Very clever, so you bunch all the ACLs up:

acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile

The key word is "any-of", i.e. if the URL hits any one, do that first.

What about, instead of making it ssl::server_name_regex, I make it *dstdom_regex*?

On Thu, 29 Jun 2023 at 01:38, <ngtech1...@gmail.com> wrote:
> Hey Rob,
>
> The first thing is to allow the domain in the http_access just to be sure
> and use a basic deny all bottom line.
> Let me try to simplify your squid.conf
> In a link:
> https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e
>
> In plain text:
> ## START OF FILE
> # SSL Interception basic rules
> acl DiscoverSNIHost at_step SslBump1
>
> acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
> acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"
>
> acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
> acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"
>
> ## Any of will test whatever rule matches first, in a first match/hit fashion
> acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
>
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLInterceptAnyOf
> ssl_bump bump all
>
> #SSL Bump port
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>
> ## http_access acls will apply on incoming requests and not on responses
> acl special_url_regex url_regex https?://(^|.*\.)redshift3d\.com\/
> acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"
>
> acl special_url_dst_dom dstdomain .redshift3d.com
> acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"
>
> acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file
>
> acl localnet src 192.168.0.0/16
> acl localnet src 10.0.0.0/8
>
> http_access allow localnet special_url_any_of
> http_access deny all
> ## END OF FILE
>
> Once the above works, try to add other http_access rules like reply access rules.
>
> Let me know what happens,
> Eliezer
>
> From: robert k Wild <robertkw...@gmail.com>
> Sent: Tuesday, June 27, 2023 09:36
> To: ngtech1...@gmail.com
> Cc: Squid Users <squid-users@lists.squid-cache.org>
> Subject: Re: [squid-users] make URL bypass squid proxy
>
> Hi Eliezer,
>
> This is a snippet of my whitelist and no intercept SSL config
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
> #
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> #
> #deny up MIME types
> acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> #deny URL links
> acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> #
> #deny down MIME types
> acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> #
> http_reply_access allow special_url
> http_reply_access deny downmime
> #http_access deny upmime
> #http_access deny url_links
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
> #
> http_access allow activation whitelist
> http_access deny all
>
> So basically, no SSL interception:
>
> #SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> and whitelisting:
>
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
>
> in both txt files, i.e.
>
> /usr/local/squid/etc/interceptssl.txt
> /usr/local/squid/etc/urlwhite.txt
>
> I have a URL that first I have to whitelist, and then if I want squid not
> to inspect the URL traffic I put it in the SSL interception (I do this as
> some websites don't like MITM).
>
> But even putting the URL in question in both files I'm still having issues
> with this website, i.e. it's still being detected that it's passing through a
> proxy.
>
> thanks,
> rob
>
> On Mon, 26 Jun 2023 at 23:35, <ngtech1...@gmail.com> wrote:
> Hey Robert,
>
> I am not sure what forward proxy setup you have there.
> A simple forward proxy?
> What tool are you using for whitelisting?
> You can use an external acl helper to allow dynamic updates of the
> whitelists or to periodically update your lists and reload.
> It will depend on the size of your lists.
> What OS are you using for your squid proxy?
>
> More details will help us help you.
>
> Eliezer
>
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of robert k Wild
> Sent: Monday, June 26, 2023 22:25
> To: Squid Users <squid-users@lists.squid-cache.org>
> Subject: [squid-users] make URL bypass squid proxy
>
> hi all,
>
> I have set up squid for URL whitelisting and no intercept SSL (see below)
>
> https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
>
> but some websites I want the client to bypass the squid proxy and go
> straight to the website, as I think this is why a URL isn't working even when
> I add the URL to both files, i.e. urlwhite and no intercept SSL.
>
> thanks,
> rob
>
> --
> Regards,
>
> Robert K Wild.
>
> --
> Regards,
>
> Robert K Wild.

-- 
Regards,
Robert K Wild.
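An added example, not code from the thread or from the Squid project: the regex and domain-list ACLs above are allow rules, so it is worth checking offline what they actually match before they go into squid.conf. The script models a Squid `*_regex` ACL as an unanchored, case-sensitive search (what `regexec()` does unless the ACL is declared with `-i`) and a `dstdomain` / `ssl::server_name` entry as Squid's leading-dot rule. It uses the three patterns from Eliezer's posted config verbatim and compares the posted `url_regex` with an anchored variant (`URL_REGEX_ANCHORED`), which is my suggestion, not something from the thread. Python's `re` is assumed to be close enough to POSIX ERE for these patterns; all sample SNI values and URLs are constructed for the test and are not from the thread. Two things it makes visible: the posted `url_regex` never matches the bare `https://redshift3d.com/` (the `^` branch cannot match after the scheme) yet does match an allowed URL embedded in another site's query string, and a `url_regex` that starts with a scheme never sees a CONNECT request at all, because for CONNECT the URL Squid evaluates is just `host:port`, so the `dstdomain` / `ssl::server_name` entries are what carry that decision.

```python
import re

# ---- Patterns copied from the squid.conf posted in the thread ----
SERVER_NAME_REGEX = r"(^|.*\.)redshift3d\.com$"            # ssl::server_name_regex
URL_REGEX_POSTED = r"https?://(^|.*\.)redshift3d\.com\/"   # url_regex, as posted
DSTDOMAIN = ".redshift3d.com"                              # dstdomain / ssl::server_name

# ---- Assumed corrected url_regex (my suggestion, not from the thread) ----
# Anchored at the start of the URL, optional subdomain that cannot cross a "/",
# optional port, and a "/" right after the host so look-alike hosts fail.
URL_REGEX_ANCHORED = r"^https?://([^/]*\.)?redshift3d\.com(:[0-9]+)?/"


def regex_acl(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """Model a Squid *_regex ACL: regexec() is an unanchored search over the
    whole value and is case-sensitive unless the ACL was declared with -i.
    Assumption: Python's re behaves like POSIX ERE for these patterns."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, value, flags) is not None


def dstdomain_acl(entry: str, host: str) -> bool:
    """Model one dstdomain / ssl::server_name list entry.
    '.example.com' matches example.com and every subdomain;
    'example.com' (no leading dot) matches only that exact host."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


# Constructed test inputs (not from the thread).
SNI_SAMPLES = [
    "redshift3d.com",
    "www.redshift3d.com",
    "redshift3d.com.evil.example",   # suffix look-alike, must not be spliced
    "notredshift3d.com",             # no dot before the name, must not match
]

URL_SAMPLES = [
    "https://redshift3d.com/",                                  # apex domain
    "https://www.redshift3d.com/",
    "https://evil.example/?u=https://www.redshift3d.com/",      # allowed URL inside a query
    "https://www.redshift3d.com.evil.example/",
    "http://redshift3d.com:8080/",
    "redshift3d.com:443",                                       # what a CONNECT request looks like to url_regex
]


def audit() -> list[tuple[str, str, bool]]:
    """Evaluate every sample against every ACL; returns (acl, value, matched)."""
    rows = []
    for sni in SNI_SAMPLES:
        rows.append(("ssl::server_name_regex", sni, regex_acl(SERVER_NAME_REGEX, sni)))
        rows.append(("ssl::server_name", sni, dstdomain_acl(DSTDOMAIN, sni)))
    for url in URL_SAMPLES:
        rows.append(("url_regex (posted)", url, regex_acl(URL_REGEX_POSTED, url)))
        rows.append(("url_regex (anchored)", url, regex_acl(URL_REGEX_ANCHORED, url)))
    return rows


if __name__ == "__main__":
    for acl, value, matched in audit():
        print(f"{'MATCH' if matched else 'miss ':5}  {acl:24}  {value}")
```

Run it before editing the list files: any row where an allow ACL reports MATCH for a value you did not intend to allow is a whitelist bypass, and any miss on the apex domain explains a site that "is in the file" but still gets bumped or denied.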
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users