On Sun, 2015-05-31 at 08:45 +1200, Amos Jeffries wrote: > On 31/05/2015 4:48 a.m., James Lay wrote: > > Per the docs: > > > > # Conditional configuration > > # > > # If-statements can be used to make configuration directives > > # depend on conditions: > > # > > # if <CONDITION> > > # ... regular configuration directives ... > > # [else > > # ... regular configuration directives ...] > > # endif > > # > > # The else part is optional. The keywords "if", "else", and > > "endif" > > # must be typed on their own lines, as if they were regular > > # configuration directives. > > # > > # NOTE: An else-if condition is not supported. > > # > > # These individual conditions types are supported: > > # > > # true > > # Always evaluates to true. > > # false > > # Always evaluates to false. > > # <integer> = <integer> > > # Equality comparison of two integer numbers. > > > > Anyone have any examples, documentation, heck ANYTHING that can show how > > this works? I can't seem to find a thing besides the above. > > Those are for process controls (SMP, named services, etc). > > > My goal is > > something like the below: > > > > if port = 80 > > http_access deny all > > else > > http_access allow all > > endif > > > > But nothing I'm trying as the condition expression is working. Thank > > you. > > The default Squid configuration should "just work"... > > http_access deny !Safe_ports > http_access deny CONNECT !SSL_Ports > ... > # this one permits the CONNECT *:443 requests to get bumped > http_access allow localnet > .. > http_access deny all > > If you are using any other access controls on your client traffic you > need to keep in mind that Squid is dealing with "CONNECT raw-IP:443 ..." > requests in http_access / adapted_http_access / url_rewrite_access / > adaptation_access / ssl_bump prior to bumping them. > > Amos > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users
Hi again Amos, So...my method of access control might be weird. I have a regex list of sites that work fine via http (say \.acer\.com). So, I allow access to this list via: acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt http_access allow allowed_http_sites http_access deny !allowed_http_sites This works well for allowing access to the list of sites....the lack of http_access allow localnet makes this happen. With the above however, ssl_bumping stops working as I get: [16:18:22 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com DEBUG output created by Wget 1.16 on linux-gnu. URI encoding = ‘UTF-8’ --2015-05-30 16:19:46-- https://www.msn.com/ Certificates loaded: 173 Resolving www.msn.com (www.msn.com)... 204.79.197.203 Caching www.msn.com => 204.79.197.203 Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected. Created socket 4. Releasing 0x10c3ef98 (new refcount 1). The certificate's owner does not match hostname ‘www.msn.com’ May 30 16:19:46 analysis squid: 192.168.1.73 - - [30/May/2015:16:19:46 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek Adding http_access alllow localnet makes ssl_bumping work correctly, but then the http_access deny !allowed_http_sites does not work. I'm having a hard time getting both http and https filtering to play well together with one instance of squid. I'd like to try and just go with one, but if I have to I'll go with two. Anyway thanks again for looking...I hope I'm explaining this well. James
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users