[squid-users] ssl-bump

Alex Samad alex at samad.com.au
Tue Feb 16 19:52:10 UTC 2016


Bump... No comments?

On 10 February 2016 at 09:55, Alex Samad <alex at samad.com.au> wrote:
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 20 startup=0 idle=3
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --configfile
> /etc/samba/smb.conf-squid
> auth_param ntlm children 20 startup=0 idle=3
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --configfile
> /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
> acl localnet src 10.32.80.0/24
> acl localnet_auth src 10.32.0.0/14
> acl localnet_auth src 10.172.0.0/16
> acl localnet_auth src 10.43.200.51/32
> acl localnet_guest src 10.172.202.0/24
> acl localnet_appproxy src 10.172.203.30/32
> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
> acl FTP proto FTP
> acl DMZSRV src 10.32.20.110
> acl DMZSRV src 10.32.20.111
> acl MsUpdateAllowed src 10.32.70.100
> acl DirectExceptions url_regex -i
> ^http://(www.|)smh.com.au/business/markets-live/.*
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl CONNECT method CONNECT
> acl SQUIDSPECIAL urlpath_regex ^/squid-internal-static/
> acl AuthorizedUsers proxy_auth REQUIRED
> acl icp_allowed src 10.32.20.110/32
> acl icp_allowed src 10.32.20.111/32
> acl icp_allowed src 10.172.203.30/32
> acl icp_allowed src 10.172.203.34/32
> acl windowsupdate_url url_regex -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl windowsupdate_url url_regex -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl windowsupdate_url url_regex -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl notwindowsupdate_url dstdomain (ctldl|crl).windowsupdate.com
> http_access allow manager localhost
> http_access allow manager icp_allowed
> http_access deny manager
> http_access allow icp_allowed
> http_access allow SQUIDSPECIAL
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow localnet_appproxy
> http_access deny !localnet_auth
> http_access allow localnet_guest sblYBOveride
> http_access deny localnet_guest sblMal
> http_access deny localnet_guest sblPorn
> http_access allow localnet_guest
> http_access allow nonAuthSrc
> http_access allow nonAuthDom
> http_access allow sblYBOveride FTP
> http_access allow sblYBOveride AuthorizedUsers
> http_access deny sblMal
> http_access deny sblPorn
> http_access allow FTP
> http_access allow AuthorizedUsers
> http_access deny all
> http_port 3128
> http_port 8080
>
>  # is there some way to combine both ports on the same line?
>
> #http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ybsquidca.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> #http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/ybsquidca.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> cache_mem 40960 MB
> cache_mgr operations.manager at abc.com
> cache_dir aufs /var/spool/squid 550000 16 256
> always_direct allow FTP
> always_direct allow DMZSRV
> always_direct allow DirectExceptions
> ftp_passive off
> ftp_epsv_all off
> miss_access allow notwindowsupdate_url
> miss_access allow MsUpdateAllowed windowsupdate_url
> miss_access deny !DMZSRV windowsupdate_url
> coredump_dir /var/spool/squid
> range_offset_limit none windowsupdate_url
> maximum_object_size none windowsupdate_url
> quick_abort_min -1
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320
> 80% 129600 reload-into-ims
> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> 4320 80% 129600 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320
> 80% 129600 reload-into-ims
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query
> no-delay allow-miss
> icp_port 0
> icp_access allow icp_allowed
> icp_access deny all
> htcp_port 4827
> htcp_access allow icp_allowed
> htcp_access deny all
> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
> cache deny nonCacheDom
> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
> cache deny nonCacheURL
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_service service_req reqmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_resp allow all
> ipcache_size 10240
> forwarded_for delete
> cache_swap_low 90
> cache_swap_high 95
> log_icp_queries off
> icap_preview_enable on
> icap_preview_size 1024
> httpd_suppress_version_string on
> max_filedesc 8192
> delay_pools 2
> delay_class 1 1
> delay_parameters 1 1310720/2621440
> acl Delay_Domain dstdomain -i "/etc/squid/lists/delayDom.lst"
> delay_access 1 deny DMZSRV
> delay_access 1 allow Delay_Domain
> delay_class 2 1
> delay_parameters 2 7864320/104857602
> delay_access 2 deny DMZSRV
> delay_access 2 allow ALL
>
> # I had the ssl-bump stuff commented out for now after testing;
> # it is uncommented here for this post
>
>
> ##
> ## # http://wiki.squid-cache.org/Features/SslPeekAndSplice
> ##
>
>
> # ssl-bump
> # pick up from a file
> #acl NoBump ssl::server_name "/etc/squid/lists/noSSLPeek.lst"
> acl spliceOnly ssl::server_name .abc.com
>
> # Alex's test machine
> acl testIP src 10.172.208.105/32
>
> # for testing
> acl haveServerName ssl::server_name .nab.com.au
>
>
> # Splice indeterminate traffic. Note: ssl_bump rules are first-match, so a
> # leading "splice all" matches every connection and the rules below it are never reached.
> ssl_bump splice all
> ssl_bump splice !testIP
> ssl_bump splice spliceOnly
> #ssl_bump splice NoBump
> #ssl_bump bump haveServerName
> ssl_bump bump all
> ssl_bump peek all
> ssl_bump splice all
>
>
>
> On 10 February 2016 at 04:36, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 9/02/2016 11:17 p.m., ksv rgh wrote:
>>> @Alex, could you please share the config options that you set while
>>> building squid for ssl-bumping?
>>
>> The build options for ssl-bump features are these:
>>
>>   ./configure --with-openssl --enable-ssl-crtd
>>
>> If (and only if) you have OpenSSL installed at a non-default location,
>> such as /custom/path/..., then use --with-openssl=/custom/path.
>>
>>
>> Amos
>>

