[squid-users] squid 3.5.4 and ssl-bump

Tony Peña emperor.cu at gmail.com
Fri May 22 07:12:53 UTC 2015


Hi Amos...

OK, now I have upgraded and recompiled everything again, from 3.4.8 to 3.5.4.

This is the conf:

root@debian-template:/usr/local/squid/sbin# ./squid -k parse
2015/05/22 03:08:17| Startup: Initializing Authentication Schemes ...
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'basic'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'digest'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'negotiate'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'ntlm'
2015/05/22 03:08:17| Startup: Initialized Authentication.
2015/05/22 03:08:17| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/05/22 03:08:17| Processing: http_port 172.16.1.10:3128
2015/05/22 03:08:17| Processing: https_port 172.16.1.10:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
2015/05/22 03:08:17| Starting Authentication on port 172.16.1.10:3129
2015/05/22 03:08:17| Disabling Authentication on port 172.16.1.10:3129 (interception enabled)
2015/05/22 03:08:17| Processing: acl QUERY urlpath_regex cgi-bin \?
2015/05/22 03:08:17| Processing: no_cache deny QUERY
2015/05/22 03:08:17| Processing: access_log /var/log/squid3/access.log squid
2015/05/22 03:08:17| Processing: coredump_dir /var/spool/squid3
2015/05/22 03:08:17| Processing: refresh_pattern ^ftp:       1440    20%     10080
2015/05/22 03:08:17| Processing: refresh_pattern ^gopher:    1440    0%      1440
2015/05/22 03:08:17| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
2015/05/22 03:08:17| Processing: refresh_pattern .       0   20% 4320
2015/05/22 03:08:17| Processing: cache_dir aufs /var/spool/squid3 4096 16 256
2015/05/22 03:08:17| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
2015/05/22 03:08:17| Processing: acl SSL_ports port 25      # Protocols
2015/05/22 03:08:17| Processing: acl SSL_ports port 110      # to can
2015/05/22 03:08:17| Processing: acl SSL_ports port 143     # allow hit
2015/05/22 03:08:17| Processing: acl SSL_ports port 465     # gmail account
2015/05/22 03:08:17| Processing: acl SSL_ports port 587     # on the
2015/05/22 03:08:17| Processing: acl SSL_ports port 993     # internet
2015/05/22 03:08:17| Processing: acl SSL_ports port 995     # behind a firewall
2015/05/22 03:08:17| Processing: acl SSL_ports port 443
2015/05/22 03:08:17| Processing: acl SSL_ports port 563
2015/05/22 03:08:17| Processing: acl Safe_ports port 80      # http
2015/05/22 03:08:17| Processing: acl Safe_ports port 21      # ftp
2015/05/22 03:08:17| Processing: acl Safe_ports port 443     # https
2015/05/22 03:08:17| Processing: acl Safe_ports port 70      # gopher
2015/05/22 03:08:17| Processing: acl Safe_ports port 210     # wais
2015/05/22 03:08:17| Processing: acl Safe_ports port 1025-65535  # unregistered ports
2015/05/22 03:08:17| Processing: acl Safe_ports port 280     # http-mgmt
2015/05/22 03:08:17| Processing: acl Safe_ports port 488     # gss-http
2015/05/22 03:08:17| Processing: acl Safe_ports port 591     # filemaker
2015/05/22 03:08:17| Processing: acl Safe_ports port 777     # multiling http
2015/05/22 03:08:17| Processing: acl CONNECT method CONNECT
2015/05/22 03:08:17| Processing: acl purge method PURGE
2015/05/22 03:08:17| Processing: acl network src 172.16.1.0/24
2015/05/22 03:08:17| Processing: cache_mem 64 MB
2015/05/22 03:08:17| Processing: http_access allow manager localhost
2015/05/22 03:08:17| Processing: http_access deny manager
2015/05/22 03:08:17| Processing: http_access deny !Safe_ports
2015/05/22 03:08:17| Processing: http_access deny CONNECT !SSL_ports
2015/05/22 03:08:17| Processing: http_access allow localhost
2015/05/22 03:08:17| Processing: http_access allow network CONNECT
2015/05/22 03:08:17| Processing: http_access deny all
2015/05/22 03:08:17| Processing: ssl_bump server-first all
2015/05/22 03:08:17| Processing: sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
2015/05/22 03:08:17| Processing: sslproxy_version 3
2015/05/22 03:08:17| Processing: sslproxy_options ALL
2015/05/22 03:08:17| Processing: always_direct allow all
2015/05/22 03:08:17| Processing: never_direct allow all
2015/05/22 03:08:17| Processing: max_filedesc 16384
2015/05/22 03:08:17| Processing: dns_nameservers 8.8.8.8
2015/05/22 03:08:17| Processing: dns_nameservers 8.8.4.4
2015/05/22 03:08:17| Processing: positive_dns_ttl 8 hours
2015/05/22 03:08:17| Processing: negative_dns_ttl 30 seconds
2015/05/22 03:08:17| Initializing https proxy context
2015/05/22 03:08:17| Initializing https_port 172.16.1.10:3129 SSL context
2015/05/22 03:08:17| Using certificate in /etc/squid3/ssl/myCA.pem

And now the error is different.

I can't see any site, http or https.

And the logs say:

1432278470.317      0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.320      0 172.16.1.20 TAG_NONE/400 2223 GET /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.323      0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.327      0 172.16.1.20 TAG_NONE/400 2223 GET /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278472.729      0 172.16.1.20 TAG_NONE/400 2193 GET /pki/crl/products/MicRooCerAut_2010-06-23.crl - HIER_NONE/- text/html
1432278477.871      0 172.16.1.20 TAG_NONE/400 2159 GET /pki/crl/products/WinPCA.crl - HIER_NONE/- text/html
1432278482.222      0 172.16.1.20 TAG_NONE/400 2333 POST /service/update2?cup2key=5:1028882439&cup2hreq=1beabeae3a9008aa500f171f3efd92cac82574e42989d76d9104766a07e2e021 - HIER_NONE/- text/html
1432278482.244      0 172.16.1.20 TAG_NONE/400 2333 POST /service/update2?cup2key=5:3993259034&cup2hreq=1beabeae3a9008aa500f171f3efd92cac82574e42989d76d9104766a07e2e021 - HIER_NONE/- text/html
1432278483.049      0 172.16.1.20 TAG_NONE/400 2201 GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl - HIER_NONE/- text/html

Remember we need to check normal http use with ACL syntax (that part is OK; I just need the config right to be able to see the same using this ssl-bump, for example for domains such as facebook or similar).

Thanks
-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
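Every access.log entry quoted in the post has the same shape: status 400, TAG_NONE, HIER_NONE (no upstream was ever selected) and a URL field that is only a path, with no scheme or host. As an added example, not part of the post and not Squid's own code, here is a small parser for Squid's native "squid" logformat that separates such parse-time rejections from requests that were actually forwarded. The four sample lines are taken from the post; the two TCP_MISS/200 lines are constructed for contrast, and example.invalid and 203.0.113.10 are placeholders.

```python
"""Classify Squid native-format access.log lines by where the request ended up.

Added example, not part of the original post or of the Squid project.  It
parses the 'squid' logformat (timestamp, elapsed ms, client, result/status,
bytes, method, URL, rfc931 user, hierarchy/peer, content-type) and separates
parse-time rejections (status 400 with HIER_NONE, i.e. Squid answered before
choosing any upstream) from requests that were forwarded.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Four of the lines quoted in the post (all 400 / HIER_NONE, path-only URLs).
SAMPLE_LOG = """\
1432278470.317      0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.320      0 172.16.1.20 TAG_NONE/400 2223 GET /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278472.729      0 172.16.1.20 TAG_NONE/400 2193 GET /pki/crl/products/MicRooCerAut_2010-06-23.crl - HIER_NONE/- text/html
1432278482.222      0 172.16.1.20 TAG_NONE/400 2333 POST /service/update2?cup2key=5:1028882439&cup2hreq=1beabeae3a9008aa500f171f3efd92cac82574e42989d76d9104766a07e2e021 - HIER_NONE/- text/html
"""

# Constructed lines (hypothetical host and peer address) showing what a
# request that Squid actually routed looks like in the same format.
CONSTRUCTED_OK = """\
1432278490.101    152 172.16.1.20 TCP_MISS/200 5120 GET http://example.invalid/index.html - HIER_DIRECT/203.0.113.10 text/html
1432278491.555     88 172.16.1.20 TCP_MISS/200 9876 GET https://example.invalid/login - HIER_DIRECT/203.0.113.10 text/html
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str
    status: int
    size: int
    method: str
    url: str
    user: str
    hier: str
    peer: str
    ctype: str


def parse_line(line: str) -> Entry:
    """Parse one 'squid' logformat line.  Squid escapes whitespace inside the
    URL field in this format, so splitting on runs of blanks is safe."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], f[7], hier, peer, f[9])


def is_absolute_url(url: str) -> bool:
    """True when the URL carries a scheme and host, which a proxy needs to route."""
    parts = urlsplit(url)
    return bool(parts.scheme and parts.netloc)


def classify(entry: Entry) -> str:
    """Label where the request died: rejected at parse time, served by Squid
    itself, or forwarded to an upstream."""
    if entry.status == 400 and entry.hier == "HIER_NONE":
        # 400 with no hierarchy choice: Squid rejected the request before any
        # forwarding took place.  A path-only URL means there was no host to
        # route to at all.
        base = "rejected-before-routing"
        return base if is_absolute_url(entry.url) else base + " (relative URL)"
    if entry.hier == "HIER_NONE":
        return "served-locally"
    return "forwarded"


def summarize(log_text: str) -> Counter:
    """Count entries by classification label."""
    return Counter(classify(parse_line(l)) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG + CONSTRUCTED_OK).most_common():
        print(f"{n:4d}  {label}")
```

Run against a real access.log (`python3 classify.py < /var/log/squid3/access.log` after swapping the sample for `sys.stdin.read()`), a run in which every entry lands in the "rejected-before-routing (relative URL)" bucket tells you the proxy never got as far as choosing a route or bumping anything, which narrows where to look compared with a mix of forwarded and rejected entries.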
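Two lines in the quoted `squid -k parse` output deserve a look regardless of the 400s: the https_port cipher list contains explicit RC4 suites (ECDHE-RSA-RC4-SHA and RC4-SHA; RC4 is prohibited for TLS by RFC 7465), and `sslproxy_version 3` is not "TLS" but, per Squid 3.5's squid.conf.documented (1 automatic, 2 SSLv2 only, 3 SSLv3 only, 4 TLSv1.0 only, 5 TLSv1.1 only, 6 TLSv1.2 only), pins every server-side connection to SSLv3 only. The following is an added check, not code from the post or from the Squid project, that scans the parse output for both; the sample is the relevant subset of the output above with the https_port line unwrapped onto one line as squid prints it.

```python
"""Flag weak TLS settings in 'squid -k parse' output.

Added example, not part of the original post or of the Squid project.  It
reads the 'Processing: <directive> <args>' lines that squid -k parse prints
and reports:

  * explicit RC4 suites in a port's cipher= list (RC4 is prohibited for TLS
    by RFC 7465; only explicit tokens are checked, aliases such as HIGH are
    not expanded, and exclusions like !RC4 are ignored);
  * sslproxy_version values other than 1.  Per Squid 3.5's
    squid.conf.documented: 1=automatic, 2=SSLv2 only, 3=SSLv3 only,
    4=TLSv1.0 only, 5=TLSv1.1 only, 6=TLSv1.2 only.
"""
import re

# Subset of the parse output quoted in the post (https_port unwrapped).
SAMPLE_PARSE_OUTPUT = """\
2015/05/22 03:08:17| Processing: http_port 172.16.1.10:3128
2015/05/22 03:08:17| Processing: https_port 172.16.1.10:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
2015/05/22 03:08:17| Processing: ssl_bump server-first all
2015/05/22 03:08:17| Processing: sslproxy_version 3
2015/05/22 03:08:17| Processing: sslproxy_options ALL
"""

# Meaning of each sslproxy_version value in Squid 3.5 (squid.conf.documented).
SSLPROXY_VERSION = {
    "1": "automatic",
    "2": "SSLv2 only",
    "3": "SSLv3 only",
    "4": "TLSv1.0 only",
    "5": "TLSv1.1 only",
    "6": "TLSv1.2 only",
}

PROCESSING_RE = re.compile(r"\| Processing: (\S+)\s*(.*)$")


def directives(parse_output: str):
    """Yield (directive, argument string) for each 'Processing:' line."""
    for line in parse_output.splitlines():
        m = PROCESSING_RE.search(line)
        if m:
            yield m.group(1), m.group(2).strip()


def rc4_suites(cipher_list: str) -> list:
    """Explicit RC4 tokens in an OpenSSL cipher string.  Aliases (HIGH, ...)
    are not expanded and exclusion tokens (!RC4, -RC4) are not counted."""
    return [tok for tok in cipher_list.split(":")
            if "RC4" in tok.upper() and not tok.startswith(("!", "-"))]


def find_weak_tls(parse_output: str) -> list:
    """Return (directive, message) pairs for the weak settings found."""
    findings = []
    for name, args in directives(parse_output):
        if name in ("http_port", "https_port"):
            m = re.search(r"\bcipher=(\S+)", args)
            if m and rc4_suites(m.group(1)):
                findings.append((name, "cipher list includes RC4 suites: "
                                 + ", ".join(rc4_suites(m.group(1)))))
        elif name == "sslproxy_version" and args != "1":
            meaning = SSLPROXY_VERSION.get(args, "unknown value")
            findings.append((name, f"{args} = {meaning}; 1 (automatic) negotiates "
                                   "the protocol version instead of pinning one"))
    return findings


if __name__ == "__main__":
    for directive, msg in find_weak_tls(SAMPLE_PARSE_OUTPUT):
        print(f"{directive}: {msg}")
```

Feed it the real output (`./squid -k parse 2>&1 | python3 weak_tls.py` after swapping the sample for `sys.stdin.read()`). Only explicit tokens are inspected, so a cipher string that pulls RC4 in through an alias is not caught; `openssl ciphers -v '<list>'` is the authoritative expansion.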
