My Squid proxy has an external_acl_type script, token_auth.py, that parses header values; if the header contains X-My-Header: target-value we allow the request through, otherwise we deny it. Akin to a token authorization system.
token_auth.py:
#!/usr/bin/env python3
import sys

# Squid hands the helper one request per line, with the fields from the
# external_acl_type format (%SRC %METHOD %{X-My-Header}>h) separated by spaces.
while True:
    line = sys.stdin.readline().strip()
    if not line:
        break
    parts = line.split()
    # Guard against a short line so the helper does not die with IndexError.
    if len(parts) < 3:
        sys.stdout.write("ERR\n")
        sys.stdout.flush()
        continue
    header_value = parts[2]
    target_value = "target-value"
    # Check if the target header value is present
    if header_value == target_value:
        sys.stdout.write("OK\n")
    else:
        sys.stdout.write("ERR\n")
    sys.stdout.flush()

We can test that this works fine:
✅ Allowed Through:
curl -x http://localhost:3128 -H "X-My-Header: target-value" http://www.example.com ❌ Not Allowed Through (this is good):
curl -x http://localhost:3128 -H "X-My-Header: WRONG-target-value" http://www.example.com The problem:
However, if we change the example.com URL to an HTTPS URL:
curl -x http://localhost:3128 -H "X-My-Header: target-value" https://www.example.com

We get:
curl: (56) Received HTTP code 403 from proxy after CONNECT

What I am almost positive is happening is that my token_auth.py script cannot parse HTTPS-encrypted headers. I have tried SSL bumping, but no difference. I think I verified this by changing my ACL Python script to allow all connections through.
I have been stuck here for 3 days now. I am not sure what to do. Can anyone point me in the right direction?
Please, please help.
squid.conf:
sslcrtd_children 32 startup=5 idle=1

# Define SSL bumping steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Bumping steps
ssl_bump peek step1
ssl_bump bump step2
ssl_bump bump step3

# Define SSL ports
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# SSL bump configuration
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Define and configure the external ACL helper to check headers
external_acl_type check_headers_helper %SRC %METHOD %{X-My-Header}>h /etc/squid/COOKIE_AUTH/token_auth.py

# Use the external ACL helper in an access control list (ACL)
acl check_headers external check_headers_helper

# Allow access only if headers contain the specific value
http_access allow check_headers

# Deny all other access
http_access deny all

# Handle SSL certificate errors
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

# Squid normally listens to port 3128
http_port 3128

# PID file configuration
pid_filename none

# Header and logging configuration
via off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
logformat custom_log %{%Y-%m-%d %H:%M:%S}tl %>a:%>p %Ss/%03>Hs:%Sh "%rm %ru HTTP/%rv" %mt %>Hs %<st %tr "%{User-Agent}>h" "%{Referer}>h"
access_log /var/log/squid/access.log custom_log

# Disk cache directory
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
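The following is an added example of a Squid external ACL helper written for the format line in the squid.conf above (%SRC %METHOD %{X-My-Header}>h); it is not the poster's token_auth.py. It assumes Squid's default quote=url encoding of the helper fields, Squid's convention of sending "-" for a header that is absent from the request being evaluated, and the message= keyword of the helper result format. The point it makes visible is the CONNECT case: when a client reaches an HTTPS URL through the proxy, the access check runs against the CONNECT request itself, and any header the client only sends to the origin inside the TLS tunnel is not part of that request, so the helper receives "-". Logging each line to stderr (which Squid writes to cache.log) shows exactly what the helper saw, and the token is compared in constant time. The sample lines in the test are constructed.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not the poster's script).

Assumed format line in squid.conf:
    external_acl_type check_headers_helper %SRC %METHOD %{X-My-Header}>h ...
so each request line carries three space-separated, URL-encoded fields, and a
missing header arrives as "-".
"""
import hmac
import sys
from urllib.parse import quote, unquote

# Constructed sample token; a deployment would read it from a file only the
# Squid user can read, not keep it in the script.
TARGET_VALUE = "target-value"
MISSING = "-"  # Squid's placeholder for an absent header value


def parse_request(line: str) -> dict:
    """Split one helper request line into named, URL-decoded fields."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    src, method, header = (unquote(f) for f in fields)
    return {"src": src, "method": method, "header": header}


def decide(line: str) -> str:
    """Return the response Squid expects: 'OK', or 'ERR' with a message= reason."""
    try:
        req = parse_request(line)
    except ValueError as exc:
        # A malformed line must never crash the helper; a dead helper turns
        # every subsequent lookup into an error for the proxy.
        return f"ERR message={quote(str(exc))}"
    if req["header"] == MISSING:
        # Typical for a CONNECT request whose client sent the header only to
        # the origin inside the tunnel, not to the proxy.
        reason = f"header absent on {req['method']} request"
        return f"ERR message={quote(reason)}"
    # Constant-time comparison: timing must not reveal how much of the token matched.
    if hmac.compare_digest(req["header"].encode(), TARGET_VALUE.encode()):
        return "OK"
    return "ERR message=bad_token"


def main() -> None:
    """Helper loop: one request line in, one result line out, flushed each time."""
    for raw in sys.stdin:
        line = raw.rstrip("\n")
        if not line:
            continue
        answer = decide(line)
        # stderr is captured by Squid into cache.log, which is where the "-"
        # for a CONNECT request becomes visible when debugging.
        print(f"token_auth: {line!r} -> {answer}", file=sys.stderr)
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Running it by hand (echo "192.0.2.10 CONNECT -" | ./helper.py) shows the ERR line with its reason, which is the quickest way to confirm what Squid is feeding the helper for a tunnelled request before touching the bumping configuration.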