Transparent Proxy with SSL SNI only inspection and whitelist feature

JDA · September 09, 2023, 11:49:51 PM

I'm currently trying to set up my squid as proxy to restrict internet access to certain servers. As I don't want to update all the clients, I'm trying a transparent proxy with "Log SNI information only".
This works fine as long as I have the client in "Unrestricted IP addresses". The access log shows both a CONNECT to the IP and the actual servername. But as soon as I want to use the whitelist feature, it doesn't work -> I assume the ACL is evaluated too early in the bump/peak process (at_step acl option?).

Am I correct or is it just a layer 8 error?
Has anyone a working example on how to allow some https URLs with a transparent proxy without modifying the clients?

JDA · September 10, 2023, 08:48:36 PM

I tried a few variants, but my current solution right now is:

Code Select

http_access allow bump_step1
acl whiteListSSL ssl::server_name login.microsoftonline.com
http_access allow whiteListSSL

Transparent Proxy with SSL SNI only inspection and whitelist feature

JDA

September 09, 2023, 11:49:51 PM

JDA

September 10, 2023, 08:48:36 PM #1