[squid-users] Squid, Gmail.com and HSTS.
Michael Monette
mmonette at 2keys.ca
Wed Jun 10 14:25:21 UTC 2015
Hi again,
I finally had some time to get back into this, been a busy couple weeks. I compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and now things seem to be working better with ssl::servername. But for some reason I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is getting their certificate from the real sites and I don't really know why because it's the same config as before.
Here's a small capture of the logs:
1433945978.888 95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html
1433945978.918 306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 -
1433945978.994 72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945979.147 65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.152 58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.972 1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945981.527 50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945981.753 52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945982.006 100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html
1433945983.769 55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html
All the HTTPS traffic are just CONNECT's. I feel like I ran into this problem when I had been working on this a couple weeks and I was able to get myself out of it by messing with the bump steps, but I can't seem to figure it out this time(or I just can't remember). Hoping for some guidance or hints.
Here's my log again:
# cat /etc/squid/squid.conf
~
debug_options ALL,9
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump step2 all
ssl_bump bump step3 all
acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com
#acl bl1 url_regex -i ^http(s)?://gmail.com
#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.*
#acl bl3 url_regex -i ^http(s)?://moz.com.*
#acl bl4 url_regex -i moz.com
deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless.
http_reply_access deny bl1 # useless
#http_access deny bl1
#http_access deny bl1 CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 accel vhost allow-direct
#https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv2
sslproxy_options NO_SSLv3
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
----- Original Message -----
From: "Amos Jeffries" <squid3 at treenet.co.nz>
To: "Michael Monette" <mmonette at 2keys.ca>
Cc: "squid-users" <squid-users at lists.squid-cache.org>
Sent: Wednesday, May 27, 2015 7:14:57 PM
Subject: Re: [squid-users] Squid, Gmail.com and HSTS.
On 28/05/2015 6:33 a.m., Michael Monette wrote:
> Yeah I don't know what I am doing wrong but I don't have these ACL types..Or I am somehow not copy & pasting properly:
>
> FATAL: Invalid ACL type 'ssl::server_name'
> FATAL: Bungled /etc/squid/squid.conf line 54: acl nobumpsites ssl::server_name .google.com
> Squid Cache (Version 3.5.4): Terminated abnormally.
> CPU Usage: 0.005 seconds = 0.003 user + 0.002 sys
> Maximum Resident Size: 24096 KB
> Page faults with physical i/o: 0
> Squid restarted
> [root at ottt-corp-paz-squid-1 squid-3.5.4]# squid -v
> Squid Cache: Version 3.5.4
> Service Name: squid
> configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-included-ltdl' --enable-ltdl-convenience
>
You are missing the --with-openssl --enable-ssl-crtd options on this build.
Amos
More information about the squid-users
mailing list