Wow that worked! Thanks!
On Fri, May 6, 2016 at 5:00 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 6/05/2016 5:51 p.m., Victor Hugo wrote:
> > Here's a strange one for you though, if I change:
> > acl whitelist-regex url_regex -i reddit.com/r/news
> >
> > to:
> > acl whitelist-regex url_regex -i reddit\.com\/r\/news www\.reddit\.com\:443
> >
> > it works every 2nd time but the match is too greedy and allows
> > www.reddit.com/r/anything every 2nd time.
> >
>
> That first regex pattern requires a path "/r/news" to exist. CONNECT
> messages do not have paths.
>
> That second pattern you are now adding matches (and thus allows) the
> CONNECT message authority-URI built from the traffic SNI details.
>
> They are two different regex patterns so if *either one* matches the ACL
> test will be a match.
>
>
> Try adding these lines *after* the default "deny CONNECT !SSL_ports" line:
> acl reddit dstdomain .reddit.com
> http_access allow CONNECT SSL_ports reddit
>
> That should allow the CONNECT's stuff to happen and your ssl_bump and
> http_access rules then handle the HTTPS.
>
>
> Amos
>
> > Victor
> >
> > On Thu, Feb 11, 2016 at 10:05 AM, Victor Hugo <fourtri...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> I was wondering if it is possible to filter HTTPS URLs using squid (for
> >> example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
> >>
> >> I thought this may be possible using ssl_bump and url_regex. I have been
> >> trying this using squid 3.5.13 but with no success.
> >>
> >> Here is the squid configuration that I have tried but doesn't seem to work
> >> (it works for http sites though):
> >>
> >> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> >> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> >> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> >> acl localnet src fc00::/7       # RFC 4193 local private network range
> >> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> >>
> >> acl SSL_ports port 443
> >> acl Safe_ports port 80          # http
> >> acl Safe_ports port 21          # ftp
> >> acl Safe_ports port 443         # https
> >> acl Safe_ports port 70          # gopher
> >> acl Safe_ports port 210         # wais
> >> acl Safe_ports port 1025-65535  # unregistered ports
> >> acl Safe_ports port 280         # http-mgmt
> >> acl Safe_ports port 488         # gss-http
> >> acl Safe_ports port 591         # filemaker
> >> acl Safe_ports port 777         # multiling http
> >> acl CONNECT method CONNECT
> >>
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access allow localhost manager
> >> http_access deny manager
> >>
> >> acl whitelist-regex url_regex -i reddit.com/r/news
> >> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >> acl bump_sites ssl::server_name .reddit.com
> >> ssl_bump bump bump_sites
> >> ssl_bump splice !bump_sites
> >> http_access allow whitelist-regex
> >> http_access allow localhost
> >> http_access deny all
> >> coredump_dir /opt/squid-3.5.13/var/spool/squid3
> >> refresh_pattern ^ftp:           1440    20%     10080
> >> refresh_pattern ^gopher:        1440    0%      1440
> >> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> >> refresh_pattern .               0       20%     4320
> >> pinger_enable off
> >>
> >> Relevant access.log output (IP addresses redacted to x.x.x.x):
> >> 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
> >> 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
> >> 1455145755.782      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
> >>
> >> I don't want to whitelist the dstdomain .reddit.com
> >> (i.e. whitelist-ssldomain dstdomain .reddit.com) as that would allow
> >> access to all of the other subreddits.
> >>
> >> Appreciate any help or suggestions you have. Thanks.
> >>
> >> Victor
> >>
> >
> >
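The rule ordering Amos describes, written out as one complete access-control fragment so the two evaluation passes are visible side by side: the first pass sees only the CONNECT (host:port, no path), the second pass sees the decrypted GET with its full https:// URL. This is an added example, not configuration from the thread or from the Squid project. It reuses the port, CA path and ssl::server_name ACL from Victor's config, and the anchored pattern `^https://www\.reddit\.com/r/news(/|\?|$)` is my proposed tightening of the original unanchored `reddit.com/r/news`, not something suggested in the thread.

```conf
# --- stock safety rules, unchanged ---
acl SSL_ports port 443
acl Safe_ports port 80 443 21 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Pass 1: the CONNECT request. It carries only "www.reddit.com:443", so a
# url_regex that needs "/r/news" can never match it. dstdomain matches the
# authority (host name) instead, and SSL_ports keeps this to port 443 only.
# Placed right after "deny CONNECT !SSL_ports", as Amos suggested.
acl reddit dstdomain .reddit.com
http_access allow CONNECT SSL_ports reddit

# Bump reddit.com TLS so the inner requests become visible; splice (pass
# through untouched) every other site. Same http_port/cert as the thread.
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl bump_sites ssl::server_name .reddit.com
ssl_bump bump bump_sites
ssl_bump splice !bump_sites

# Pass 2: the decrypted GET/POST inside the tunnel re-enters http_access
# with its full URL, e.g. "https://www.reddit.com/r/news". Anchoring at ^
# and ending at "/", "?" or end-of-string is my addition: the unanchored
# "reddit.com/r/news" also matches "/r/newsletter" and any other URL that
# merely contains that substring (e.g. in a query parameter).
acl whitelist-regex url_regex -i ^https://www\.reddit\.com/r/news(/|\?|$)
http_access allow whitelist-regex
http_access allow localhost

# Everything else, including every other subreddit, ends here with a 403.
http_access deny all
```

Check the file with `squid -k parse -f /opt/squid-3.5.13/etc/squid3/squid.conf` before reloading with `squid -k reconfigure`. Afterwards the CONNECT entries for www.reddit.com:443 in access.log should stop showing TCP_DENIED, while a GET for a non-whitelisted subreddit should still be logged with a 403 status.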
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users