Hi Alex,

Thank you and sorry for not including the access log earlier.

1492449506.087 16 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
1492449521.807 5 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -
1492449528.794 41 172.27.3.236 TCP_MISS/301 280 GET http://github.com/ - ORIGINAL_DST/192.30.255.113 -
1492449528.799 0 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
Seems to be the case. Please help me with getting the correct configuration. Thank you very much.

-Shan

On Monday, April 17, 2017 10:43 PM, Alex Rousskov <rouss...@measurement-factory.com> wrote:

On 04/17/2017 10:55 AM, Shanmugam Sundaram wrote:
> The goal is to splice only whitelist (github.com) and terminate all
> other domains.

FYI: I do not know what you mean by "terminate", but if you mean "close the client-to-Squid connection _without_ serving a Squid-generated error response to the user", then your ssl_bump configuration does not reflect your intent. It is easier to terminate non-github connections than to respond with blocking error messages to non-github requests.

> acl http_whitelist dstdomain .github.com
> acl whitelist ssl::server_name .github.com
> http_access allow http_whitelist localnet
> http_access deny all
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all

Your Squid probably denies the fake CONNECT request during step1 (before looking up SNI during step2). That fake CONNECT does not (and cannot) have a host name (because you intercept), so it does not match your "http_whitelist" ACL in the "http_access allow" rule quoted above, following through to the "deny all" rule that always matches.

An access log may be used to confirm or discard the above theory. This is why I have asked you about access log records in my previous email.

Alex.
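As an added check (not code from the thread or from Squid), here is a small parser for Squid's native access.log format that flags the record shape Alex describes: a CONNECT whose target is only an IP:port, answered TCP_DENIED with HIER_NONE, which is what an intercepted step1 CONNECT refused by http_access before any SNI is known looks like. The sample log is constructed from the four records quoted above.

```python
import ipaddress
from dataclasses import dataclass

# Sample input, constructed from the four native-format access.log records in the thread.
SAMPLE_LOG = """\
1492449506.087 16 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
1492449521.807 5 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -
1492449528.794 41 172.27.3.236 TCP_MISS/301 280 GET http://github.com/ - ORIGINAL_DST/192.30.255.113 -
1492449528.799 0 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
"""

@dataclass
class Record:
    ts: float
    client: str
    result: str     # TCP_DENIED, TCP_MISS, ...
    status: int     # HTTP status Squid returned
    method: str
    url: str
    hierarchy: str  # HIER_NONE, ORIGINAL_DST, ...

def parse_native(line: str) -> Record:
    # Native format: time elapsed client code/status bytes method URL ident hier/peer type
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native access.log record: {line!r}")
    code, status = f[3].split("/", 1)
    return Record(float(f[0]), f[2], code, int(status), f[5], f[6], f[8].split("/", 1)[0])

def is_bare_ip_target(url: str) -> bool:
    # A CONNECT target of the form IP:port means Squid had no host name to match on.
    host = url.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def denied_step1_connects(log: str) -> list[Record]:
    # Shape of an intercepted CONNECT refused by http_access before SNI was available:
    # CONNECT + TCP_DENIED + HIER_NONE with a destination that is only IP:port.
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_native(line)
        if (r.method == "CONNECT" and r.result == "TCP_DENIED"
                and r.hierarchy == "HIER_NONE" and is_bare_ip_target(r.url)):
            hits.append(r)
    return hits
```

Three of the four records match, and the one that does not is the plain-HTTP GET that Squid forwarded via ORIGINAL_DST, which is consistent with the step1 denial theory rather than a general network problem.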
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users