
ACL > Whitelist not considered when using Remote ACL


t.mayer:
@Amr: Thanks for your response!

I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.

NAT-Rules:

* Interface: LAN / Proto: TCP / Destination-Port: 80 / NAT-IP: 127.0.0.1 / NAT-Port: 3128
* Interface: LAN / Proto: TCP / Destination-Port: 443 / NAT-IP: 127.0.0.1 / NAT-Port: 3129

The problem is that the whitelist (e.g. for instagram.com) is not considered when using a remote ACL (e.g. shallalist with active category socialnet) when using proxy in transparent/ssl/sni-mode.

The whitelist is only considered when the proxy is used in non-transparent mode.

Greets
Tom

Amr:

--- Quote ---The whitelist is only considered when the proxy is used in non-transparent mode.
--- End quote ---
Can you reply with the error that squid returns when Instagram gets blocked?

Also, you might want to reset the cache under the "Support" tab and restart the proxy.

t.mayer:
The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID

I have reset the cache and restarted squid lots of times...

Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?

I think it's a bug!

Amr:

--- Quote ---The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID
--- End quote ---
Weird, are you using an internal certificate?

In some rare cases that I have encountered the antivirus was to blame, try disabling it.


--- Quote ---Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?
--- End quote ---
I did test it, works fine, but to be frank I didn't reset the cache.

My current setup is a transparent proxy with an internal certificate and SSL inspection with some sites in SSL no bump sites, but I don't use shallalist but rather custom rules (I did use shallalist and it worked fine too).

A word of caution: using Log SNI information only won't block VPN connections made on https port.

t.mayer:
@Amr

Thanks for trying to help me. But I think - sorry if this is impolite - you can not help me until you really want to recognize my problem.

You say that it is weird that I am using an internal certificate - 5 lines further you explain that you are using an internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote ACL like shalla list.

The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entries are blocked. All the rest is working as expected.

Greets and thanks for your help.
