[squid-users] Squid 3.4.8 with ssl-bump config.

Tony Peña emperor.cu at gmail.com
Thu May 21 09:50:28 UTC 2015


Hi again..

Now the compilation works OK, but I have issues with HTTPS sites.

Squid starts OK, but I can't see HTTPS sites in the browser. I made the certificate and put myCA.der on the Windows client.

I tested it with:
1- ssl-bump server-first all
2- ssl-bump client-first all

testing with and without these ACLs...
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow TrustedName
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

and nothing: I can't see HTTPS sites like mail.yahoo.com or facebook.com.

The browser keeps showing:
ERROR SSL CONNECTION
ERR_SSL_PROTOCOL

I rebuilt /var/spool/squid_ssldb again many times.

and the logs keep saying...

1432201755.569      0 172.16.1.20 TAG_NONE/400 3640 Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
1432201756.077      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.078      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.085      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.090      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.094      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.381      1 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.383      1 172.16.1.20 TAG_NONE/400 3616 v%C9%F0O%C9%E6%BB%A1%D2 - HIER_NONE/- text/html
1432201756.391      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.395      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.399      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.662      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.663      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.670      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.675      0 172.16.1.20 TAG_NONE/400 3672 %05%D5%846S/%60%E5&e@%60%D5=%CA%27%E5%E7 - HIER_NONE/- text/html
1432201756.680      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html

Here is my config:
----------------------------------
# squid3 -k parse
2015/05/21 05:42:10| Startup: Initializing Authentication Schemes ...
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'basic'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'digest'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'negotiate'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'ntlm'
2015/05/21 05:42:10| Startup: Initialized Authentication.
2015/05/21 05:42:10| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/05/21 05:42:10| Processing: http_port 172.16.1.10:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem
2015/05/21 05:42:10| Starting Authentication on port 172.16.1.10:3128
2015/05/21 05:42:10| Disabling Authentication on port 172.16.1.10:3128 (interception enabled)
2015/05/21 05:42:10| Processing: hostname_aliases debian-template.ctimegroup.local
2015/05/21 05:42:10| Processing: visible_hostname debian-template
2015/05/21 05:42:10| Processing: hierarchy_stoplist cgi-bin ?
2015/05/21 05:42:10| Processing: acl QUERY urlpath_regex cgi-bin \?
2015/05/21 05:42:10| Processing: no_cache deny QUERY
2015/05/21 05:42:10| Processing: cache_mem 1024 MB
2015/05/21 05:42:10| Processing: cache_replacement_policy heap LFUDA
2015/05/21 05:42:10| Processing: cache_dir aufs /var/spool/squid3 4096 16 256
2015/05/21 05:42:10| Processing: cache_log /var/log/squid3/cache.log
2015/05/21 05:42:10| Processing: cache_store_log none
2015/05/21 05:42:10| Processing: cache_effective_user proxy
2015/05/21 05:42:10| Processing: cache_effective_group proxy
2015/05/21 05:42:10| Processing: maximum_object_size 1024 KB
2015/05/21 05:42:10| Processing: prefer_direct on
2015/05/21 05:42:10| Processing: ftp_user anonymous at proxy.sld.cu
2015/05/21 05:42:10| Processing: negative_ttl 5 minutes
2015/05/21 05:42:10| Processing: positive_dns_ttl 6 hours
2015/05/21 05:42:10| Processing: negative_dns_ttl 5 minutes
2015/05/21 05:42:10| Processing: coredump_dir /var/spool/squid3
2015/05/21 05:42:10| Processing: shutdown_lifetime 3 seconds
2015/05/21 05:42:10| Processing: logfile_rotate 10
2015/05/21 05:42:10| Processing: access_log /var/log/squid3/access.log squid
2015/05/21 05:42:10| Processing: half_closed_clients off
2015/05/21 05:42:10| Processing: strip_query_terms on
2015/05/21 05:42:10| Processing: refresh_pattern ^ftp:       1440    20%     10080
2015/05/21 05:42:10| Processing: refresh_pattern ^gopher:    1440    0%      1440
2015/05/21 05:42:10| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
2015/05/21 05:42:10| Processing: refresh_pattern .       0   20% 4320
2015/05/21 05:42:10| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
2015/05/21 05:42:10| Processing: acl SSL_ports port 443 8443 12048 2083
2015/05/21 05:42:10| Processing: acl Safe_ports port 440-442     # http
2015/05/21 05:42:10| Processing: acl Safe_ports port 443
2015/05/21 05:42:10| Processing: acl Safe_ports port 80          # http
2015/05/21 05:42:10| Processing: acl Safe_ports port 21          # ftp
2015/05/21 05:42:10| Processing: acl Safe_ports port 443         # https, snews
2015/05/21 05:42:10| Processing: acl Safe_ports port 1025-8081   # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 8082-9999   # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 10001-65535 # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 280         # http-mgmt
2015/05/21 05:42:10| Processing: acl CONNECT method CONNECT
2015/05/21 05:42:10| Processing: acl localhost src 192.168.207.51 172.16.1.10
2015/05/21 05:42:10| Processing: http_access allow localhost
2015/05/21 05:45:51| Processing: ssl_bump server-first all
2015/05/21 05:42:10| Processing: sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
2015/05/21 05:42:10| Processing: sslcrtd_children 50 startup=1 idle=1
2015/05/21 05:42:10| Processing: acl TrustedName url_regex ^https://www.facebook.com
2015/05/21 05:42:10| Processing: acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
2015/05/21 05:42:10| Processing: sslproxy_cert_error allow TrustedName
2015/05/21 05:42:10| Processing: sslproxy_cert_error allow BadSite
2015/05/21 05:42:10| Processing: sslproxy_cert_error deny all
2015/05/21 05:42:10| Processing: acl network src 172.16.1.0/24 192.168.207.0/24
2015/05/21 05:42:10| Processing: http_access allow network
2015/05/21 05:42:10| Processing: acl purge method PURGE
2015/05/21 05:42:10| Processing: http_access deny !Safe_ports
2015/05/21 05:42:10| Processing: http_access deny CONNECT !SSL_ports
2015/05/21 05:42:10| Processing: http_access deny all
2015/05/21 05:42:10| Processing: always_direct allow all
2015/05/21 05:42:10| Processing: forward_max_tries 25
2015/05/21 05:42:10| Processing: never_direct allow all
2015/05/21 05:42:10| Processing: max_filedesc 16384
2015/05/21 05:42:10| Processing: dns_nameservers 8.8.8.8
2015/05/21 05:42:10| Processing: dns_nameservers 8.8.4.4
2015/05/21 05:42:10| Processing: positive_dns_ttl 8 hours
2015/05/21 05:42:10| Processing: negative_dns_ttl 30 seconds
2015/05/21 05:42:10| Initializing https proxy context
2015/05/21 05:42:10| Initializing http_port 172.16.1.10:3128 SSL context
2015/05/21 05:42:10| Using certificate in /etc/squid3/ssl/myCA.pem

Any idea?

Thanks
-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
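A small triage script for the access.log pattern quoted above (an added example, not code from the poster or from the Squid project): it parses Squid's native log format, flags TAG_NONE/400 entries whose "URL" field is either `error:invalid-request` or percent-encoded binary that no HTTP client would send, and counts them per client. That shape is what a raw TLS record parsed as an HTTP request line looks like. The sample lines are the first three from the post plus one constructed normal request; the 9-token handling is an assumption drawn from the two line shapes in the post.

```python
"""Flag Squid access.log entries that look like raw TLS bytes parsed as HTTP."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Native format: time elapsed client code/status bytes method URL user hier/peer type
# Sample: three lines taken from the post plus one constructed 200 OK request.
SAMPLE_LOG = """\
1432201755.569 0 172.16.1.20 TAG_NONE/400 3640 Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
1432201756.077 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.078 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201760.000 12 172.16.1.21 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html
"""

NONPRINTABLE = re.compile(rb"[^\x20-\x7e]")  # anything outside printable ASCII


def looks_like_non_http(url: str) -> bool:
    """True if the 'URL' field cannot have come from an HTTP request line."""
    if url == "error:invalid-request":
        return True
    return NONPRINTABLE.search(unquote_to_bytes(url)) is not None


def parse_line(line: str):
    """Split one native-format line into the fields the check needs."""
    f = line.split()
    if len(f) < 9:
        return None
    code, _, status = f[3].partition("/")
    # Assumption: the 9-token lines in the post carry the garbage where the
    # method/URL pair would be, so take field 5 as the URL-ish token there.
    url = f[6] if len(f) >= 10 else f[5]
    return {"client": f[2], "code": code, "status": int(status), "url": url}


def flag_bad_handshakes(log_text: str) -> Counter:
    """Count, per client, the 400s whose request line was not HTTP at all."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["code"] == "TAG_NONE" and rec["status"] == 400
                and looks_like_non_http(rec["url"])):
            hits[rec["client"]] += 1
    return hits


if __name__ == "__main__":
    for client, n in flag_bad_handshakes(SAMPLE_LOG).items():
        print(f"{client}: {n} non-HTTP request(s) answered with TAG_NONE/400")
```

A non-zero count from a client means its TLS traffic is reaching a listener that expects plain HTTP; in the config above the only listener is `http_port ... intercept ssl-bump`, whereas intercepted HTTPS has to land on an `https_port ... intercept ssl-bump` listener.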