Try adding:

acl step1 at_step SslBump1
ssl_bump peek step1 bump_sites

This worked for me. Just a suggestion :)
On Thu, Feb 11, 2016 at 3:59 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 11/02/2016 1:05 p.m., Victor Hugo wrote:
> > Hi,
> >
> > I was wondering if it is possible to filter HTTPS URLs using squid (for
> > example to blacklist reddit.com but allow https://www.reddit.com/r/news/ )?
> >
> > I thought this may be possible using ssl_bump and url_regex. I have been
> > trying this using squid 3.5.13 but with no success.
> >
> > Here is the squid configuration that I have tried but doesn't seem to work
> > (it works for http sites though):
> >
> > <snip>
> >
> > acl whitelist-regex url_regex -i reddit.com/r/news
> > http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > acl bump_sites ssl::server_name .reddit.com
> > ssl_bump bump bump_sites
> > ssl_bump splice !bump_sites
> > http_access allow whitelist-regex
> > http_access allow localhost
> > http_access deny all
> >
> > Relevant access.log output (IP addresses redacted to x.x.x.x):
> > 1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
>
> So this is the bump happening, as you wanted.
>
> > 1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
>
> And something else has 403 (Forbidden) the request. Your ACL and
> http_access config looks fine. So I don't think it's that.
>
> The first oddity is that your ssl_bump rules are doing bump without
> having fetched the clientHello details yet. So this is a "client-first"
> bumping situation in which Squid first negotiates TLS / HTTPS with the
> client, then completely separately negotiates TLS/HTTPS with the server.
> - any errors in the server TLS might result in something like this 403
>   (though it should be a 5xx status, it may not always be).
> - the sslproxy_* settings are entirely what controls the server
>   connection TLS.
>
> Second oddity is that it's saying DENIED/200. 200 is 'allowed' in CONNECT
> actions. This could be a logging bug, or a sign of something going wrong
> in the bumping stage that alters the CONNECT logging as well.
>
> Are you able to experiment with using the Squid-4.0.5 release? There are
> some bumping bug fixes that are only in that release series.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
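For readers arriving at this thread later, here is a complete squid.conf fragment that puts the two pieces of advice above together: peek at the client Hello in step 1 (so Squid knows the SNI before it decides), bump only the sites that need URL-level filtering, splice everything else, and then apply the path-level allow/deny on the decrypted requests. This is an added example, not configuration from either poster; the certificate helper path, the 4 MB cache size, the localhost-only client policy (taken from Victor's original) and the exact regex are assumptions for a 3.5.x install and should be adjusted to your own layout.

```conf
# Added example, not from the thread. Paths and helper locations are assumptions
# for a squid-3.5.x install under /opt/squid-3.5.13.

http_port 3129 ssl-bump \
    cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Required for generate-host-certificates=on (helper path is an assumption)
sslcrtd_program /opt/squid-3.5.13/libexec/ssl_crtd -s /opt/squid-3.5.13/var/lib/ssl_db -M 4MB
sslcrtd_children 5

# SslBump step ACLs and the set of sites we want to inspect at URL level
acl step1 at_step SslBump1
acl bump_sites ssl::server_name .reddit.com

# Step 1: only peek, so the client Hello (SNI) is read before any decision.
# Bumping here instead would be the "client-first" mode described above.
ssl_bump peek step1
# Step 2: bump the sites we need to see inside of, splice (tunnel) the rest.
ssl_bump bump bump_sites
ssl_bump splice all

# After bumping, requests reach http_access as ordinary GETs with a full
# https:// URL, so url_regex and dstdomain apply to them.
acl SSL_ports port 443
acl CONNECT method CONNECT
acl reddit_site dstdomain .reddit.com
acl reddit_news url_regex -i ^https://www\.reddit\.com/r/news(/|$)

http_access deny CONNECT !SSL_ports
# The CONNECT tunnel must be allowed for bumping to start at all.
http_access allow CONNECT localhost
# Allow the one path, then block the rest of the domain.
http_access allow reddit_news
http_access deny reddit_site
http_access allow localhost
http_access deny all
```

Two checks worth doing before relying on this: run `squid -k parse` against the file to catch directive or ACL typos, and confirm that the client trusts myCA.pem, since the bumped connection presents a certificate generated under that CA rather than reddit's own. Note that the `url_regex` line is anchored to the scheme and host; a bare `reddit.com/r/news` pattern, as in the original config, would also match that string anywhere in a URL on any site.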