Sorry, I hadn't seen the reply as it was attached as an attachment, and I posted a similar question about 302, but I probably know the answer already: as it's not stateful inspection, any redirection to a new domain is a new request that has to go through the ACLs again. I thought about using http_reply_access, but again it's creating a whole new ACL that every reply would have to go through, not just that one. Is there a way to use http_access & http_reply_access together, like http_access allow whitelist & http_reply allow whitelist?

Mirek
> There is a built-in ACL called "all" which does what you defined for the regex "blacklist" to do.
>
> As for sessions. No, Squid follows HTTP, which is stateless. You can configure it though. Set up an ext_session_acl helper for active mode sessions that start when a 302 response comes back. You should have some other ACL to separately whitelist the sites normally blocked, but can open with a session.
>
> Amos

On Thu, Apr 15, 2021 at 9:52 PM Miroslaw Malinowski < mr.miroslaw.malinow...@gmail.com> wrote:

> I've found a resolution using a bit better regex:
>
> acl blackList url_regex ^https?:\/\/.*$
>
> Looking at the debug it is doing exactly what I wanted; however, I now have a different issue: how to handle a 302 MOVED when the move is to a different domain, e.g. packages.gitlab.com is moved to d20rj4el6vkp4c.cloudfront.net. Is squid stateful in a way that it's able to remember those packets are coming from the same session? What would be the best way to resolve the issue other than just keep adding domains if a thing like this happens.
>
>
> Thanks
>
>
> On Thu, Apr 15, 2021 at 1:03 PM Miroslaw Malinowski < mr.miroslaw.malinow...@gmail.com> wrote:
>
>> Hi,
>>
>> I'm trying to use Opnsense built-in squid config to set up a transparent proxy for server updates and block everything else.
>> In GUI they use url_regex for whitelist and blacklist; when I do a simple per-domain whitelist and blacklist it's working as expected, e.g.
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex archive\.ubuntu\.com
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex packages\.gitlab\.com
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> However, when I do a wildcard in the blacklist I also get all https domains blocked, even when I've tried to explicitly allow it with https://archive\.ubuntu\.com , e.g.
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex archive\.ubuntu\.com
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex .*
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> I get:
>> Err:7 https://repos.influxdata.com/ubuntu focal InRelease
>> 403 Forbidden [IP: 52.84.95.46 443]
>>
>> What I'm trying to say is, with the blacklist as . it is blocking all https traffic even if whitelisted. Is this expected behaviour, or am I doing something wrong, or can't it be done with url_regex and I should do it at the backend manually?
>>
>> My config:
>> #
>> # Automatic generated configuration for Squid.
>> # Do not edit this file manually.
>> #
>>
>>
>> # Setup transparent mode listeners on loopback interfaces
>> http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>>
>> # Setup regular listeners configuration
>> http_port 172.16.230.252:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> http_port 172.16.230.254:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>>
>> # setup ssl re-cert
>> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB
>> sslcrtd_children 5
>>
>> tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>
>> # setup ssl bump acl's
>> acl bump_step1 at_step SslBump1
>> acl bump_step2 at_step SslBump2
>> acl bump_step3 at_step SslBump3
>> acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
>>
>> # configure bump
>> ssl_bump peek bump_step1 all
>> ssl_bump peek bump_step2 bump_nobumpsites
>> ssl_bump splice bump_step3 bump_nobumpsites
>> ssl_bump stare bump_step2
>> ssl_bump bump bump_step3
>>
>> sslproxy_cert_error deny all
>>
>> acl ftp proto FTP
>> http_access allow ftp
>>
>>
>> # Setup ftp proxy
>>
>> # Rules allowing access from your local networks.
>> # Generated list of (internal) IP networks from where browsing
>> # should be allowed. (Allow interface subnets).
>> acl localnet src <net>/24 # Possible internal network (interfaces v4)
>> # Default allow for local-link and private networks
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> # ACL - Allow localhost for PURGE cache if enabled
>> acl PURGE method PURGE
>> http_access allow localhost PURGE
>> http_access deny PURGE
>>
>> # ACL lists
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex packages\.wazuh\.com
>> acl whiteList url_regex archive\.ubuntu\.com
>> acl whiteList url_regex security\.ubuntu\.com
>> acl whiteList url_regex repos\.influxdata\.com
>>
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex .*
>>
>> # ACL - Remote fetched Blacklist (remoteblacklist)
>>
>> # ACL - Block browser/user-agent - User defined (browser)
>>
>> # ACL - SSL ports, default are configured in config.xml
>> # Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
>> acl SSL_ports port 443 # https
>>
>> # Default Safe ports are now defined in config.xml
>> # Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
>> # ACL - Safe_ports
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # ICAP SETTINGS
>> # disable icap
>> icap_enable off
>>
>> # Pre-auth plugins
>> include /usr/local/etc/squid/pre-auth/*.conf
>>
>> # Authentication Settings
>>
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>>
>> #
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> # Google Suite Filter
>>
>> # YouTube Filter
>>
>> # Deny requests to certain unsafe ports
>>
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than secure SSL ports
>>
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> http_access deny to_localhost
>>
>> # Auth plugins
>> include /usr/local/etc/squid/auth/*.conf
>>
>> #
>> # Access Permission configuration:
>> #
>> # Deny request from unauthorized clients
>>
>> #
>> # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
>> http_access allow localnet
>>
>> # ACL - localhost
>> http_access allow localhost
>>
>> # Deny all other access to this proxy
>> http_access deny all
>> # Post-auth plugins
>> include /usr/local/etc/squid/post-auth/*.conf
>>
>> # Caching settings
>> cache_mem 1000 MB
>> maximum_object_size 200 MB
>> cache_replacement_policy heap LFUDA
>> cache_dir ufs /var/squid/cache 100000 16 256
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/squid/cache
>>
>> #
>> # Add any of your own refresh_pattern entries above these.
>> #
>>
>> # Linux package cache:
>> refresh_pattern pkg\.tar\.xz$ 0 20% 4320 refresh-ims
>> refresh_pattern d?rpm$ 0 20% 4320 refresh-ims
>> refresh_pattern deb$ 0 20% 4320 refresh-ims
>> refresh_pattern udeb$ 0 20% 4320 refresh-ims
>> refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
>> refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
>> refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
>> refresh_pattern Release$ 0 20% 4320 refresh-ims
>> # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> # Squid Options
>> # dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
>> dns_v4_first on
>> pinger_enable off
>> access_log stdio:/var/log/squid/access.log squid
>> cache_store_log stdio:/var/log/squid/store.log
>> # URI handling with Whitespaces (default=strip)
>> uri_whitespace strip
>> # X-Forwarded header handling (default=on)
>> forwarded_for on
>> # Disable squid logfile rotate to use system defaults
>> logfile_rotate 0
>> # Define visible email
>> cache_mgr admin@localhost.local
>> error_directory /usr/local/etc/squid/errors/local
>>
>> Thanks
>>
>>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
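The http_access ordering from the thread, condensed and simulated as an added example (not code from the thread or from Squid itself): it models Squid's first-match http_access evaluation over url_regex ACLs to show why the `.*` blacklist denied the intercepted TLS connection, which reaches http_access as a fake CONNECT to the destination ip:port before the SNI has been peeked, while the scheme-anchored `^https?:\/\/.*$` regex lets that CONNECT fall through to `allow localnet` and still denies non-whitelisted https URLs once the bumped GET is seen. The client address, the 172.16.230.0/24 network standing in for `<net>/24`, and the request list are constructed.

```python
import ipaddress
import re
# Constructed stand-in for the "<net>/24" localnet entry in the thread's config.
LOCALNET = ipaddress.ip_network("172.16.230.0/24")

# url_regex ACLs from the thread: whitelist, original ".*" blacklist, scheme-anchored one.
URL_REGEX_ACLS = {
    "whiteList": [r"archive\.ubuntu\.com", r"repos\.influxdata\.com"],
    "blackList_star": [r".*"],
    "blackList_scheme": [r"^https?:\/\/.*$"],
}

def acl_matches(name, client_ip, url):
    """Evaluate one ACL: built-in 'all', the src-based 'localnet', or a url_regex."""
    if name == "all":
        return True
    if name == "localnet":
        return ipaddress.ip_address(client_ip) in LOCALNET
    # url_regex is an unanchored search over the full request URL; any pattern matches
    return any(re.search(p, url) for p in URL_REGEX_ACLS[name])

def http_access(rules, client_ip, url):
    """First matching line decides; with no match Squid applies the opposite of the last line."""
    for action, acl in rules:
        if acl_matches(acl, client_ip, url):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def rules_with(blacklist):
    # The thread's http_access ordering, condensed to the lines that matter here.
    return [("allow", "whiteList"), ("deny", blacklist),
            ("allow", "localnet"), ("deny", "all")]

# Constructed requests as http_access sees them. An intercepted TLS connection first
# arrives as a fake CONNECT to the destination ip:port (the SNI is only known after
# peeking); the decrypted GET after bumping carries the full https:// URL.
REQUESTS = [
    "http://archive.ubuntu.com/ubuntu/dists/focal/InRelease",    # plain HTTP GET
    "52.84.95.46:443",                                            # fake CONNECT, step 1
    "repos.influxdata.com:443",                                   # CONNECT naming the server
    "https://repos.influxdata.com/ubuntu/dists/focal/InRelease",  # bumped GET, whitelisted
    "https://evil.example.test/",                                 # bumped GET, not whitelisted
]

def evaluate(blacklist, client_ip="172.16.230.10"):
    """Return {url: verdict} for each constructed request under the given blacklist ACL."""
    return {u: http_access(rules_with(blacklist), client_ip, u) for u in REQUESTS}

if __name__ == "__main__":
    for name in ("blackList_star", "blackList_scheme"):
        print(name, evaluate(name))
```

With the `.*` blacklist the step-1 CONNECT to the bare IP is denied before any whitelist entry can match, which is the 403 with `[IP: 52.84.95.46 443]` reported above; the scheme-anchored regex only bites once a full https:// URL is visible.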