Great, thanks Amos as always.

So shall I leave these ssl_bump lines in:

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

And delete this one:

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

As you're right, they're both the same, I didn't spot that.

My understanding is that with the "no ssl intercept", squid doesn't even bother to inspect the packets (i.e. man in the middle) and just literally passes it straight to the client. Is that right?

Thanks,
Rob

On Wed, 11 Aug 2021, 06:48 Amos Jeffries, <squ...@treenet.co.nz> wrote:
> On 11/08/21 4:56 am, robert k Wild wrote:
> > hi all,
> >
> > before I continue, so sorry for the stupid question but trying to learn
> >
> > basically here's my squid.conf
> >
> > #NO SSL Interception
> > acl DiscoverSNIHost at_step SslBump1
> > acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
> > ssl_bump splice NoSSLIntercept
> > ssl_bump peek DiscoverSNIHost
> > ssl_bump bump all
> >
> > #SSL Bump
> > http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>
> Note:
> You already have ssl_bump rules above which either splice or bump at
> step 1. These following ssl_bump rules either never get reached, or are
> already known impossible to perform if they do get reached.
>
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > #
> > #allow special URL paths
> > acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
> >
> > #deny MIME types
> > acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> >
> > http_reply_access allow special_url
> > http_reply_access deny mimetype
> > #
> > #HTTP_HTTPS whitelist websites
> > acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
> >
> > #HTTP_HTTPS whitelist websites regex
> > acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
> >
> > http_access allow activation whitelist
> > http_access allow activation whitelistreg
> > http_access deny all
> >
> > in my urlwhitelist is this
> >
> ...
> > in my nointerceptssl is this
> >
> ...
> >
> > I got all the urls etc looking at tail -f access.log and grepping the ip
> > and tcp denied
> >
> > but when I try to load the apple app store the whitelist isn't enough, I
> > need to add a couple of urls to the nointerceptssl
> >
> > I got that list by doing the same method, i.e. looking at tail -f
> > access.log and grepping the ip, but as I've already whitelisted the urls
> > they all came back as none or ok instead of saying tcp denied
> >
> > my question is why do I need to add some urls to the nointerceptssl and
> > why isn't it enough just to add it to urlwhite list
> >
>
> Because you are using those ACLs exclusively for very different things.
>
> - "whitelist" is being exclusively used to check URI domains found in
> HTTP messages (http_access). Where "server name" is the CONNECT tunnel
> authority name or IPs reverse-DNS name, or decrypted https:// URL
> domain. It has nothing to do with the TLS handshake activity.
>
> - "NoSSLIntercept" is being exclusively used for TLS handshake
> decisions (ssl_bump). Where "server name" is the CONNECT tunnel
> authority name or raw-IP, TLS SNI, or server certificate altSubjectName.
>
>
> You could use whitelist ACL in ssl_bump checks instead of
> NoSSLIntercept. At which point the ACL is now being used for both sets
> of checks and decisions.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
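The point Amos makes about the second block of ssl_bump rules being dead can be checked mechanically. The following is an added example, not code from the thread or from Squid itself: a deliberately simplified first-match model of how Squid walks ssl_bump rules across the three SslBump steps. It models only the ACL types the thread's squid.conf uses (at_step, ssl::server_name, all), assumes "server name" is the CONNECT authority at step 1 and the TLS SNI at step 2 (as Amos describes), and uses a constructed host list in place of the real nointerceptssl.txt. A step with no matching rule raises instead of applying Squid's built-in default, which is not modelled.

```python
"""Toy first-match model of Squid ssl_bump evaluation (added example, not Squid code)."""
from dataclasses import dataclass

FINAL_ACTIONS = {"splice", "bump", "terminate"}   # decision made, no later steps
CONTINUE_ACTIONS = {"peek", "stare"}              # look, then re-evaluate next step


@dataclass(frozen=True)
class Rule:
    action: str   # splice | peek | stare | bump | terminate
    acl: str      # ACL name, or "all"


# Constructed stand-in for /usr/local/squid/etc/nointerceptssl.txt (not the real list).
NO_INTERCEPT_HOSTS = {"splice-me.example"}

# ACL definitions from the thread: name -> (acl type, argument)
ACLS = {
    "DiscoverSNIHost": ("at_step", "SslBump1"),
    "NoSSLIntercept": ("ssl::server_name", NO_INTERCEPT_HOSTS),
    "step1": ("at_step", "SslBump1"),
}

# The ssl_bump lines from the thread's squid.conf, in file order.
RULES = [
    Rule("splice", "NoSSLIntercept"),   # 0
    Rule("peek", "DiscoverSNIHost"),    # 1
    Rule("bump", "all"),                # 2
    Rule("peek", "step1"),              # 3  (second block)
    Rule("bump", "all"),                # 4  (second block)
]


def acl_matches(name, step, server_name):
    """Evaluate one ACL at a given SslBump step; only the thread's ACL types are modelled."""
    if name == "all":
        return True
    kind, arg = ACLS[name]
    if kind == "at_step":
        return arg == f"SslBump{step}"
    if kind == "ssl::server_name":
        return server_name is not None and server_name in arg
    raise ValueError(f"ACL type {kind!r} not modelled")


def evaluate(rules, connect_host, sni, cert_name=None):
    """Walk steps 1..3, first matching rule wins at each step.

    Returns (final_action, step_at_which_it_was_decided, list_of_rule_indices_reached).
    server_name is the CONNECT authority at step 1, the SNI at step 2 and the
    server certificate name at step 3 (each falling back to the earlier value).
    """
    names = {
        1: connect_host,
        2: sni or connect_host,
        3: cert_name or sni or connect_host,
    }
    reached = []
    for step in (1, 2, 3):
        for idx, rule in enumerate(rules):
            if acl_matches(rule.acl, step, names[step]):
                reached.append(idx)
                if rule.action in FINAL_ACTIONS:
                    return rule.action, step, reached
                break  # peek/stare: carry on to the next step
        else:
            raise ValueError(f"no ssl_bump rule matched at step {step}; Squid default not modelled")
    raise ValueError("no final action after step 3")


def unreachable_rules(rules, scenarios):
    """Indices of rules never reached across (connect_host, sni) scenarios."""
    seen = set()
    for connect_host, sni in scenarios:
        seen.update(evaluate(rules, connect_host, sni)[2])
    return sorted(set(range(len(rules))) - seen)


# Constructed scenarios: listed host, unlisted host, unlisted CONNECT host with listed SNI.
SCENARIOS = [
    ("splice-me.example", "splice-me.example"),
    ("other.example", "other.example"),
    ("other.example", "splice-me.example"),
]

if __name__ == "__main__":
    for host, sni in SCENARIOS:
        action, step, reached = evaluate(RULES, host, sni)
        print(f"CONNECT {host} / SNI {sni}: {action} at step {step}, rules hit {reached}")
    print("rules never reached:", unreachable_rules(RULES, SCENARIOS))
```

Run as a script it shows that a listed host is spliced (never decrypted) at step 1, that an unlisted host is peeked at step 1 and bumped at step 2 by the unconditional "bump all", and that rules 3 and 4 (the second "peek step1" / "bump all" pair) are never reached in any scenario, which is the redundancy Rob decides to delete.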