[squid-users] ssl/acl problem with cache_peers

From: Hubeli Daniel <Daniel.Hubeli_at_corner.ch>
Date: Fri, 12 Jul 2013 07:52:31 +0000

Hi all, I'm posting for an ssl/acl problem.

In my configuration I have 2 proxies: 1 internal proxy (used by internal users) that serves internal websites and that escalates (cache_peer) to another proxy (external) when it needs to go outside.

My problem is that an internal server now needs to reach an external website (via SSL/HTTPS), but I need to filter the access to just some paths (the internal server will contact the internal squid, which should use the cache_peer to reach the "external" site).

From what I've learnt about squid, the way to filter paths with the HTTPS protocol is to use the ssl_bump directive. Actually I've already configured the internal squid with ssl_bump (I've just upgraded to 3.3.7):

    http_port host11.domain.com:9999 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/path..../squid-CA.pem

    .
    .
    .
    # SSL Bump Start
    ###################
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslcrtd_program =/path..../ssl_crtd -s =/path..../ssl_db -M 8MB
    sslcrtd_children 5

    acl src_test src 222.222.222.222
    acl to_test_domain dstdomain server1.test.com
    acl to_test_regex url_regex ^https://server1.test.com/path1/
    http_access allow to_test_domain CONNECT
    http_access allow src_test to_test_regex
    # Routing with Bump
    cache_peer_access host21.domain.com allow to_test_domain
    cache_peer_access host22.domain.com allow to_test_domain
    ssl_bump server-first to_test_bump

    # SSL Bump Finish
    ###################
    ssl_bump none all
    .
    .
    .

After some tests I realized that ssl_bump works only when squid connects directly to websites but doesn't work when used with cache_peers; is that right?

What would be the best way to achieve my goal? Should I configure ssl_bump on the external squid (I would prefer to do it on the internal one, to keep the outside squid config as simple as possible)? Actually, to use the "url_regex" acl to filter the path of an HTTPS site I have also had to open the CONNECT method to the whole site... Is this the right method to filter paths on an https website?

Kind regards,
Daniel Hubeli
Received on Fri Jul 12 2013 - 07:52:42 MDT
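The quoted configuration references an ACL (to_test_bump) that no acl line in the fragment defines, and its CONNECT allow rule carries no client-side ACL. The script below is an added example, not part of the original post or of Squid, that lints a squid.conf text for those two things plus ACLs that are defined but never used. The configuration it runs on is constructed from the post; the `acl CONNECT method CONNECT` line is assumed from Squid's default squid.conf, since the fragment does not show where CONNECT is defined.

```python
# Constructed squid.conf fragment modelled on the configuration quoted in the post.
# "acl CONNECT method CONNECT" is assumed from Squid's default config; "to_test_bump"
# is left undefined, exactly as in the quoted fragment.
SAMPLE_CONF = """\
acl CONNECT method CONNECT
acl src_test src 222.222.222.222
acl to_test_domain dstdomain server1.test.com
acl to_test_regex url_regex ^https://server1.test.com/path1/
http_access allow to_test_domain CONNECT
http_access allow src_test to_test_regex
# Routing with Bump
cache_peer_access host21.domain.com allow to_test_domain
cache_peer_access host22.domain.com allow to_test_domain
ssl_bump server-first to_test_bump
ssl_bump none all
"""

BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}  # pre-defined by Squid 3.x
# ACL types that constrain *who* may match a rule (client-side restrictions)
SRC_TYPES = {"src", "srcdomain", "srcdom_regex", "arp", "proxy_auth", "proxy_auth_regex", "ident"}
# directive -> number of tokens before its ACL list starts
DIRECTIVES = {"http_access": 1, "http_reply_access": 1, "ssl_bump": 1, "cache_peer_access": 2}


def lint_squid_acls(conf):
    """Return (undefined, unused, unrestricted_allows) for a squid.conf text."""
    acl_types, referenced, unrestricted = {}, set(), []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            acl_types[tokens[1]] = tokens[2]  # name -> ACL type
        elif tokens[0] in DIRECTIVES:
            names = [t.lstrip("!") for t in tokens[1 + DIRECTIVES[tokens[0]]:]]  # "!name" negates
            referenced.update(names)
            # an http_access allow whose ACLs never look at the client is open to every source
            if tokens[0] == "http_access" and tokens[1] == "allow" and not any(
                acl_types.get(n) in SRC_TYPES or n == "localhost" for n in names
            ):
                unrestricted.append((lineno, raw.strip()))
    undefined = sorted(referenced - set(acl_types) - BUILTIN_ACLS)
    unused = sorted(set(acl_types) - referenced)
    return undefined, unused, unrestricted


if __name__ == "__main__":
    labels = ("undefined ACLs", "unused ACLs", "allow rules with no client restriction")
    for label, found in zip(labels, lint_squid_acls(SAMPLE_CONF)):
        print(f"{label}: {found}")
```

On the constructed fragment it reports to_test_bump as undefined and flags the `http_access allow to_test_domain CONNECT` rule, which is the whole-site CONNECT opening the post asks about.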