Hi,

I have a setup with a PF firewall that intercepts HTTP and HTTPS traffic and 
forwards that to Squid. Squid is set up to log all traffic and it uses an SSL 
bump for the HTTPS traffic.

In the setup I have a whitelist of domains that don't get logged; the rest of 
the traffic gets logged and redirected to SquidGuard for further blacklisting. 
All that works great.

What I cannot figure out is how to add a couple of local IP addresses that can 
ONLY access the whitelist (or possibly ANOTHER whitelist) and nothing else on 
the Internet.

The ACL for the "windows_boxes" is the one that is supposed to ONLY access the 
whitelisted domains. However, when I enter the URL https://www.mojang.com I get 
an "Access denied". However, if I add a NON-SSL domain to the whitelist, then 
those work.

This is my current squid.conf. I know I am overlooking something, but I cannot 
figure out what I am doing wrong.

<SNIP>
acl step1 at_step SslBump1
acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net
acl whitelist ssl::server_name d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com
acl whitelist ssl::server_name minecraft-textures-1196058387.us-east-1.elb.amazonaws.com
acl whitelist ssl::server_name .steampowered.com .steamcommunity.com .steamgames.com
acl whitelist ssl::server_name .steamusercontent.com .steamcontent.com .steamstatic.com
acl whitelist ssl::server_name .akamaihd.net .ubuntu.com

# We don't want the whitelist to be cached.
cache deny whitelist

# We want direct access on the whitelist.
always_direct allow whitelist

# Don't redirect to SquidGuard.
redirector_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still get blocked on these boxes.
http_access deny windows_boxes !whitelist

http_access allow localhost
http_access allow localnet

http_access deny all

# We'll intercept traffic using PF.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Any feedback would be greatly appreciated! Thank you in advance!

Kindest regards. 
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
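Added example, not part of the original post: the failing rule next to a common way of restructuring it. It assumes that on an intercepted HTTPS connection the fake CONNECT Squid evaluates at SslBump1 carries only the destination IP address, so an `ssl::server_name` domain whitelist cannot match until the peek has learned the SNI; the `windows_boxes`, `whitelist` and `step1` names are the ones from the posted squid.conf.

```conf
# Added example (not from the original post). Assumption: at SslBump1 on an
# intercepted connection ssl::server_name only sees the destination IP, so
# "!whitelist" is true for every HTTPS site and the deny fires before peeking.
acl step1 at_step SslBump1
acl CONNECT method CONNECT
acl windows_boxes src 192.168.1.201 192.168.1.202

# One whitelist entry per line is valid squid.conf syntax; the list is
# shortened here.
acl whitelist ssl::server_name .mojang.com .minecraft.net
acl whitelist ssl::server_name .ubuntu.com

# Original rule, for comparison. Plain HTTP works because the Host header is
# available immediately; HTTPS is denied at step1 before the SNI is known.
#   http_access deny windows_boxes !whitelist

# Let the step1 fake CONNECT from the restricted boxes through so Squid can
# peek at the ClientHello and learn the SNI. No payload is relayed yet.
http_access allow windows_boxes CONNECT step1

# Now enforce the whitelist: on the step2 fake CONNECT (SNI known), on plain
# HTTP requests, and on requests inside bumped connections.
http_access deny windows_boxes !whitelist

# Whitelisted sites are spliced once the name is known; the rest are bumped.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all
```

Check the effect with `squid -k parse` and by watching access.log for the fake CONNECT entries from 192.168.1.201: a whitelisted name should now show the step1 CONNECT allowed and the connection spliced, while any other name is denied at step2.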
