Netgate Discussion Forum
    Squid ACL Whitelist not working

    • lvrfrc87gmail.com

      Hi All,
      I have Squid proxy in transparent mode for HTTP/HTTPS with splice-all mode. I want a bunch of URLs to skip Squid, so I thought to add the DNS records to the whitelist; however, it seems like the whitelist is ignored by Squid.
      Below is my list

      .tdesktop.com
      .whatsapp.com
      .whatsapp.net
      .facebook.com

      Any suggestion?

      • alltester

        Hi lvrfrc87,

        I am unfortunately in the same boat as you. I've been testing Squid on pfSense 2.3.4 release P1 for a few days now and I've hit the same wall as you. Here's what I've been trying to do and how I've so far managed to accomplish it:

        I wanted to set up a "no bump sites" list for bank sites that the household accesses, and according to the GUI descriptions, when setting up the MITM (man in the middle) through the GUI there is an option that states that Squid will "Splice whitelist/bump rest", meaning that anything that is put in the whitelist section of the ACL should bypass Squid MITM and allow the site's native SSL cert to come through and take over. This has proven to be a headache doing it through the GUI.

        Here's what I had to do to get that to work:

        1. Under the Squid General Settings (Services -> Squid Proxy Server), in the SSL Man In the Middle Filtering section, I changed SSL/MITM Mode to Custom.
        2. I scrolled all the way to the bottom and clicked Show Advanced Options.
        3. In the Custom Options section, you can type commands directly to Squid to tell it what is an ACL and if it should be spliced or bumped (meaning if it should be bypassed or monitored/scanned). Here's what mine looks like; I followed the example under the details section of the Custom Options:

        # some banking sites that should not be MITM-ed
        acl serverIsBank ssl::server_name .paypal.com
        # splice bank sites
        ssl_bump splice serverIsBank
        # get SNI obtained by parsing TLS Client Hello during step2
        # (which is instructed by ssl_bump peek step1)
        ssl_bump peek step1
        # bump everything else (all sites not defined above)
        ssl_bump bump all

        I'm still a noob at this, but so far this has been working through my testing. Hope this helps/points you in the right direction as well.

        • zacha

          It is broken. I am wondering if no one uses SSL bumping, which is the most important firewall feature nowadays in any managed environment, in my opinion.

          What "Splice Whitelist, Bump Otherwise" does is

          http_access allow whitelist
          ssl_bump peek step1
          ssl_bump splice whitelist
          ssl_bump bump all

          where

          acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"

          but according to squid wiki:

          'At no point during ssl_bump processing will dstdomain ACL work. That ACL relies on HTTP message details that are not yet decrypted. An ssl::server_name acl type is provided instead that uses CONNECT, SNI, or server certificate Subject name (whichever is available).'

          So the 'ssl_bump splice whitelist' directive is just useless.
          What you did is the right way. Hopefully someone will fix this at some point.

          What you can do to mimic the behaviour which is described in the web interface is use 'Custom' and custom options like

          acl noBump ssl::server_name -i "/var/squid/acl/whitelist.acl"
          ssl_bump splice noBump
          ssl_bump peek step1
          ssl_bump bump all

          or (if you wish to use regexes)

          acl noBump ssl::server_name_regex -i "/var/squid/acl/whitelist.acl"
          ssl_bump splice noBump
          ssl_bump peek step1
          ssl_bump bump all

          • ortang
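To make the evaluation order concrete, here is a small Python model of how Squid walks these ssl_bump rules step by step (an added example, not Squid's code and not from anyone in this thread; the whitelist contents, hostnames and the ACL/rule tables are constructed). It shows the GUI-generated rules bumping a whitelisted site because dstdom_regex never matches during ssl_bump, while the custom ssl::server_name rules splice it once the SNI is known at step2.

```python
import re

# Constructed stand-in for the contents of /var/squid/acl/whitelist.acl
WHITELIST = [".paypal.com", ".whatsapp.com"]

def domain_match(entries, host):
    """Squid domain matching: a leading dot matches the domain and all subdomains."""
    if not host:
        return False
    host = host.lower()
    return any(host == e.lstrip(".").lower() or (e.startswith(".") and host.endswith(e.lower()))
               for e in entries)

def acl_match(acl, sni, step):
    """Does this ACL match at the given ssl_bump step? (model of the rules the thread quotes)"""
    kind, values = acl
    if kind in ("dstdomain", "dstdom_regex"):
        return False  # needs decrypted HTTP details, so never true during ssl_bump
    if kind == "ssl::server_name":         # SNI only exists after 'peek step1', i.e. from step2
        return step >= 2 and domain_match(values, sni)
    if kind == "ssl::server_name_regex":
        return step >= 2 and bool(sni) and any(re.search(p, sni, re.I) for p in values)
    if kind == "step1":
        return step == 1
    return kind == "all"

def ssl_bump_decision(acls, rules, sni):
    """Walk the ssl_bump rules in order at each step; first match wins. Returns (action, step)."""
    step = 1
    while True:
        for action, name in rules:
            if acl_match(acls[name], sni, step):
                if action == "peek":        # peek advances to the next step and re-evaluates
                    step += 1
                    break
                return action, step
        else:
            return "splice", step           # no rule matched: Squid tunnels without decrypting

# Rules the pfSense "Splice Whitelist, Bump Otherwise" mode generates (dstdom_regex whitelist)
GUI_ACLS = {"whitelist": ("dstdom_regex", WHITELIST), "step1": ("step1", []), "all": ("all", [])}
GUI_RULES = [("peek", "step1"), ("splice", "whitelist"), ("bump", "all")]
# The working custom options from the thread (ssl::server_name whitelist, splice rule first)
CUSTOM_ACLS = {"noBump": ("ssl::server_name", WHITELIST), "step1": ("step1", []), "all": ("all", [])}
CUSTOM_RULES = [("splice", "noBump"), ("peek", "step1"), ("bump", "all")]

if __name__ == "__main__":
    for sni in ("www.paypal.com", "example.com", None):   # None: a ClientHello without SNI
        print(sni, "GUI:", ssl_bump_decision(GUI_ACLS, GUI_RULES, sni),
              "custom:", ssl_bump_decision(CUSTOM_ACLS, CUSTOM_RULES, sni))
```

With these rules only the SNI is consulted, so a client that sends no SNI falls through to 'bump all' under both configurations.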

            Thank you very much for that information and pointing me to the right direction.
            Added a ticket.

            • rnmkr @zacha

              @zacha Hi, thanks for the method. It works like a charm on bank websites. However, it's not working for Windows applications, I guess. Example: the League of Legends game is not working (the launcher says I'm still offline). You may wonder, since the League of Legends game uses many IPs. I'm using the TcpLogView software to capture all of the connecting IPs of the League of Legends launcher and wrote them into the whitelist.acl file. I'm sure I've captured all IPs and included them in the whitelist.
              Note: If I put those IPs in Transparent Proxy Settings -> Bypass Proxy for These Destination IPs using an Alias, it works without problem. But it's not working when I put those in the whitelist file.

              Since I've got it working, at least by capturing all IPs, I can live with it. But I wonder: is there any difference between using Bypass Proxy for These Destination IPs and the whitelist.acl file?
              Thanks.

              • viktor_g (Netgate) @zacha

                @zacha fixed in squid 0.4.44_15

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.