Hi, I'm struggling a lot to configure Squid. To improve the security of my app in my AWS private subnet, I would like to build an HTTPS proxy to whitelist *only* some URLs. My wish is to *not* rely on SNI filtering but to bump HTTPS traffic in order to filter the URLs (paths) of HTTPS requests. I know that means installing a custom CA. The thing is... I have a hard time compiling a working configuration file for Squid 3.5; most examples are outdated or incomplete.
My current config is:

# ---
# General
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 1 seconds
visible_hostname squid

# Hide some revealing or useless headers
forwarded_for delete
httpd_suppress_version_string off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
via off

# Tuning
max_filedesc 10000

# Disable access to manager
http_access deny manager

# Handling HTTPS requests
https_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE intercept
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
acl SSL_port port 443
http_access allow SSL_port

# Whitelist
acl whitelist-regex url_regex -i thirdparty.com/upload/stuff/
acl whitelist-regex url_regex -i otherthirdparty.com/specific-path/
http_access allow whitelist-regex

# SSL bump
acl step1 at_step SslBump1
# Second bump step; the terminate rule below references it, so it must be defined
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump bump whitelist-regex
ssl_bump terminate step2 !whitelist-regex

# Deny the rest
http_access deny all
# ---

What am I missing? Should I use Squid 4 for this?

Thanks a lot in advance!

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
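An added illustration, not part of the original post and not Squid code: Squid's url_regex is an unanchored, case-insensitive (with -i) regular expression matched against the whole request URL, so the two whitelist patterns above also allow URLs they were never meant to. The Python below emulates that matching with re.search over constructed sample URLs and contrasts the posted patterns with anchored, dot-escaped equivalents; the function names and sample URLs are my own.

```python
import re

# The two whitelist patterns exactly as posted. Squid applies url_regex as an
# unanchored regex (re.search semantics), and -i makes it case-insensitive.
POSTED_PATTERNS = [
    r"thirdparty.com/upload/stuff/",
    r"otherthirdparty.com/specific-path/",
]

# Hardened equivalents: anchor to the scheme and host so the host cannot be a
# suffix of, or appear inside, some other host or query string, and escape the
# dots so '.' only matches a literal dot.
ANCHORED_PATTERNS = [
    r"^https://thirdparty\.com/upload/stuff/",
    r"^https://otherthirdparty\.com/specific-path/",
]


def squid_url_regex_match(patterns, url):
    """Emulate 'acl ... url_regex -i': allowed if any pattern matches anywhere."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


# Constructed sample URLs (hypothetical; not from the original post).
SAMPLE_URLS = [
    "https://thirdparty.com/upload/stuff/file.bin",            # intended
    "https://THIRDPARTY.COM/upload/stuff/",                    # case variant
    "https://notthirdparty.com/upload/stuff/x",                # other host, suffix match
    "https://thirdpartyXcom/upload/stuff/",                    # unescaped '.' matches 'X'
    "https://other.example/?q=thirdparty.com/upload/stuff/",   # pattern inside the query
]


def evaluate(patterns, urls=SAMPLE_URLS):
    """Return {url: allowed?} for a whitelist under Squid's url_regex semantics."""
    return {u: squid_url_regex_match(patterns, u) for u in urls}


def unintended_allows(patterns, urls=SAMPLE_URLS):
    """URLs a whitelist allows that are not on the intended host/path."""
    intended = {
        "https://thirdparty.com/upload/stuff/file.bin",
        "https://THIRDPARTY.COM/upload/stuff/",
    }
    return sorted(u for u, ok in evaluate(patterns, urls).items() if ok and u not in intended)


if __name__ == "__main__":
    for label, pats in (("posted", POSTED_PATTERNS), ("anchored", ANCHORED_PATTERNS)):
        print(f"--- {label} ---")
        for url, allowed in evaluate(pats).items():
            print(f"{'ALLOW' if allowed else 'deny '}  {url}")
```

Whichever directive finally consumes the whitelist (http_access on the decrypted request, or an ssl_bump rule), the regex semantics are the same, so anchoring and escaping the patterns is worth doing before the rest of the configuration is debugged.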