[squid-users] dynamic ACLs

2020-04-16 Thread Vieri
Hi,

In sslbump tproxy "mode" one cannot authenticate users to limit/allow their 
access to web content.

I was thinking however of making a web form with auth within a custom Squid 
error page. This way a user would "automatically" whitelist a web site and have 
access to it while the IT dep. would know which user accessed where despite the 
site being blacklisted.

From the error page I can tell which ACL is blocking that site so I could 
create an "exception" ACL for that ACL.
My question is: can this whitelist or graylist ACL be dynamic without needing 
to reload Squid, a bit like ipsets with iptables/nftables without the need to 
reload rules?

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Setting up proxy with private to public

2020-04-16 Thread Antony Stone
Sorry, replying to the list this time - for some reason my previous reply went 
to your private address.


On Wednesday 15 April 2020 at 15:08:36, Chris Bidwell - NOAA Federal wrote:

> So after looking further.  It looks like when I'm trying to wget from my
> squid server, which has the two nics (internal and public), it's trying to
> send it through the internal connection.  It doesn't seem to want to route
> through the external nic.

Okay, so not currently a Squid problem, then.

What does "route -n" tell you, and what do you think your default gateway 
address to the Internet should be (ie: what's the address of the router which 
you think Squid should be using from its external interface to get to the 
Internet)?


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.

Please reply to the list; please don't CC me.


Re: [squid-users] Header Detection Post SSL Bump in Squid 4.10

2020-04-16 Thread Amos Jeffries
On 16/04/20 5:15 pm, shubham jain wrote:
> Hi,
> 
> *Context*:
> I want to use Squid as a forward proxy, where I want to
> 1) send all the Image requests directly, presumably using request header
> 'accept'
> 2) send all other requests through a cache peer Proxy service
> 
> The req_header directive is working fine for HTTP Requests, but not for
> HTTPS.
> 
> I've done the setup for SSL Bump in here and that's giving decrypted
> HTTPS requests in the access.log as well.
> 
> *Issue:*
> The req_header directive is not working on the decrypted HTTPS requests.
> 
> *Squid.conf*
> 
> # SSL Bump Port
> http_port 127.0.0.1:3128  ssl-bump
> cert=/usr/local/etc/cert/example.com.cert
> key=/usr/local/etc/cert/example.com.private
> generate-host-certificates=on version=1 options=SINGLE_DH_USE  
> 
> # SSL Bump Config
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> acl imageIsBlocked req_header accept -i image
> 
> ssl_bump terminate imageIsBlocked    #terminate is just for testing, to
> be replaced by splice
> ssl_bump bump all


Do the CONNECT tunnels' Accept headers contain "image"?

ssl_bump decides what to do during the TLS handshake process. For your
setup that is only the CONNECT requests.

Once decrypted, HTTPS is just HTTP with https:// URL schemes. It is
controlled by http_access and does not pass through ssl_bump rules again.


Amos
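The two threads above meet in one mechanism: Vieri's dynamic whitelist can be served by a Squid external_acl_type helper, and, as Amos notes, a bumped https:// request is then checked by http_access rather than ssl_bump, so the same helper covers it. The helper below is an added example, not code from the thread or the Squid project; the squid.conf lines in its header, the file path and the "<client-ip> <domain>" file format are assumptions, and the `http_access allow dyn_wl` line must sit before the deny that produces the error page.

```python
# Added example, not from the thread: a Squid external_acl_type helper that
# answers from a whitelist file a web form appends to at runtime. Squid caches
# each verdict for ttl= seconds and the helper re-reads the file when its mtime
# changes, so no "squid -k reconfigure" is needed. Assumed squid.conf wiring:
#   external_acl_type dyn_wl ttl=5 negative_ttl=5 %SRC %DST /usr/local/bin/dyn_wl.py
#   acl dyn_wl external dyn_wl
#   http_access allow dyn_wl    # bumped https:// requests pass through here too
# File format (constructed): one "<client-ip> <domain>" per line, '#' comments.
import os
import sys

WHITELIST_PATH = os.environ.get("DYN_WL_FILE", "/var/lib/squid/dyn_whitelist.txt")
_state = {"mtime": None, "entries": {}}

def parse_whitelist(text):
    """Return {client_ip: {domain, ...}}; skips blank, comment and malformed lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2:  # anything else is malformed: ignore, never fail open
            entries.setdefault(parts[0], set()).add(parts[1].lower().rstrip("."))
    return entries

def domain_allowed(entries, src, dst):
    """True if dst equals, or is a subdomain of, a domain whitelisted for src."""
    dst = dst.lower().rstrip(".")
    return any(dst == d or dst.endswith("." + d) for d in entries.get(src, ()))

def lookup(src, dst, path=WHITELIST_PATH):
    """Reload the file only when its mtime changed; a missing file denies all."""
    try:
        mtime = os.stat(path).st_mtime
        if mtime != _state["mtime"]:
            with open(path, encoding="utf-8") as f:
                _state["entries"] = parse_whitelist(f.read())
            _state["mtime"] = mtime
    except OSError:
        _state["entries"], _state["mtime"] = {}, None
    return domain_allowed(_state["entries"], src, dst)

def main():
    for line in sys.stdin:  # Squid writes one "%SRC %DST" line per lookup
        fields = line.split()
        verdict = "OK" if len(fields) == 2 and lookup(*fields) else "ERR"
        sys.stdout.write(verdict + "\n")
        sys.stdout.flush()  # helper protocol: answer each request line promptly

if __name__ == "__main__":
    main()
```

Because the whitelist is keyed by client IP, the web form must record which user submitted each entry if the IT department is to map accesses back to people.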