ACL > Whitelist not considered when using Remote ACL
t.mayer:
@Amr: Thanks for your response!
I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.
NAT-Rules:
* Interface: LAN / Proto: TCP / Destination-Port: 80 / NAT-IP: 127.0.0.1 / NAT-Port: 3128
* Interface: LAN / Proto: TCP / Destination-Port: 443 / NAT-IP: 127.0.0.1 / NAT-Port: 3129
The problem is that the whitelist (e.g. for instagram.com) is not considered when using a remote ACL (e.g. shallalist with active category socialnet) when using the proxy in transparent/ssl/sni-mode.
The whitelist is only considered when the proxy is used in non-transparent mode.
Greetings
Tom
Amr:
--- Quote ---The whitelist is only considered when the proxy is used in non-transparent mode.
--- End quote ---
Can you reply with the error that squid returns when Instagram gets blocked?
Also, you might want to reset the cache under the "Support" tab and restart the proxy.
t.mayer:
The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID
I have reset the cache and restarted squid lots of times...
Can you test if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?
I think it's a bug!
Amr:
--- Quote ---The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID
--- End quote ---
Weird, are you using an internal certificate?
In some rare cases that I have encountered, the antivirus was to blame; try disabling it.
--- Quote ---Can you test if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?
--- End quote ---
I did test it, works fine, but to be frank I didn't reset the cache.
My current setup is a transparent proxy with an internal certificate and SSL inspection with some sites in SSL no bump sites, but I don't use shallalist but rather custom rules (I did use shallalist and it worked fine too).
A word of caution: using Log SNI information only won't block VPN connections made on https port.
t.mayer:
@Amr
Thanks for trying to help me. But I think - sorry if this is impolite - you cannot help me until you really want to recognize my problem.
You say that it is weird that I am using an internal certificate - 5 lines further you explain that you are using an internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote ACL like shallalist.
The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entries are blocked. All the rest is working as expected.
Greetings and thanks for your help.