Hello,

I have a proxy configured to bump all traffic in order to do traffic filtering 
to a target server (Artifactory, in my case) from a particular environment. The 
proxy needs to be able to allow or permit traffic based on the path part of the 
URL in order to only allow access to a certain set of Artifactory repositories. 
I have my proxy configured to bump all traffic so that the urlpath_regex ACL 
can be applied, but it appears to not have any effect post-bump. I have dug 
through the debug logging and it evaluates the ACL before the bump occurs, but 
not after. I know it's bumping and decrypting the request properly because the 
access logs shows the information I need, but it's not actually applying the 
ACL.

Can anybody provide recommendations as to what I might be doing wrong? My 
(highly simplified, to remove possible points of failure) squid.conf is 
provided below, as well as the debug logs from a couple of sample requests.

Thanks,
-Shane

----  squid.conf ----------------------------
# enable ACL debug logging
debug_options 28,3

# Configure a man-in-the-middle sslbumping strategy
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

ssl_bump bump all

# Additional custom ACLs
acl artifactory_repo_filter urlpath_regex ^/artifactory
http_access allow artifactory_repo_filter

# And finally deny all other access to this proxy
http_access deny all


----  access.log -----------------------------
1541104544.428      0 <CLIENT_IP> TCP_DENIED/200 0 CONNECT google.com:443 - HIER_NONE/- -
1541104544.433      0 <CLIENT_IP> TAG_NONE/403 3900 GET https://google.com/ - HIER_NONE/- text/html
1541104555.408      0 <CLIENT_IP> TCP_DENIED/200 0 CONNECT <ARTIFACTORY_SERVER_DOMAIN>:8443 - HIER_NONE/- -
1541104555.411      0 <CLIENT_IP> TAG_NONE/403 3975 GET https://<ARTIFACTORY_SERVER_DOMAIN>:8443/artifactory/path/matching/the_request.jar - HIER_NONE/- text/html


----  cache.log -----------------------------
2018/11/01 20:35:44.427 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e4918 checking slow rules
2018/11/01 20:35:44.427 kid1| 28,3| Acl.cc(158) matches: checked: artifactory_repo_filter = -1
2018/11/01 20:35:44.427 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/11/01 20:35:44.427 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41736' found
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e4918 answer DENIED for match
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e4918 answer=DENIED
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e5378 checking slow rules
2018/11/01 20:35:44.428 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41736' found
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e5378 answer ALLOWED for match
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e5378 answer=ALLOWED
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0df0 checking fast ACLs
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0df0 answer ALLOWED for match
2018/11/01 20:35:44.433 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0ec0 checking fast ACLs
2018/11/01 20:35:44.433 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:44.433 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:44.433 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0ec0 answer ALLOWED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e4918 checking slow rules
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: artifactory_repo_filter = -1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/11/01 20:35:55.408 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41738' found
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e4918 answer DENIED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e4918 answer=DENIED
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e5378 checking slow rules
2018/11/01 20:35:55.408 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41738' found
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e5378 answer ALLOWED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e5378 answer=ALLOWED
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0df0 checking fast ACLs
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0df0 answer ALLOWED for match
2018/11/01 20:35:55.411 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0ec0 checking fast ACLs
2018/11/01 20:35:55.411 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:55.411 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:55.411 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0ec0 answer ALLOWED for match

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
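Editor's added example (not part of the post above, and not a reply from the list). The cache.log in the post shows http_access being evaluated once per connection, on the CONNECT request, and never on the decrypted GET: a CONNECT carries no URL path, so the urlpath_regex ACL cannot match it (the "artifactory_repo_filter = -1" line), the deny-all rule rejects the tunnel, and the subsequent GET only receives the resulting 403 error page (TCP_DENIED/200 on the CONNECT followed by TAG_NONE/403 on the GET). The configuration below keeps the posted squid.conf but splits http_access into a pre-bump stage that admits the tunnel to the Artifactory host only, and a post-bump stage that applies the path filter to the decrypted request. The `<ARTIFACTORY_SERVER_DOMAIN>` placeholder and port 8443 are taken from the post; the ACL names `artifactory_host` and `artifactory_port` are the editor's own.

```conf
# enable ACL debug logging
debug_options 28,3

# Configure a man-in-the-middle sslbumping strategy (unchanged from the post)
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

ssl_bump bump all

# The CONNECT method ACL comes from the stock squid.conf, not from a
# built-in, so it is declared explicitly here.
acl CONNECT method CONNECT

# Destination restrictions. <ARTIFACTORY_SERVER_DOMAIN> is the placeholder
# used in the post; substitute the real server name. dstdomain matches the
# host part only, so the port is checked by a separate ACL.
acl artifactory_host dstdomain <ARTIFACTORY_SERVER_DOMAIN>
acl artifactory_port port 8443

# Path filter for the decrypted request. The trailing slash (added here)
# stops a path such as /artifactory-other/ from matching the prefix.
acl artifactory_repo_filter urlpath_regex ^/artifactory/

# Stage 1: evaluated on the CONNECT request, before the bump. The tunnel
# must be admitted here or nothing inside it is ever inspected; the
# path ACL cannot match a CONNECT, so it is deliberately not used yet.
http_access allow CONNECT artifactory_host artifactory_port
http_access deny CONNECT

# Stage 2: evaluated on each decrypted request inside the bumped tunnel.
# The full URL is visible now, so the path filter applies. The host ACL
# is repeated so that only Artifactory paths on the Artifactory host pass.
http_access allow artifactory_host artifactory_repo_filter

# And finally deny all other access to this proxy
http_access deny all
```

Validate the file with `squid -k parse` before reloading. With debug_options 28,3 still set, the confirmation that the second stage is now being reached is a second "checking slow rules" checklist for the GET that lists http_access rules (including artifactory_repo_filter with a result of 1 or 0), instead of only the access_log fast-ACL checks seen in the posted cache.log. A request for a path outside /artifactory/ should then be logged as TCP_DENIED/403 on the GET while the CONNECT itself is accepted.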