fix: correct URL pattern filtering for SSL Bump mode

Mossaka · claude · Mossaka · commit 6bcee3e833ea · 2026-01-07T23:50:18.000Z
Two issues fixed: 1. URL pattern deny rule was blocking CONNECT requests: - The deny rule `http_access deny allowed_domains` was evaluated for CONNECT requests, blocking SSL bump before the URL check - Added `!CONNECT` to only deny actual HTTP requests after bump - CONNECT requests now pass through for domain-allowed hosts 2. URL pattern regex escaping was corrupting .* wildcards: - Input `https://api.github.com/users/.*` was becoming `^https://api\.github\.com/users/\..*` (incorrect) - Now preserves .* patterns using placeholder before escaping - Output is correctly `^https://api\.github\.com/users/.*` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/squid-config.ts b/src/squid-config.ts
@@ -93,10 +93,24 @@ function generateSslBumpSection(
     urlAclSection = `\n# URL pattern ACLs for HTTPS content inspection\n${urlAcls}\n`;
 
     // Build access rules for URL patterns
+    // When URL patterns are specified, we:
+    // 1. Allow requests matching the URL patterns
+    // 2. Deny all other requests to allowed_domains (they didn't match URL patterns)
     const urlAccessLines = urlPatterns
       .map((_, i) => `http_access allow allowed_url_${i}`)
       .join('\n');
-    urlAccessRules = `\n# Allow HTTPS requests matching URL patterns\n${urlAccessLines}\n`;
+
+    // Deny requests to allowed domains that don't match URL patterns
+    // This ensures URL-level filtering is enforced
+    // IMPORTANT: Use !CONNECT to only deny actual HTTP requests after bump,
+    // not the CONNECT request itself (which must be allowed for SSL bump to work)
+    const denyNonMatching = hasPlainDomains
+      ? 'http_access deny !CONNECT allowed_domains'
+      : hasPatterns
+        ? 'http_access deny !CONNECT allowed_domains_regex'
+        : '';
+
+    urlAccessRules = `\n# Allow HTTPS requests matching URL patterns\n${urlAccessLines}\n\n# Deny requests that don't match URL patterns\n${denyNonMatching}\n`;
   }
 
   return `
diff --git a/src/ssl-bump.ts b/src/ssl-bump.ts
@@ -184,12 +184,19 @@ export function parseUrlPatterns(patterns: string[]): string[] {
     // Remove trailing slash for consistency
     let p = pattern.replace(/\/$/, '');
 
+    // Preserve .* patterns by using a placeholder before escaping
+    const WILDCARD_PLACEHOLDER = '\x00WILDCARD\x00';
+    p = p.replace(/\.\*/g, WILDCARD_PLACEHOLDER);
+
     // Escape regex special characters except *
     p = p.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
 
     // Convert * wildcards to .* regex
     p = p.replace(/\*/g, '.*');
 
+    // Restore .* patterns from placeholder
+    p = p.replace(new RegExp(WILDCARD_PLACEHOLDER, 'g'), '.*');
+
     // Anchor the pattern
     // If pattern ends with .* (from wildcard), don't add end anchor
     if (p.endsWith('.*')) {
