Join Log in
Score:0
mocart avatar Server

squid4 proxy with only whitelist allow policy for all

it flag
mocart

Ubuntu 20.04; Squid 4.10 (build with ssl);common dns-server for clients and server 192.168.15.1

I can't configure squid4 proxy with only whitelist(with SSL) allow policy for all. I build squid by sources with ssl support, and generate cert, all works (when allow all for all), but when i configure squid to allow only whitelist, it not works: all users have permissions for all sites, not only whitelist. I can't solve this problem. My squid.conf

❯ cat squid.conf
debug_options 28,9
dns_nameservers 192.168.15.1
logformat squid-host %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log squid-host


acl localnet src 192.168.15.0/24            # RFC 1918 local private network (LAN)
#========================START STANDART BLOCK======================
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#========================END STANDART BLOCK======================


acl whitelist url_regex -i "/etc/squid/lists/whitelist"
http_access allow whitelist localnet

http_access deny all


http_port 3128

http_port 3129 intercept

https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl/proxyCA.pem tls-key=/etc/squid/ssl/proxyCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3 tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

always_direct allow all
sslproxy_cert_error allow all

acl whitelist_ssl ssl::server_name_regex "/etc/squid/lists/whitelist"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
# example pattern for deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320%

whitelist

❯ cat lists/whitelist
ya\.ru
^([A-Za-z0-9.-]*\.)?ok\.ru
72
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.