On 2025-05-27 08:47, 中山稀斗 wrote:
Dear Squid-Users,
I’m configuring SSL_Bump to decrypt only a specific list of domains and
to splice (pass through encrypted) all others, but I’m seeing
non-whitelisted domains still being decrypted.
### Observed behavior (access log excerpt):
26.56.128.144 - - [27/May/2025:18:35:17 +0900] "CONNECT mariadb.org:443 HTTP/1.1" 200 0 TCP_DENIED:HIER_NONE
26.56.128.144 - - [27/May/2025:18:35:17 +0900] "GET https://mariadb.org/donate/ HTTP/1.1" 403 4076 NONE_NONE:HIER_NONE
Although CONNECT is supposed to be denied at step1, Squid first responds
with “200 OK” (and presents a self-signed certificate), then the client
issues a GET which finally returns 403.

When Squid is configured to deny a CONNECT request at step1, it bumps
the client-to-Squid connection after receiving such a banned CONNECT
request, waits for the client GET (or equivalent) request on the bumped
connection, and then responds with an Access Denied error to the client.
This behavior was implemented because most browsers refuse to show
CONNECT errors to users; they only show GET errors.

If you do not like this behavior, you may, for example, configure your
Squid to allow CONNECTs to servers that should be spliced.

HTH,
Alex.
### My ssl_bump configuration:
acl step1 at_step SslBump1
# at_step ACLs referenced by the step2/step3 rules below
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl bump_domains ssl::server_name "/home/user001/ssl_bump/ssl_bump_domain"
ssl_bump peek step1
ssl_bump splice step2 !bump_domains
ssl_bump bump step2 bump_domains
ssl_bump splice step3 all
Could you please advise why non-whitelisted domains are still being
bumped and how to properly prevent this behavior?
Thank you for your assistance.
Best regards,
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
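A squid.conf excerpt that follows Alex's suggestion, added here as an example and not taken from the thread: the http_access rules, the localnet ACL and the 192.0.2.0/24 client range are assumptions, since the poster's http_access lines are not shown. It lets every CONNECT to port 443 through and leaves the decrypt-or-splice decision to ssl_bump alone, so a spliced domain never enters the deny-CONNECT-then-bump-to-show-the-error path that produced the TCP_DENIED CONNECT followed by the NONE_NONE 403 GET in the log above.

```squid
# Example squid.conf fragment (added illustration, not the poster's config).
# Assumed client range; replace with the real one.
acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# at_step ACLs and the domain list from the thread
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl bump_domains ssl::server_name "/home/user001/ssl_bump/ssl_bump_domain"

# Keep CONNECT off non-TLS ports, but allow it for every HTTPS destination.
# Denying a CONNECT here is exactly what makes Squid bump the connection
# just to hand an Access Denied page to the client's first GET.
http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT SSL_ports

# Ordinary (and bumped, post-decryption) requests from the local network.
http_access allow localnet
http_access deny all

# Whether a TLS session is decrypted is decided only here.
ssl_bump peek step1
ssl_bump splice step2 !bump_domains
ssl_bump bump step2 bump_domains
ssl_bump splice step3 all
```

With CONNECT allowed, a domain outside the list should leave a single CONNECT line with a TCP_TUNNEL status in access.log and no self-signed certificate is presented; the denied-CONNECT plus 403 GET pair is the log signature to watch for if the old behavior returns.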