Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid need help on script to auto add urls to whitelist when there is an ssl error

    Scheduled Pinned Locked Moved Cache/Proxy
    1 Posts 1 Posters 447 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      aGeekhere
      last edited by aGeekhere

      Hi all, what I am trying to do it auto add urls/domains which have ssl errors to a whitelist file instead of doing it manually. The goal is to have all sites be bumped by default except whitelist urls and urls which have returned an ssl errors (which cannot be proxied and need to be whitelisted). By doing this you will not need to add exceptions to domains which cannot be proxied.

      I think I am close however I still have issues.
      Here is the setup
      So setting SSL/MITM Mode to custom
      Under Custom Options (SSL/MITM)

      # Define the external ACL
      external_acl_type SSL_CHECKER ttl=60 negative_ttl=5 concurrency=10 %URI /home/check_site_status.sh
      
      # Create an ACL that uses the external ACL
      acl SSL_WHITELIST external SSL_CHECKER
      
      # Allow HTTP CONNECT requests that match the ACL and splice the connection
      http_access allow CONNECT SSL_WHITELIST
      ssl_bump splice SSL_WHITELIST
      ssl_bump bump all
      

      The script checks for an ssl error and adds it to the white list file.
      check_site_status.sh

      #!/bin/sh
      
      # Define the whitelist file
      WHITELIST="/home/whitelist.txt"
      
      # This function checks if a website returns an SSL error
      check_ssl_error() 
      {
      	domain=$1
          # Use openssl to check the SSL certificate of the domain
          echo | openssl s_client -servername "$domain" -connect "$domain":443 2>&1 | grep -q "Verify return code: 0 (ok)" 
          return $?
      }
      
      # This function adds a domain to the Squid's whitelist
      add_to_whitelist() 
      {
          domain=$1
          domain=$(echo "$domain" | sed 's/^[0-9]* //;s/:443 -//;s/^ *//;s/ *$//')
          # Check if the domain is already in the whitelist
          if ! grep -q "^$domain$" $WHITELIST; then
              # If not, add the domain to the whitelist
              echo "$domain" >> $WHITELIST
          fi
      }
      
      # Main loop that reads domains from stdin
      while read domain; do
          # Check if the domain returns an SSL error
          if check_ssl_error "$domain"; then
              echo "No SSL error for $domain"
          else
              echo "SSL error for $domain, adding to whitelist"
              add_to_whitelist "$domain"
          fi
      done
      

      Note the follow file permissions
      -rwxrwxrwx 1 squid proxy check_site_status.sh
      -rwxrwxrwx 1 squid proxy whitelist.txt
      If anyone sees the issue post below

      Never Fear, A Geek is Here!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.