On Sat, 2015-05-30 at 16:24 -0600, James Lay wrote:
> On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote:
>
> > On 31/05/2015 4:48 a.m., James Lay wrote:
> > > Per the docs:
> > >
> > > # Conditional configuration
> > > #
> > > # If-statements can be used to make configuration directives
> > > # depend on conditions:
> > > #
> > > # if <CONDITION>
> > > # ... regular configuration directives ...
> > > # [else
> > > # ... regular configuration directives ...]
> > > # endif
> > > #
> > > # The else part is optional. The keywords "if", "else", and "endif"
> > > # must be typed on their own lines, as if they were regular
> > > # configuration directives.
> > > #
> > > # NOTE: An else-if condition is not supported.
> > > #
> > > # These individual conditions types are supported:
> > > #
> > > # true
> > > # Always evaluates to true.
> > > # false
> > > # Always evaluates to false.
> > > # <integer> = <integer>
> > > # Equality comparison of two integer numbers.
> > >
> > > Anyone have any examples, documentation, heck ANYTHING that can show how
> > > this works? I can't seem to find a thing besides the above.
> >
> > Those are for process controls (SMP, named services, etc).
> >
> > > My goal is
> > > something like the below:
> > >
> > > if port = 80
> > > http_access deny all
> > > else
> > > http_access allow all
> > > endif
> > >
> > > But nothing I'm trying as the condition expression is working. Thank
> > > you.
> >
> > The default Squid configuration should "just work"...
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_Ports
> > ...
> > # this one permits the CONNECT *:443 requests to get bumped
> > http_access allow localnet
> > ..
> > http_access deny all
> >
> > If you are using any other access controls on your client traffic you
> > need to keep in mind that Squid is dealing with "CONNECT raw-IP:443 ..."
> > requests in http_access / adapted_http_access / url_rewrite_access /
> > adaptation_access / ssl_bump prior to bumping them.
> >
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
> Hi again Amos,
>
> So...my method of access control might be weird. I have a regex list
> of sites that work fine via http (say \.acer\.com). So, I allow
> access to this list via:
>
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> http_access allow allowed_http_sites
> http_access deny !allowed_http_sites
>
> This works well for allowing access to the list of sites....the lack
> of http_access allow localnet makes this happen. With the above
> however, ssl_bumping stops working as I get:
>
> [16:18:22 jlay@powerbook:~/test$ wget
> --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d
> https://www.msn.com
> DEBUG output created by Wget 1.16 on linux-gnu.
>
> URI encoding = ‘UTF-8’
> --2015-05-30 16:19:46-- https://www.msn.com/
> Certificates loaded: 173
> Resolving www.msn.com (www.msn.com)... 204.79.197.203
> Caching www.msn.com => 204.79.197.203
> Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
> connected.
> Created socket 4.
> Releasing 0x10c3ef98 (new refcount 1).
> The certificate's owner does not match hostname ‘www.msn.com’
>
> May 30 16:19:46 analysis squid: 192.168.1.73 - - [30/May/2015:16:19:46
> -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0
> TCP_DENIED:HIER_NONE peek
>
> Adding http_access allow localnet makes ssl_bumping work correctly,
> but then the http_access deny !allowed_http_sites does not work. I'm
> having a hard time getting both http and https filtering to play well
> together with one instance of squid. I'd like to try and just go with
> one, but if I have to I'll go with two. Anyway thanks again for
> looking...I hope I'm explaining this well.
>
> James
Ok I think I got it...added:

acl allow_https port 443
...
http_access allow allow_https

Now my clients are allowed full port 443 access, which gets a decision of allow or block later on, and this also allows my "usual" http access list....woo hoo! I'll post the full info later. Thanks so much.

James
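The following Python model is an added illustration of why the first rule set in this thread denied the peeked CONNECT and why adding the port-443 allow fixes it; it is not part of the thread and not Squid's code. It reproduces Squid's first-match http_access evaluation with the two ACL types the thread uses (url_regex and port), using a constructed in-line pattern in place of the list file /opt/etc/squid/http_url.txt. As Amos points out, before bumping Squid sees the intercepted request as "CONNECT raw-IP:443", so a hostname regex cannot match it; what happens to the decrypted request after the bump is outside this model.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Simplified model of Squid's http_access evaluation, written for this thread.
# Only url_regex and port ACLs are modelled (assumption: that is enough to
# show the ordering problem discussed above).


@dataclass
class Request:
    method: str
    host: str  # hostname, or the raw IP Squid sees for an intercepted CONNECT
    port: int

    @property
    def url(self) -> str:
        # Squid applies url_regex to "host:port" for CONNECT requests and to
        # the full URL for ordinary requests.
        if self.method == "CONNECT":
            return f"{self.host}:{self.port}"
        return f"http://{self.host}/"


AclFn = Callable[[Request], bool]
Rule = Tuple[str, AclFn, bool]  # (action, acl, negated as in "!acl")


def acl_url_regex(patterns: List[str]) -> AclFn:
    compiled = [re.compile(p) for p in patterns]
    return lambda req: any(c.search(req.url) for c in compiled)


def acl_port(*ports: int) -> AclFn:
    return lambda req: req.port in ports


def http_access(rules: List[Rule], req: Request) -> str:
    """First matching rule decides; if nothing matches, Squid applies the
    opposite of the last rule's action."""
    for action, acl, negated in rules:
        if acl(req) != negated:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed ACLs standing in for the thread's list file and port ACL.
allowed_http_sites = acl_url_regex([r"\.acer\.com"])
allow_https = acl_port(443)

# The first attempt from the thread: the regex list and a deny for the rest.
ORIGINAL_RULES: List[Rule] = [
    ("allow", allowed_http_sites, False),
    ("deny", allowed_http_sites, True),   # http_access deny !allowed_http_sites
]

# The working order: let port-443 CONNECTs through so they can be peeked and
# bumped, and keep the regex list for plain HTTP.
FIXED_RULES: List[Rule] = [
    ("allow", allow_https, False),        # http_access allow allow_https
    ("allow", allowed_http_sites, False),
    ("deny", allowed_http_sites, True),
]

# Constructed requests: the intercepted CONNECT from the access.log line in
# the thread, a listed HTTP site and an unlisted HTTP site.
PEEK_CONNECT = Request("CONNECT", "204.79.197.203", 443)
ACER_HTTP = Request("GET", "www.acer.com", 80)
OTHER_HTTP = Request("GET", "www.example.com", 80)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for req in (PEEK_CONNECT, ACER_HTTP, OTHER_HTTP):
            print(f"{name:8} {req.method:7} {req.url:22} -> {http_access(rules, req)}")
```

Running it shows the original rule set returning "deny" for the raw-IP CONNECT (the TCP_DENIED in the log) while the fixed order allows it, and both orders still allow the listed HTTP site and deny the unlisted one.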