Many thanks!
OK, I didn't know that the path is also encrypted.
So there's definitely no way to check it and it must be controlled on the server itself, I suppose (now with CONNECT).
But even without checking the path it didn't work like this
until I changed it to:
http_access deny CONNECT restr_client !restr_dom
http_access allow CONNECT restr_client restr_dom
http_access deny restr_client all
Is then the last line necessary if I want the restr_client
to access only this domain with https but nothing else?
Jannis
--- On Tue 19/3/13, Amos Jeffries <[email protected]> wrote:
> From: Amos Jeffries <[email protected]>
> Subject: Re: [squid-users] Allow a client to only one https site and path
> To: [email protected]
> Date: Tuesday, 19 March 2013 7:30
> On 20/03/2013 12:36 a.m., Jannis Kafkoulas wrote:
> > Hi,
> >
> > I'm using squid 2.7 on RHEL 5.6 and I have following issue:
> >
> > I want to restrict a client to accessing a specific https site
> > and herein only a specific root path (and sub directories).
> >
> > So I tried this:
> > acl restr_client src 10.1.1.100/32
> > acl restr_dom dstdomain www.example.com
> > acl xyz urlpath_regex -i ^/xyz/
> >
> > http_access deny restr_client !restr_dom
> > http_access deny restr_client !xyz
> > .
> > .
> > .
> >
> > The problem is that (as I can see in the access.log) it's
> > being allowed to connect directly only if I use http but
> > as soon as I'm using https the request is being blocked
> > and I can't see anything in the access.log.
> >
> > Even if I use url_regex -i ^https://www.example.com
> > instead of dstdomain it doesn't work.
> >
> > Any hints?
>
> HTTP passes through Squid in the form of a CONNECT tunnel setup request,
> followed by encrypted bytes. Other than the hostname and port the client
> is contacting nothing is visible to Squid.
>
> Amos
>
Received on Thu Mar 21 2013 - 15:46:02 MDT
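
The two rule sets from this thread, run through a simplified model of Squid's top-down, first-match `http_access` evaluation. This is an added example, not code from the thread or from Squid; `request`, `decide`, `ACLS`, `ORIGINAL` and `REVISED` are hypothetical names, and the model assumes a CONNECT request exposes only host and port, so `urlpath_regex` has nothing to match.

```python
import re
from urllib.parse import urlsplit

def request(src, method, target):
    """Constructed model of the fields Squid can see for one request."""
    if method == "CONNECT":
        # CONNECT target is "host:port"; the path travels inside the tunnel.
        host, path = target.rsplit(":", 1)[0], ""
    else:
        url = urlsplit(target)
        host, path = url.hostname, url.path
    return {"src": src, "method": method, "host": host, "path": path}

# The ACLs defined in the thread, plus Squid's stock "all" and "CONNECT".
ACLS = {
    "all":          lambda r: True,
    "CONNECT":      lambda r: r["method"] == "CONNECT",
    "restr_client": lambda r: r["src"] == "10.1.1.100",
    "restr_dom":    lambda r: r["host"] == "www.example.com",
    "xyz":          lambda r: re.search(r"^/xyz/", r["path"], re.I) is not None,
}

def decide(rules, req):
    """Return the action of the first line whose ACLs all match.

    None means no listed line matched and the request falls through to
    whatever http_access lines follow in the real squid.conf.
    """
    for line in rules:
        action, *names = line.split()
        # A "!name" entry matches when the named ACL does NOT match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return None

ORIGINAL = ["deny restr_client !restr_dom",
            "deny restr_client !xyz"]
REVISED = ["deny CONNECT restr_client !restr_dom",
           "allow CONNECT restr_client restr_dom",
           "deny restr_client all"]

if __name__ == "__main__":
    tunnel = request("10.1.1.100", "CONNECT", "www.example.com:443")
    plain = request("10.1.1.100", "GET", "http://www.example.com/xyz/index.html")
    for name, rules in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, "CONNECT:", decide(rules, tunnel), "GET:", decide(rules, plain))
```

In this model the original `!xyz` line denies every CONNECT from the client because the tunnel request carries no path, and dropping the third revised line leaves the client's non-CONNECT requests to be decided by later rules.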