Squid
Serg436, 2016-09-01 10:45:16

"Transparent" Squid with HTTPS resource filtering, whitelisting?

I have Squid 3.5.8 installed and it works great, but the problem is that I need the users group to work only from the white list.

Squid config:

acl localnet src 192.168.0.0/24
acl users src 192.168.0.200-192.168.0.246
acl trusted src 192.168.0.248 192.168.0.247

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

acl blacklist dstdomain "/etc/squid/black_list"
acl whitelist dstdomain "/etc/squid/white_list"

http_access allow trusted
http_access allow whitelist users
http_access deny blacklist users

# And finally deny all other access to this proxy
http_access deny blacklist localnet
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.0.13:1111 options=NO_SSLv3:NO_SSLv2
http_port 192.168.0.13:1112 transparent options=NO_SSLv3:NO_SSLv2
https_port 192.168.0.13:1113 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl blocked ssl::server_name "/etc/squid/black_list"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked !trusted !whitelist
ssl_bump splice all

sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 64MB

dns_nameservers 8.8.8.8
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir ufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

me domains, so the list is quite large), and in the white list .mail.ru, etc. But if I block this way, Google and some other sites that are in the white list (and, accordingly, should open) for some reason complain about the certificate and do not let me in. I tried removing .ru from the black list (leaving the rest of the blocks in place), and Google started loading without problems; for the trusted group, of course, everything works fine.


1 answer(s)
Kawarimi, 2016-11-15
@Kawarimi

Try changing the rules
http_access allow whitelist users
http_access deny blacklist users
to
http_access deny !whitelist users
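As an added illustration (not part of the question or the answer), the script below replays Squid's first-match http_access evaluation over the ACLs from the config above, once with the original rule order and once with the answer's `deny !whitelist users` variant. The list contents are constructed stand-ins (the page names only `.mail.ru` in the white list and `.ru` in the black list and says Google is whitelisted); the Safe_ports, CONNECT and manager lines are left out because they do not depend on the destination domain.

```python
import ipaddress

# Constructed stand-ins for /etc/squid/white_list and /etc/squid/black_list; the
# page names only ".mail.ru" (white) and ".ru" (black) and says Google is whitelisted.
WHITE_LIST = [".mail.ru", ".google.com"]
BLACK_LIST = [".ru", ".vk.com"]

def dstdomain_match(patterns, host):
    """Squid dstdomain: a leading dot matches the domain and all its subdomains,
    a bare name matches only that exact host (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any((host == p[1:] or host.endswith(p)) if p.startswith(".") else host == p
               for p in (x.lower() for x in patterns))

def src_match(specs, ip):
    """Squid src: a CIDR / single address, or an inclusive 'first-last' range."""
    addr = ipaddress.ip_address(ip)
    for spec in specs:
        if "-" in spec:
            lo, hi = map(ipaddress.ip_address, spec.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

# The ACLs from the question's squid.conf (port/method/manager ACLs left out).
ACLS = {
    "localnet": lambda r: src_match(["192.168.0.0/24"], r["src"]),
    "users": lambda r: src_match(["192.168.0.200-192.168.0.246"], r["src"]),
    "trusted": lambda r: src_match(["192.168.0.248", "192.168.0.247"], r["src"]),
    "localhost": lambda r: src_match(["127.0.0.0/8"], r["src"]),
    "whitelist": lambda r: dstdomain_match(WHITE_LIST, r["dst"]),
    "blacklist": lambda r: dstdomain_match(BLACK_LIST, r["dst"]),
    "all": lambda r: True,
}
ORIGINAL = [("allow", "trusted"), ("allow", "whitelist", "users"),
            ("deny", "blacklist", "users"), ("deny", "blacklist", "localnet"),
            ("allow", "localnet"), ("allow", "localhost"), ("deny", "all")]
# The answer's variant: the two 'users' lines replaced by 'deny !whitelist users'.
FIXED = [("allow", "trusted"), ("deny", "!whitelist", "users"),
         ("deny", "blacklist", "localnet"), ("allow", "localnet"),
         ("allow", "localhost"), ("deny", "all")]

def http_access(rules, src, dst):
    """First match wins: a line matches when every ACL on it matches ('!' negates).
    With no match Squid applies the opposite of the last line's action."""
    req = {"src": src, "dst": dst}
    for action, *acls in rules:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

For a client in the users range, a domain in neither list returns allow under the original order (the `allow localnet` line catches it) and deny under the answer's order. A whitelisted host that also falls under the `.ru` black-list entry, such as e.mail.ru, is allowed under the original order but denied under the answer's, because evaluation then reaches the later `deny blacklist localnet` line.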
