Hi Amos. Thanks for pointing it out - but this has never been an acl-related issue, more like a https_port / ssl-bump configuration question when the upstream ssl request was not sending a "CONNECT www.example.org:443" but a "GET https://www.example.org".
For the sake of testing one can simply get rid of the acls and set "allow all", it wouldn't matter - this line "ssl_bump splice all" is the answer most people were looking for, I suppose.

Best regards.

On Sun, Aug 20, 2017 at 10:31 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 20/08/17 14:38, Diogenes S. Jesus wrote:
>>
>> * squid.conf:
>> -----------------------
>> acl localhost src 127.0.0.0/8
>> acl localnet src 192.168.100.0/24 192.168.101.0/24 172.16.0.0/12
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 443 # https
>> acl CONNECT method CONNECT
>>
>> http_access allow localhost localnet
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny all
>>
>
> Those http_access rules contain an impossible condition.
>
> The src-IP cannot simultaneously be having a value in the 127/8 network
> range *and* in one of the RFC1918 ranges. So there is no way anything is
> ever allowed to use this proxy.
>
> I suspect it was working due to a recently fixed bug where the CONNECT
> message was not consistently passed through http_access controls sometimes
> in the first SSL-Bump step. Do not expect that to work much longer.
>
>
> Amos

--
Diogenes S. de Jesus
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
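To make Amos's point concrete, here is an added Python model of how Squid evaluates http_access lines (my own illustration, not Squid code and not from the thread): ACLs on one line are ANDed, the first line whose ACLs all match decides, and the fix is one allow line per src ACL so either may match. The ACL table and both rulesets are reconstructed from the quoted squid.conf; the request dictionaries are constructed sample input.

```python
import ipaddress

# ACL definitions mirroring the squid.conf quoted above.
ACLS = {
    "localhost": ("src", ["127.0.0.0/8"]),
    "localnet": ("src", ["192.168.100.0/24", "192.168.101.0/24", "172.16.0.0/12"]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 443]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("any", []),
}

# As posted: both src ACLs on ONE line, so a client must be in 127/8 AND in
# one of the localnet ranges at the same time. Nothing can ever match.
ORIGINAL_RULES = [
    ("allow", ["localhost", "localnet"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]

# Corrected: one allow line per src ACL, which Squid treats as OR.
FIXED_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "any":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return req["port"] in values
    return req["method"] in values  # kind == "method"

def http_access(rules, req):
    """ACLs on a line are ANDed ('!' negates); first fully matching line wins.
    If no line matches, Squid uses the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```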