Hi, I'm trying to use Opnsense built-in squid config to set up a transparent proxy for server updates and block everything else. In GUI they use url_regex for whitelist and blacklist, when I simple per domain whitelist and blacklist it's working as expected, e.g. # ACL - Whitelist - User defined (whiteList) acl whiteList url_regex archive\.ubuntu\.com # ACL - Blacklist - User defined (blackList) acl blackList url_regex packages\.gitlab\.com # ACL list (Allow) whitelist http_access allow whiteList # ACL list (Deny) blacklist http_access deny blackList
However, when I do wildcard in blacklist I also get all https domain blocked even when I've tried to explicitly allow it with https://archive\.ubuntu\.com , e.g. # ACL - Whitelist - User defined (whiteList) acl whiteList url_regex archive\.ubuntu\.com # ACL - Blacklist - User defined (blackList) acl blackList url_regex .* # ACL list (Allow) whitelist http_access allow whiteList # ACL list (Deny) blacklist http_access deny blackList I get: Err:7 https://repos.influxdata.com/ubuntu focal InRelease 403 Forbidden [IP: 52.84.95.46 443] What I'm trying to say is with blacklist as . is blocking all https traffic even if whitelisted, is this an expected behaviour or I'm doing something wrong or it can't be done with url_regex and I should do it at backend manually. My config: # # Automatic generated configuration for Squid. # Do not edit this file manually. # # Setup transparent mode listeners on loopback interfaces http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on # Setup regular listeners configuration http_port 172.16.230.252:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on http_port 172.16.230.254:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on # setup ssl re-cert sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB sslcrtd_children 5 tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS # setup ssl bump acl's acl bump_step1 at_step SslBump1 acl bump_step2 at_step SslBump2 acl bump_step3 at_step SslBump3 acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl" # configure bump ssl_bump peek bump_step1 all ssl_bump peek bump_step2 bump_nobumpsites ssl_bump splice bump_step3 bump_nobumpsites ssl_bump stare bump_step2 ssl_bump bump bump_step3 sslproxy_cert_error deny all acl ftp proto FTP http_access allow ftp # Setup ftp proxy # Rules allowing access from your local networks. # Generated list of (internal) IP networks from where browsing # should be allowed. (Allow interface subnets). acl localnet src <net>/24 # Possible internal network (interfaces v4) # Default allow for local-link and private networks acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines # ACL - Allow localhost for PURGE cache if enabled acl PURGE method PURGE http_access allow localhost PURGE http_access deny PURGE # ACL lists # ACL - Whitelist - User defined (whiteList) acl whiteList url_regex packages\.wazuh\.com acl whiteList url_regex archive\.ubuntu\.com acl whiteList url_regex security\.ubuntu\.com acl whiteList url_regex repos\.influxdata\.com # ACL - Blacklist - User defined (blackList) acl blackList url_regex .* # ACL - Remote fetched Blacklist (remoteblacklist) # ACL - Block browser/user-agent - User defined (browser) # ACL - SSL ports, default are configured in config.xml # Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!): acl SSL_ports port 443 # https # Default Safe ports are now defined in config.xml # Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!): # ACL - Safe_ports acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # ICAP SETTINGS # disable icap icap_enable off # Pre-auth plugins include /usr/local/etc/squid/pre-auth/*.conf # Authentication Settings # ACL list (Allow) whitelist http_access allow whiteList # # ACL list (Deny) blacklist http_access deny blackList # Google Suite Filter # YouTube Filter # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user http_access deny to_localhost # Auth plugins include /usr/local/etc/squid/auth/*.conf # # Access Permission configuration: # # Deny request from unauthorized clients # # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets) http_access allow localnet # ACL - localhost http_access allow localhost # Deny all other access to this proxy http_access deny all # Post-auth plugins include /usr/local/etc/squid/post-auth/*.conf # Caching settings cache_mem 1000 MB maximum_object_size 200 MB cache_replacement_policy heap LFUDA cache_dir ufs /var/squid/cache 100000 16 256 # Leave coredumps in the first cache dir coredump_dir /var/squid/cache # # Add any of your own refresh_pattern entries above these. # # Linux package cache: refresh_pattern pkg\.tar\.xz$ 0 20% 4320 refresh-ims refresh_pattern d?rpm$ 0 20% 4320 refresh-ims refresh_pattern deb$ 0 20% 4320 refresh-ims refresh_pattern udeb$ 0 20% 4320 refresh-ims refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims refresh_pattern Release$ 0 20% 4320 refresh-ims # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # Squid Options # dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first dns_v4_first on pinger_enable off access_log stdio:/var/log/squid/access.log squid cache_store_log stdio:/var/log/squid/store.log # URI hanlding with Whitespaces (default=strip) uri_whitespace strip # X-Forwarded header handling (default=on) forwarded_for on # Disable squid logfile rotate to use system defaults logfile_rotate 0 # Define visible email cache_mgr admin@localhost.local error_directory /usr/local/etc/squid/errors/local Thanks
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users