[squid-users] Problem with ssl_crtd

Eduardo Carneiro eduardoocarneiro at gmail.com
Thu Dec 29 11:10:01 UTC 2016


I admit I am disappointed that this is a known bug that has not been fixed yet.
Until it is, I will not be able to use this feature, because as soon as I
enable ssl-bump on my port, Squid sporadically stops.

Here is the relevant part of my squid.conf. I use url_rewrite, store_id and
some regular expressions to cache dynamic content such as YouTube, for
example.

---
# squid.conf excerpt as posted (lines wrapped by the mailer are left as-is,
# and the archive rewrote "@" as " at " in addresses).
# Squid evaluates acl-driven directives (store_id_access, ssl_bump,
# http_access) top-down, first match wins, so line order matters.
url_rewrite_program /usr/local/bin/simplerewrite

# ACLs that select which requests are sent to the store-id helper.
acl rewritedoms dstdomain .ubuntu.com .fbcdn.net .akamaihd.net
# NOTE(review): the "yt" and "ubuntu" patterns are not anchored to the host
# part, so they match the text anywhere in the URL (path or query included);
# in the "ubuntu" pattern the unescaped "." before "iso" matches any character.
acl yt url_regex -i googlevideo.*videoplayback
acl globo url_regex -i ^https?:\/\/voddownload[0-9]+\.video\.globo\.com.*
acl ubuntu url_regex -i ^https?:\/\/.*ubuntu.*.iso$
acl getmethod method GET

# No limit on fetching the full object for Range requests; presumably
# "-1 KB" makes Squid finish downloads the client aborted — confirm.
range_offset_limit none
quick_abort_min -1 KB

# Store-id helper (command line wrapped by the mailer).
store_id_program /usr/local/bin/dynamic-cache -file
/usr/local/etc/dynamic-cache-db.txt
# Extra fields handed to the helper: client address/FQDN, user name, method,
# local ip/port and the Referer header.
store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp referer=%{Referer}>h"
store_id_children 40 startup=10 idle=5 concurrency=0
# Only GET requests matching the lists above reach the helper.
store_id_access deny !getmethod
store_id_access allow rewritedoms
store_id_access allow yt
store_id_access allow globo
store_id_access allow ubuntu
store_id_access deny all

# Freshness for store-id rewritten keys (squid.internal). NOTE(review):
# ignore-private / ignore-no-store / ignore-auth cache responses the origin
# marked as user-specific; if the helper ever maps two users' URLs to the
# same key, one user's response is served to the other. Keep the key strictly
# content-derived.
refresh_pattern -i squid\.internal 10080 90% 79900 override-lastmod
override-expire ignore-reload ignore-no-store ignore-must-revalidate
ignore-private ignore-auth ignore-no-cache
# NOTE(review): in the four patterns below, "\.*" is "zero or more literal
# dots" and the trailing ".*$" lets the extension match anywhere in the URL
# (e.g. ".bin" inside a path segment or query value), not only at its end.
# That is probably not what was intended.
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms\.*).*$     
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)\.*).*$         
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i
\.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav\.*).*$
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)\.*).*$    
10800 80% 10800 ignore-no-cache override-expire override-lastmod
reload-into-ims

# Never store, and never serve from cache, text/plain responses from googlevideo.
acl text-plain rep_mime_type text/plain
acl youtube_dom dstdomain .googlevideo.com
store_miss deny text-plain youtube_dom
send_hit deny text-plain youtube_dom

# Intercepting CA: the private key in ProxyCert.pem signs every generated
# host certificate, so whoever holds it can impersonate any HTTPS site to
# every client that trusts this CA. Keep it readable by the squid user only.
# This is a plain http_port: the Basic credentials configured below travel
# base64-encoded, not encrypted, between client and proxy.
http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/ProxyCert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Full query strings (which may carry session tokens) are written to access.log.
strip_query_terms off
# Peek at the client hello in step 1, then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# Disable SSLv2/SSLv3 towards origin servers.
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# NOTE(review): ssl_bump is first-match and "bump all" above already matched,
# so this line can never take effect; move it above "ssl_bump bump all" if
# localhost traffic is meant to be left untouched.
ssl_bump none localhost
# SECURITY: together these two lines make Squid accept ANY origin certificate
# (expired, self-signed, wrong host name) and then present the client a
# locally signed certificate it trusts. Clients therefore lose every means of
# detecting a forged or intercepted upstream; a MITM between proxy and origin
# is invisible. Prefer verifying peers and allowing only specific, understood
# error types.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 128 MB
# NOTE(review): no snmp_access rule appears in this excerpt; confirm the SNMP
# agent is restricted to trusted management hosts.
snmp_port 3401
max_filedescriptors 40960
detect_broken_pconn on
pipeline_prefetch off
half_closed_clients off
shutdown_lifetime 1 second
cache_mgr user at domain.com
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
balance_on_multiple_ip off

# Only localhost may PURGE objects. NOTE(review): the rest of the http_access
# policy (who may use the proxy, whether auth is enforced) is not in this excerpt.
acl PURGE method PURGE
http_access deny PURGE !localhost

# Cache sizing and replacement policies.
cache_mem 2097152 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 2048 KB
maximum_object_size 2 GB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /proxycache 307200 16 256
# NOTE(review): cache_access_log is the legacy spelling; current Squid
# releases use access_log — confirm your version still accepts it.
cache_access_log /var/log/squid/access.log
memory_pools off
log_icp_queries off
buffered_logs on
# Duplicate of the half_closed_clients line above; harmless but worth removing.
half_closed_clients off

# Kerberos (Negotiate) authentication.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s
GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off

# LDAP Basic-auth fallback (command line wrapped by the mailer).
# SECURITY: "-w password" places the bind password in clear text in
# squid.conf and on the helper's command line (visible to anyone who can run
# ps); basic_ldap_auth can read it from a root-only file with "-W /path"
# instead. The value shown is presumably a placeholder — if it was the real
# one, rotate it. User passwords themselves arrive base64-encoded over the
# plain http_port configured above.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
"dc=domain,dc=com" -D user at domain.com -w password -f
(|(userPrincipalName=%s)(sAMAccountName=%s)) -h dcserver.domain.com
auth_param basic children 10
# Realm text is shown to users; "you" should read "your" (left unchanged here).
auth_param basic realm Enter you password
# Re-validate cached Basic credentials against LDAP every minute.
auth_param basic credentialsttl 1 minute
---

If you find something wrong, please let me know.

Thanks.




