that first i have to whitelist and then if i want squid not
> to inspect the url traffic i put it in the SSL interception (i do this as
> some websites don't like MITM )
>
> but even putting the URL in question in both files i'm still having issues
> with this website ie it's still being detected that it's passing through a
> proxy
>
> thanks,
> rob
>
> On Mon, 26 Jun 2023 at 23:35,  wrote:
>
>> Hey Robert,
>>
>>
>>
>> I am not sure what forward proxy setup you have there.
>>
>> A simple forward proxy?
>>
>> What tool are you using for whitelisting?
>>
>> You can use an external acl helper to allow dynamic updates of the
>> whitelists or
>> to periodically update your lists and reload.
>> It will depend on the size of your lists.
>> What OS are you using for your squid proxy?
>>
>>
>>
>> More details will help us help you.
>>
>>
>>
>> Eliezer
>>
>>
>>
>> *From:* squid-users  *On
>> Behalf Of *robert k Wild
>> *Sent:* Monday, June 26, 2023 22:25
>> *To:* Squid Users 
>> *Subject:* [squid-users] make URL bypass squid proxy
>>
>>
>>
>> hi all,
>>
>>
>>
>> i have set up squid for url whitelisting and no intercept SSL (see below)
>>
>>
>>
>> https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
>>
>>
>>
>> but some websites i want the client to bypass the squid proxy and go
>> straight to the website as i think this is why a url isn't working even when
>> i add the url to both files ie urlwhite and no intercept SSL
>>
>>
>>
>>
>>
>>
>>
>> thanks,
>>
>> rob
>>
>>
>> --
>>
>> Regards,
>>
>> Robert K Wild.
>>
>
>
> --
> Regards,
>
> Robert K Wild.
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] make URL bypass squid proxy

2023-06-26 Thread robert k Wild
 Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all

so basically no SSL interception

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex
"/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

and whitelisting

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"

in both txt files ie

/usr/local/squid/etc/interceptssl.txt
/usr/local/squid/etc/urlwhite.txt

i have a URL that first i have to whitelist and then if i want squid not to
inspect the url traffic i put it in the SSL interception (i do this as some
websites don't like MITM )

but even putting the URL in question in both files i'm still having issues
with this website ie it's still being detected that it's passing through a
proxy

thanks,
rob

On Mon, 26 Jun 2023 at 23:35,  wrote:

> Hey Robert,
>
>
>
> I am not sure what forward proxy setup you have there.
>
> A simple forward proxy?
>
> What tool are you using for whitelisting?
>
> You can use an external acl helper to allow dynamic updates of the
> whitelists or
> to periodically update your lists and reload.
> It will depend on the size of your lists.
> What OS are you using for your squid proxy?
>
>
>
> More details will help us help you.
>
>
>
> Eliezer
>
>
>
> *From:* squid-users  *On
> Behalf Of *robert k Wild
> *Sent:* Monday, June 26, 2023 22:25
> *To:* Squid Users 
> *Subject:* [squid-users] make URL bypass squid proxy
>
>
>
> hi all,
>
>
>
> i have set up squid for url whitelisting and no intercept SSL (see below)
>
>
>
> https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
>
>
>
> but some websites i want the client to bypass the squid proxy and go
> straight to the website as i think this is why a url isn't working even when
> i add the url to both files ie urlwhite and no intercept SSL
>
>
>
>
>
>
>
> thanks,
>
> rob
>
>
> --
>
> Regards,
>
> Robert K Wild.
>


-- 
Regards,

Robert K Wild.


Re: [squid-users] make URL bypass squid proxy

2023-06-26 Thread ngtech1ltd
Hey Robert,
 
I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external acl helper to allow dynamic updates of the whitelists or
to periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?
 
More details will help us help you.
 
Eliezer
 
From: squid-users  On Behalf Of 
robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users 
Subject: [squid-users] make URL bypass squid proxy
 
hi all,
 
i have set up squid for url whitelisting and no intercept SSL (see below)
 
https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
 
but some websites i want the client to bypass the squid proxy and go straight 
to the website as i think this is why a url isn't working even when i add the 
url to both files ie urlwhite and no intercept SSL
 
 
 
thanks,
rob

-- 
Regards, 

Robert K Wild.