Re: [squid-users] Allow a client to only one https site and path

From: Jannis Kafkoulas <jasecml_at_yahoo.com>
Date: Thu, 21 Mar 2013 15:45:54 +0000 (GMT)

Many thanks! OK, I didn't know that the path is also encrypted. So there's definitely no way to check it and it must be controlled on the server itself, I suppose (now with CONNECT ). But even without checking the path it didn't work like this until I changed it to: http_access deny CONNECT restr_client !restr_dom http_access allow CONNECT restr_client restr_dom http_access deny restr_client all Is then the last line necessary if I want the restr_client to access only this domain with https but nothing else? Jannis --- El Mar 19/3/13, Amos Jeffries <[email protected]> escribi�: > De: Amos Jeffries <[email protected]> > Asunto: Re: [squid-users] Allow a client to only one https site and path > Para: [email protected] > Fecha: Martes 19 de Marzo de 2013 7:30 > On 20/03/2013 12:36 a.m., Jannis > Kafkoulas wrote: > > Hi, > > > > I'm using squid 2.7 on RHEL 5.6 and I have following > issue: > > > > I want to restrict a client to accessing a specific > https site > > and herein only a specific root path (and sub > directories). > > > > So I tried this: > > acl restr_client src 10.1.1.100/32 > > acl restr_dom dstdomain www.example.com > > acl xyz urlpath_regex -i ^/xyz/ > > > > http_access deny restr_client !restr_dom > > http_access deny restr_client !xyz > > . > > . > > . > > > > The problem is that (as I can see in the access.log) > it's > > being allowed to connect directly only if I use http > but > > as soon as I'm using https the request is being > blocked > > and I can't see anything in the access.log. > > > > Even if I use url_regex -i ^https://www.example.com > > instead of dstdomain it doesn't work. > > > > Any hints? > > HTTP passes through Squid in the form of a CONNECT tunnel > setup request, > followed by encrypted bytes. Other than the hostname and > port the client > is contacting nothing is visible to Squid. > > Amos >
Received on Thu Mar 21 2013 - 15:46:02 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 21 2013 - 12:00:04 MDT