Squid ACL Whitelist not working



  • Hi All,
    I have Squid proxy in transparent mode for HTTP/HTTPS with splice all mode. I want a bunch of URLs to skip Squid, so I thought to add the DNS records to the whitelist; however, it seems like the whitelist is ignored by Squid.
    Below is my list:

    .tdesktop.com
    .whatsapp.com
    .whatsapp.net
    .facebook.com

    Any suggestion?



  • Hi lvrfrc87,

    I am unfortunately in the same boat as you. I've been testing Squid on pfSense 2.3.4 release P1 for a few days now and I've hit the same wall as you. Here's what I've been trying to do and how I've so far managed to accomplish it:

    I wanted to set up a "no bump sites" list for bank sites that the household accesses, and according to the GUI descriptions, when setting up the MITM (man in the middle) through the GUI there is an option that states that Squid will "Splice whitelist/bump rest", meaning that anything that is put in the whitelist section of the ACL should bypass the Squid MITM and allow the site's native SSL cert to come through and take over. This has proven to be a headache doing it through the GUI.

    Here's what I had to do to get that to work:

    1. Under the Squid General Settings (services -> Squid Proxy Server), in the SSL Man In the Middle Filtering section, I changed SSL/MITM Mode to Custom.
    2. I scrolled all the way to the bottom and clicked Show Advanced Options.
    3. In the Custom Options section, you can type commands directly to Squid to tell it what is an ACL and if it should be spliced or bumped (meaning if it should be bypassed or monitored/scanned). Here's what mine looks like; I followed the example under the details section of the Custom Options:

    # some banking sites that should not be MITM-ed
    acl serverIsBank ssl::server_name .paypal.com

    # splice bank sites
    ssl_bump splice serverIsBank

    # get SNI obtained by parsing TLS Client Hello during step2
    # (which is instructed by ssl_bump peek step1)
    ssl_bump peek step1

    # bump everything else (all sites not defined above)
    ssl_bump bump all

    I'm still a noob at this, but so far this has been working through my testing. Hope this helps/points you in the right direction as well.



  • It is broken. I am wondering if no one uses SSL bumping, which is the most important firewall feature nowadays in any managed environment, in my opinion.

    What "Splice Whitelist, Bump Otherwise" does is

    http_access allow whitelist
    ssl_bump peek step1
    ssl_bump splice whitelist
    ssl_bump bump all

    where

    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"

    but according to the Squid wiki:

    'At no point during ssl_bump processing will dstdomain ACL work. That ACL relies on HTTP message details that are not yet decrypted. An ssl::server_name acl type is provided instead that uses CONNECT, SNI, or server certificate Subject name (whichever is available).'

    So the 'ssl_bump splice whitelist' directive is just useless.
    What you did is the right way. Hopefully someone will fix this at some point.

    What you can do to mimic the behaviour which is described in the web interface is use 'custom' and custom options like

    acl noBump ssl::server_name -i "/var/squid/acl/whitelist.acl"
    ssl_bump splice noBump
    ssl_bump peek step1
    ssl_bump bump all

    or (if you wish to use regexes)

    acl noBump ssl::server_name_regex -i "/var/squid/acl/whitelist.acl"
    ssl_bump splice noBump
    ssl_bump peek step1
    ssl_bump bump all
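The two variants above differ only in how the entries of whitelist.acl are matched against the TLS server name. The following is an added illustration, not code from the thread or from pfSense: it reads a constructed whitelist.acl, applies the leading-dot domain matching that `ssl::server_name` uses and the regex matching that `ssl::server_name_regex` uses, and flags entries that are bare IP literals, which can only match a server name that is the same literal (a TLS SNI carries a hostname). The file contents and hostnames are made up for the example.

```python
import ipaddress
import re

# Constructed sample of /var/squid/acl/whitelist.acl (not the poster's file).
WHITELIST_ACL = """\
# sites that must not be bumped
.tdesktop.com
.whatsapp.com
.whatsapp.net
.facebook.com
paypal.com
203.0.113.10
"""

def load_acl(text):
    """Return the non-empty, non-comment entries of a Squid ACL list file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '#' comments and blanks
        if line:
            entries.append(line)
    return entries

def domain_entry_matches(entry, server_name):
    """Domain-style matching as used by dstdomain and ssl::server_name (-i):
    a leading dot matches the domain itself plus every subdomain,
    an entry without a leading dot matches only that exact name."""
    entry, server_name = entry.lower(), server_name.lower().rstrip(".")
    if entry.startswith("."):
        return server_name == entry[1:] or server_name.endswith(entry)
    return server_name == entry

def server_name_allowed(entries, server_name):
    """acl noBump ssl::server_name -i "<file>": splice if any entry matches."""
    return any(domain_entry_matches(e, server_name) for e in entries)

def server_name_regex_allowed(entries, server_name):
    """acl noBump ssl::server_name_regex -i "<file>": entries are regexes, so
    the unescaped dots in a domain-style list match any character."""
    return any(re.search(e, server_name, re.IGNORECASE) for e in entries)

def ip_literal_entries(entries):
    """Entries that are IP addresses: an SNI is a hostname, so these match
    nothing in a server_name ACL (use the IP bypass for such traffic)."""
    found = []
    for e in entries:
        try:
            ipaddress.ip_address(e.lstrip("."))
            found.append(e)
        except ValueError:
            pass
    return found

ENTRIES = load_acl(WHITELIST_ACL)
```

Reusing a dotted-domain list unchanged as `ssl::server_name_regex` overmatches: `.whatsapp.com` as a regex also accepts `notwhatsapp.com`.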



  • Thank you very much for that information and pointing me to the right direction.
    Added a ticket.



  • @zacha Hi, thanks for the method. It works like a charm on bank websites. However, it's not working for Windows applications, I guess. Example: the League of Legends game is not working (the launcher says I'm still offline). You may wonder, since the League of Legends game uses many IPs. I'm using the TcpLogView software to capture all of the connecting IPs of the League of Legends launcher and wrote them into the whitelist.acl file. I'm sure I've captured all IPs and included them in the whitelist.
    Note: If I put those IPs in Transparent Proxy Settings -> Bypass Proxy for These Destination IPs using an Alias, it works without problem. But it's not working when I put those in the whitelist file.

    Since I've got it working, at least by capturing all IPs, I can live with it. But I wonder, is there any difference between using Bypass Proxy for These Destination IPs and the whitelist.acl file?
    Thanks.