Solution:
It is the error message 'TCP_DENIED/200 0 CONNECT' which showed me the way.

Directive is too restrictive:
    http_access deny CONNECT !SSL_ports

It works now with:
    http_access allow CONNECT safe_ports

where safe ports are: 80, 443, 1025-65535 (maybe too large)

________________________________
From: squid-users <squid-users-boun...@lists.squid-cache.org> on behalf of BOISIAUD Jean-Yves <jyboisiaud-...@ecritel.net>
Sent: Monday, 24 February 2025 16:38
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ssl-bump with url_regex

Hello,

I am using Squid 5.7 on a Debian 12 system.
I would like to grant only some given URL path for a site using HTTPS.
For example, in the following configuration:

    ...
    http_port 3128 ssl-bump tcpkeepalive=60,30,3 \
        cert=/etc/squid/certs/signingCA.crt \
        key=/etc/squid/certs/signingCA.key \
        tls-cafile=/etc/squid/certs/chain.pem \
        generate-host-certificates=on \
        dynamic_cert_mem_cache_size=20MB \
        cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
        options=NO_TLSv1,NO_SSLv3 \
        tls-dh=prime256v1:/etc/squid/certs/dhparam.pem
    acl intermediate_fetching transaction_initiator certificate-fetching
    acl SSLBumpSites ssl::server_name www.example.com
    acl server src 192.168.1.1
    acl path urlpath_regex ^/valid_path/$
    ...
    http_access allow src path
    ...
    ssl_bump peek all
    ssl_bump bump SSLBumpSites
    ssl_bump slice all
    http_access deny all
    cache deny all

Works with http (curl http://www.example.com/valid_path/):
    - TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/151.101.122.132

Does not work with HTTPS (curl https://www.example.com/valid_path/):
    - TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- - bump
    - NONE_NONE/403 3894 GET https://www.example.com/valid_path/ - HIER_NONE/- text/html -

Other https requests work fine:
    - TCP_TUNNEL/200 - splice

What is wrong in my configuration?

Thank you for your help.
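Added example, not part of the thread: since the working rule opens CONNECT to 80, 443 and 1025-65535, one way to see how far that range can be narrowed is to tally which CONNECT targets actually appear in access.log. The sketch below assumes Squid's native log layout; the sample lines, the function name audit_connects and the expected_ports default are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (not from the post).
SAMPLE_LOG = """\
1740411480.101    212 192.168.1.1 TCP_TUNNEL/200 5120 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.10 -
1740411481.310      0 192.168.1.1 TCP_DENIED/200 0 CONNECT www.example.com:443 - HIER_NONE/- -
1740411482.455    950 192.168.1.1 TCP_TUNNEL/200 88213 CONNECT host.example.net:8443 - HIER_DIRECT/203.0.113.20 -
1740411483.002     35 192.168.1.1 TCP_MISS/200 467686 GET http://www.example.com/valid_path/ - HIER_DIRECT/203.0.113.30 text/html
1740411484.777   4011 192.168.1.1 TCP_TUNNEL/200 1033 CONNECT host.example.net:2222 - HIER_DIRECT/203.0.113.20 -
"""

# Result code/status, size, CONNECT method and host:port target. Also matches
# trimmed lines such as 'TCP_DENIED/200 0 CONNECT www.example.com:443'.
CONNECT_RE = re.compile(
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3}) \d+ CONNECT "
    r"(?P<host>\S+):(?P<port>\d+)(?=\s|$)"
)


def audit_connects(lines, expected_ports=frozenset({443})):
    """Tally CONNECT entries: tunnels Squid permitted to ports outside
    expected_ports, CONNECTs it denied, and permitted ports overall."""
    report = {"unexpected": Counter(), "denied": Counter(), "ports": Counter()}
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue  # not a CONNECT entry (plain GET, bumped request, ...)
        target = (m["host"], int(m["port"]))
        if "DENIED" in m["result"]:
            report["denied"][target] += 1
            continue
        report["ports"][target[1]] += 1
        if target[1] not in expected_ports:
            report["unexpected"][target] += 1
    return report


if __name__ == "__main__":
    result = audit_connects(SAMPLE_LOG.splitlines())
    for (host, port), count in sorted(result["unexpected"].items()):
        print(f"tunnel to non-443 port: {host}:{port} x{count}")
    for (host, port), count in sorted(result["denied"].items()):
        print(f"denied CONNECT: {host}:{port} x{count}")
```

Ports that never show up under "ports" over a representative period are candidates for dropping from the CONNECT allow rule.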