Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
C
C
Cas12042016-10-28 15:50:54
linux
Cas1204, 2016-10-28 15:50:54

How to configure squid.conf to whitelist both http and https at the same time?

Raised a transparent proxy squid 3.5.8 in the organization to restrict access to sites, ideally it should be done so that you can only go to 2 https sites and 2 http. The proxy is transparent, works with http and https, the below config works fine in the blacklist scenario, cuts out all recorded sites. But I can’t imagine how to convert the config so that everything works exactly the opposite, if you change
http_access deny whitelist to http_access deny !whitelist and
ssl_bump terminate blocked to ssl_bump terminate !blocked
, then only http traffic filtering works properly, and if the line
http_access deny !whitelist
put after
http_access allow localnet, and not before it, then only https traffic filtering rules work correctly.
In general, I'm confused in one pine, help someone) Squid config
:
acl localnet src 2.2.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl class_ip src "/etc/squid/onlywhite.ip"
acl whitelist dstdomain "/etc/squid/whitelist2.url"
dns_nameservers 8.8.8.8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny whitelist
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 3130 options=NO_SSLv3:NO_SSLv2
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/ squi$
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name "/etc/squid/whitelist.url"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
^ refresh_pattern: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
C
Cas1204, 2016-11-11
@Cas1204

Understood, the issue is closed.

Report
A
as_lan, 2020-08-31
@as_lan

Straight postman Pechkin. I have a solution. But I won't tell you .. Only in the ru segment I meet "understood, the issue is closed." without describing the solution itself. "ssl_bump terminate !whitelist" option doesn't work while "http_access deny !whitelist" is active

Report
D
dmb_1945, 2016-12-01
@dmb_1945

sorry I didn't write like (((

Similar questions
W
wolfak2017-08-25 11:29:18
How to destroy side menu before transition (Swift)? 1Reply
L
lik1732021-01-13 01:48:41
How to make a simple package manager? 2Reply
M
moveOn2019-05-10 11:51:47
Why does npm -v throw a Segmentation fault? 1Reply
M
MSAFT2016-12-12 17:49:03
Yii2 on Nginx. How to configure the server so that the appeal through the contact form gets to the email? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question