RE: [squid-users] https interception some whitelisted sites not working properly

From: Ikna Nou <iknano_at_outlook.com>
Date: Fri, 2 May 2014 14:54:05 -0400

Fellows, one more question: with the following setup, am I achieving a truly transparent proxy?

# 3129: explicit (forward) proxy port; 3128: intercepted plain HTTP; 3127: intercepted HTTPS, bumped
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/squid3/certs/ssl/public.pem key=/etc/squid3/certs/ssl/private.pem

# whitelists: IP-based (dst) and name-based (dstdomain)
acl broken_sites_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites_ip
ssl_bump none broken_sites
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all

I have also enabled ip_forward and got these iptables rules:

# redirect intercepted HTTP/HTTPS from the LAN interface to the intercept ports
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
# allow clients to reach the explicit proxy port
iptables -I INPUT -p tcp -m tcp --dport 3129 -j ACCEPT

Thanks

----------------------------------------
> From: iknano_at_outlook.com
> To: squid-users_at_squid-cache.org
> Date: Fri, 2 May 2014 11:47:43 -0400
> Subject: RE: [squid-users] https interception some whitelisted sites not working properly
>
> Thank you Eliezer for your quick answer. I've been struggling for many days to get this to work...
>
> Tested your recommendation and it worked like a charm!
>
> ...
> ...
> acl broken_sites_ip dst a.b.c.d/xx
> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
> always_direct allow broken_sites
> ssl_bump none localhost
> ssl_bump none broken_sites_ip
> ssl_bump none broken_sites
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ssl_bump server-first all
> ...
> ...
>
> One last question: is the "always_direct" instruction necessary?
> Thanks!
>
>
>
>> Date: Fri, 2 May 2014 00:55:03 +0300
>> From: eliezer_at_ngtech.co.il
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] https interception some whitelisted sites not working properly
>>
>> Hey there,
>>
>> This was asked in the past month twice if I'm not wrong.
>> In the stage when you use ssl_bump.. squid doesn't have any sense of
>> dstdomain.
>> Means that when squid bumps and knows the site name the connection is
>> already bumped and knows about it but when you want to apply a whitelist
>> squid only works on the IP level.
>> So instead use iptables and/or squid "dst" as a whitelist level.
>>
>> Eliezer
>>
>> On 05/02/2014 12:21 AM, Ikna Nou wrote:
>>> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
>>
>>
>
Received on Fri May 02 2014 - 18:54:15 MDT
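Added example (not part of the thread above, nor Squid project code): Eliezer's point is that at the ssl_bump decision stage Squid 3.x only knows the destination IP, so an HTTPS bypass list has to be expressed as a "dst" ACL (or in iptables), not a "dstdomain" one. The script below turns the dstdomain list from the thread into the companion dst list by resolving each name, and emulates Squid's dst matching so you can check which entry a given destination would hit. The file names follow the thread; the resolver hook, the sample whitelist and the fixed DNS answers are constructed for the example so it runs offline.

```python
#!/usr/bin/env python3
"""Build a Squid "dst" (IP) ACL file from a "dstdomain" whitelist.

Added example for the squid-users thread on ssl_bump whitelisting; the
resolver hook and sample data below are assumptions, not Squid code.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]


def parse_dstdomain_acl(text: str) -> List[str]:
    """Return the hostnames listed in a Squid dstdomain ACL file.

    Blank lines and '#' comments are ignored. A leading '.' means "this
    domain and its subdomains"; it is stripped because only the apex name
    can be resolved here (subdomains cannot be enumerated from DNS).
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.append(line.lstrip(".").lower())
    return names


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's resolver (default when none is injected)."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_dst_acl(domain_acl_text: str,
                  resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Map each whitelisted hostname to its current addresses.

    Addresses are de-duplicated and sorted (IPv4 before IPv6); a name that
    does not resolve maps to an empty list so it stands out in the output.
    """
    result: Dict[str, List[str]] = {}
    for name in parse_dstdomain_acl(domain_acl_text):
        addrs = set()
        for a in resolve(name):
            try:
                addrs.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # resolver returned something that is not an IP
        result[name] = [str(ip) for ip in
                        sorted(addrs, key=lambda ip: (ip.version, int(ip)))]
    return result


def render_dst_acl(mapping: Dict[str, List[str]]) -> str:
    """Render the mapping as a dst ACL file, one address per line, keeping
    the source hostname as a comment so the list can be audited later."""
    lines = ["# generated from ssl_whitelist.acl; regenerate when addresses change"]
    for name, addrs in mapping.items():
        if not addrs:
            lines.append(f"# WARNING: {name} did not resolve")
            continue
        lines.append(f"# {name}")
        lines.extend(addrs)
    return "\n".join(lines) + "\n"


def dst_matches(dst_ip: str, dst_acl_text: str) -> Optional[str]:
    """Emulate Squid's dst matching: return the first ACL entry (a bare
    address or an a.b.c.d/xx network) that contains dst_ip, else None."""
    ip = ipaddress.ip_address(dst_ip)
    for raw in dst_acl_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return entry
    return None


# Constructed sample whitelist and fixed DNS answers (documentation ranges)
# so the example runs without network access.
SAMPLE_WHITELIST = """\
# ssl_whitelist.acl (constructed sample)
.bank.example
mail.example
unresolvable.invalid
"""
FAKE_DNS = {
    "bank.example": ["198.51.100.20", "198.51.100.10"],
    "mail.example": ["203.0.113.5", "2001:db8::5"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    acl_text = render_dst_acl(build_dst_acl(SAMPLE_WHITELIST, fake_resolver))
    print(acl_text)
    print("198.51.100.20 matches:", dst_matches("198.51.100.20", acl_text))
```

Two caveats worth keeping in mind when running this against a real list: the addresses behind a hostname change (CDNs in particular), so the dst file has to be regenerated on a schedule and Squid told to reload it (`squid -k reconfigure`); and an IP whitelist is coarser than a name whitelist, because every other site served from a whitelisted address is exempted from bumping as well, so review the generated file rather than trusting it blindly.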

This archive was generated by hypermail 2.2.0 : Sat May 03 2014 - 12:00:04 MDT