
Why does squid deny the https request but allow the same site with an http request?

I want to allow devs to use only GitHub Copilot and deny every other request. According to GitHub's info: https://docs.github.com/en/copilot/troubleshooting-github-copilot/troubleshooting-firewall-settings-for-github-copilot I added the URLs to a whitelist; here is the whitelist:
[root@web-ide-squid-cache squid]# cat whitelist.txt
.baidu.com
.github.com/login/*
.api.github.com/user
.api.github.com/copilot_internal/*
.copilot-telemetry.githubusercontent.com/telemetry
.default.exp-tas.com/
.copilot-proxy.githubusercontent.com/
.origin-tracker.githubusercontent.com
*.githubcopilot.com
Here is the conf file:
[root@web-ide-squid-cache squid]# cat squid.conf
#
# Recommended minimum configuration:
#
debug_options ALL,1 33,2 28,9
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow whitelist
http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080
http_port 3128 transparent
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
sslproxy_cert_error allow  all
tls_outgoing_options cipher=ALL

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
curl without https succeeds:
coder@cloudide:~$ curl  -v www.baidu.com
*   Trying 182.61.200.7:80...
* Connected to www.baidu.com (182.61.200.7) port 80 (#0)
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse

 百度一下,你就知道  

关于百度 About Baidu

©2017 Baidu 使用百度前必读 意见反馈 京ICP证030173号

* Connection #0 to host www.baidu.com left intact
curl to the same site with https fails:
curl  -v https://www.baidu.com 
*   Trying 182.61.200.6:443...
* Connected to www.baidu.com (182.61.200.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jan 11 12:21:14 2024 GMT
*  expire date: Jan  9 12:21:14 2029 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "www.baidu.com"
*  issuer: C=CN; ST=Beijing; L=Beijing; O=ES; OU=IT Department; CN=easystack.cn; emailAddress=jesse@easystack.cn
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse

ERROR: The requested URL could not be retrieved

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://182.61.200.6/*

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

* Closing connection 0 * TLSv1.2 (OUT), TLS alert, close notify (256):
Here is the cache log for the failed request:
2024/01/24 19:52:38.494 kid1| 28,4| Eui48.cc(179) lookup: id=0x31f5fe4 query ARP table
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(224) lookup: id=0x31f5fe4 query ARP on each interface (120 found)
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface lo
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(230) lookup: id=0x31f5fe4 found interface eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(239) lookup: id=0x31f5fe4 looking up ARP address for 10.0.3.223 on eth0
2024/01/24 19:52:38.495 kid1| 28,4| Eui48.cc(275) lookup: id=0x31f5fe4 got address fa:16:3e:09:f3:23 on eth0
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(70) preCheck: 0x3189708 checking slow rules
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rules)
2024/01/24 19:52:38.495 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/3' is not banned
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking (ssl_bump rule)
2024/01/24 19:52:38.495 kid1| 28,5| Acl.cc(124) matches: checking step1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: step1 = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rule) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Acl.cc(151) matches: checked: (ssl_bump rules) = 1
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(63) markFinished: 0x3189708 answer ALLOWED for match
2024/01/24 19:52:38.495 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x3189708 answer=ALLOWED
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(2748) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=182.61.200.6:443 remote=10.0.3.223:4002 FD 12 flags=33
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(3424) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2024/01/24 19:52:38.496 kid1| 28,3| Checklist.cc(70) preCheck: 0x31a4428 checking slow rules
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !Safe_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking Safe_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: Safe_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !Safe_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#2
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking CONNECT
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: CONNECT = 1
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking !SSL_ports
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking SSL_ports
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: SSL_ports = 1
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: !SSL_ports = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#2 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#3
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking localhost
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs [::1]-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.3.223:4002)  vs 127.0.0.1-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2024/01/24 19:52:38.496 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: localhost = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#3 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#4
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking manager
2024/01/24 19:52:38.496 kid1| 28,3| RegexData.cc(43) match: checking '182.61.200.6:443'
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: manager = 0
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#4 = 0
2024/01/24 19:52:38.496 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking http_access#5
2024/01/24 19:52:38.496 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.496 kid1| 28,3| DestinationDomain.cc(96) match: Can't yet compare 'whitelist' ACL for 182.61.200.6
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access#5 = -1 async
2024/01/24 19:52:38.496 kid1| 28,3| Acl.cc(151) matches: checked: http_access = -1 async
2024/01/24 19:52:38.496 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x3189708
2024/01/24 19:52:38.496 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x3189708
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access at 4
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'ALLOWED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| InnerNode.cc(94) resumeMatchingAt: checking http_access#5 at 0
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking whitelist
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'none'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'none' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: whitelist = 0
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access#5 = 0
2024/01/24 19:52:38.500 kid1| 28,5| Checklist.cc(397) bannedAction: Action 'DENIED/0' is not banned
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking http_access#6
2024/01/24 19:52:38.500 kid1| 28,5| Acl.cc(124) matches: checking all
2024/01/24 19:52:38.500 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.3.223:4002/[::] ([::]:4002)  vs [::]-[::]/[::]
2024/01/24 19:52:38.500 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '10.0.3.223:4002' found
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: all = 1
2024/01/24 19:52:38.500 kid1| 28,3| Acl.cc(151) matches: checked: http_access#6 = 1
2024/01/24 19:52:38.500 kid1| 28,3| InnerNode.cc(97) resumeMatchingAt: checked: http_access = 1
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(63) markFinished: 0x31a4428 answer DENIED for match
2024/01/24 19:52:38.500 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x31a4428 answer=DENIED
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(81) aclIsProxyAuth: aclIsProxyAuth: called for all
2024/01/24 19:52:38.500 kid1| 28,9| Acl.cc(96) FindByName: ACL::FindByName 'all'
2024/01/24 19:52:38.500 kid1| 28,5| Gadgets.cc(86) aclIsProxyAuth: aclIsProxyAuth: returning 0
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(49) aclGetDenyInfoPage: got called for all
2024/01/24 19:52:38.500 kid1| 28,8| Gadgets.cc(68) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431e20
2024/01/24 19:52:38.500 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x31a4428
2024/01/24 19:52:38.500 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x31a4428
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431ba0 checking fast ACLs
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.504 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.504 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.504 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431ba0 answer ALLOWED for match
2024/01/24 19:52:38.504 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.504 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431ba0
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(891) kick: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33 Connection was closed
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffe2f431f10 checking fast ACLs
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking access_log daemon:/var/log/squid/access.log
2024/01/24 19:52:38.508 kid1| 28,5| Acl.cc(124) matches: checking (access_log daemon:/var/log/squid/access.log line)
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2024/01/24 19:52:38.508 kid1| 28,3| Acl.cc(151) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2024/01/24 19:52:38.508 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffe2f431f10 answer ALLOWED for match
2024/01/24 19:52:38.508 kid1| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffe2f431f10
2024/01/24 19:52:38.508 kid1| 33,2| client_side.cc(582) swanSong: local=182.61.200.6:443 remote=10.0.3.223:4002 flags=33
Squid version:
[root@web-ide-squid-cache squid]# squid -v
Squid Cache: Version 4.9
Asked by 张龙飞 (1 rep)
Jan 24, 2024, 12:06 PM
Last activity: Jan 25, 2024, 07:02 AM
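Two things in the question's own material are worth checking mechanically. The cache log shows Squid faking a CONNECT for the intercepted TLS connection and then evaluating the `whitelist` dstdomain ACL against the raw destination IP (`checking '182.61.200.6'`), and afterwards against `'none'`, rather than against a host name; and several whitelist entries carry URL paths or a `*` wildcard, which a dstdomain list cannot express (dstdomain compares host names only, a leading dot covering the domain and its subdomains). The Python script below is an added illustration, not part of the question and not Squid code: it lints the whitelist against dstdomain rules and replays the domain checks from a constructed excerpt of the log above, so both problems are visible offline. It models dstdomain as a plain string comparison and does not model Squid's reverse-DNS lookup for IP destinations (which is what produced `'none'` in the log).

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the whitelist file quoted in the question.
WHITELIST = """\
.baidu.com
.github.com/login/*
.api.github.com/user
.api.github.com/copilot_internal/*
.copilot-telemetry.githubusercontent.com/telemetry
.default.exp-tas.com/
.copilot-proxy.githubusercontent.com/
.origin-tracker.githubusercontent.com
*.githubcopilot.com
"""

# Constructed excerpt of the cache.log lines quoted in the question
# (debug sections 33 and 28); only the lines the replay needs are kept.
CACHE_LOG = """\
2024/01/24 19:52:38.495 kid1| 33,2| client_side.cc(3424) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '182.61.200.6'
2024/01/24 19:52:38.496 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '182.61.200.6' NOT found
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'none'
2024/01/24 19:52:38.500 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'none' NOT found
"""

IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_CHECK = re.compile(r"aclMatchDomainList: checking '([^']+)'")


def lint_dstdomain_entry(entry: str) -> Optional[str]:
    """Return why an entry can never match as a dstdomain value, or None.

    dstdomain compares host names only: a '/' path or a '*' is kept as a
    literal character, and no real host name contains either.
    """
    if "/" in entry:
        return "contains a URL path; dstdomain matches host names only"
    if "*" in entry:
        return "contains '*'; dstdomain has no wildcards, use a leading dot instead"
    return None


def dstdomain_matches(entry: str, host: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain itself and every
    subdomain; an entry without a leading dot must match the host exactly.
    An IP literal is compared as a string, so it matches no domain entry
    (Squid's reverse-DNS attempt for IPs is not modelled here)."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def domain_values_checked(log: str) -> List[str]:
    """Values the dstdomain ACL was evaluated against, in log order."""
    return DOMAIN_CHECK.findall(log)


def explain(whitelist_text: str, log: str) -> Dict[str, object]:
    """Lint the list and replay the log's dstdomain checks against it."""
    entries = [ln.strip() for ln in whitelist_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    invalid: Dict[str, str] = {}
    for e in entries:
        problem = lint_dstdomain_entry(e)
        if problem:
            invalid[e] = problem
    checked = domain_values_checked(log)
    matches = {v: [e for e in entries if dstdomain_matches(e, v)] for v in checked}
    return {
        "faked_connect": "fakeAConnectRequest" in log,   # TLS intercept path
        "checked_values": checked,                        # what the ACL saw
        "checked_ip_literals": [v for v in checked if IPV4_LITERAL.match(v)],
        "matches": matches,                               # entries hit per value
        "invalid_entries": invalid,                       # entries that can never match
    }


if __name__ == "__main__":
    report = explain(WHITELIST, CACHE_LOG)
    print("fake CONNECT seen:", report["faked_connect"])
    print("ACL evaluated against:", report["checked_values"])
    for value, hits in report["matches"].items():
        print(f"  {value!r} matched {hits or 'nothing'}")
    print("entries that can never match:")
    for entry, why in report["invalid_entries"].items():
        print(f"  {entry}: {why}")
    print("plain http host check:",
          [e for e in WHITELIST.split() if dstdomain_matches(e, "www.baidu.com")])
```

Run stand-alone, the script reports that the ACL was evaluated against an IP literal and then `none`, that neither matches any entry, that seven of the nine entries can never match a host name, and that `www.baidu.com` (the plain-http request that succeeded) is covered by `.baidu.com`. The same two checks apply to any dstdomain file and any section-28 debug log.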