[squid-users] Fwd: Squid https bump and google apps

Lucas Castro lucascastroborges at gmail.com
Sat Jan 16 01:57:57 UTC 2016



On 15-01-2016 17:26, Yuri Voinov wrote:
>
> # -------------------------------------
> # Access Control Lists
> # -------------------------------------
> # NOTE(review): several multi-word directives in this paste (regexes, quoted
> # file names, header values) appear to have been wrapped by the mail client;
> # in the real squid.conf each directive is a single line.
> # Source range treated as "internal" by the http_access rules further down.
> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>
> # Destination ports a CONNECT tunnel may target; others are denied early.
> acl SSL_ports port 443
> acl SSL_ports port 8443        # Telecom exclusion
> acl SSL_ports port 2041        # ICQ/MRA
> acl SSL_ports port 2042        # ICQ/MRA
> acl SSL_ports port 5160        # ICQ/MRA
> acl SSL_ports port 5228        # ICQ/MRA
> acl SSL_ports port 10443    # GZakup exclusion
> # Destination ports any request may target. The 1025-65535 entry is the
> # stock Squid default and deliberately leaves all unprivileged ports open.
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
>
> # Common methods
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> acl GET method GET
>
> # Windows update acls
> acl windowsupdate dstdomain sls.update.microsoft.com.akadns.net
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> # Windows update methods
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> # Youtube & CDN store rewrite ACLs
> # URL-path regex selecting static assets for Store-ID rewriting (see
> # store_id_access); the pattern below is mail-wrapped.
> acl store_rewrite_list urlpath_regex
> \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))\?
> \/ads\?
> acl store_rewrite_list_web url_regex
> "/usr/local/squid/etc/url.rewrite_web"
> acl store_rewrite_list_web_cdn url_regex
> "/usr/local/squid/etc/url.rewrite_cdn"
>
> # Adobe/Java and other updates
> acl adobe_java_updates url_regex "/usr/local/squid/etc/url.updates"
>
> # No-cache
> acl dont_cache_url url_regex "/usr/local/squid/etc/url.nocache"
>
> # Tor acl
> # Case-insensitive destination-domain regexes read from a file; matching
> # requests are forced through the Privoxy cache_peer (never_direct below).
> acl tor_url dstdom_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump acl
> # Client source addresses whose TLS sessions get bumped (ssl_bump bump net_bump).
> acl net_bump src "/usr/local/squid/etc/net.bump"
>
> # TLD acl
> # Destination domains refused outright with a TCP reset (see deny_info TCP_RESET).
> acl block_tld dstdomain "/usr/local/squid/etc/dstdom.tld"
>
> # -------------------------------------
> # Access parameters
> # -------------------------------------
> # Port/method restrictions come first so that no later "allow" rule can
> # override them.
> # Deny requests to unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> # Allow purge from localhost
> http_access allow PURGE localhost
> http_access deny PURGE
>
> # Normalize Accept-Encoding to support compression via eCAP
> # The client's own Accept-Encoding is dropped and replaced, so every origin
> # is asked for gzip on the client's behalf.
> request_header_access Accept-Encoding deny all
> request_header_replace Accept-Encoding gzip;q=1.0, identity;q=0.5, *;q=0
> # Disable alternate protocols
> request_header_access Alternate-Protocol deny all
> reply_header_access Alternate-Protocol deny all
> # Disable HSTS
> # NOTE(review): the replacement does more than hide the header: max-age=0
> # with includeSubDomains tells browsers to forget any stored HSTS policy for
> # the site and its subdomains. That keeps bumped sites reachable, but it also
> # removes the browser-side downgrade protection those clients would keep
> # once they are no longer behind this proxy. The value is one line in the
> # real file (mail-wrapped here).
> reply_header_access Strict-Transport-Security deny all
> reply_header_replace Strict-Transport-Security max-age=0;
> includeSubDomains
> # Remove User-Agent from Vary
> # Cached variants are keyed on Accept-Encoding only, so a response
> # negotiated for one User-Agent may be served to another.
> reply_header_access Vary deny all
> reply_header_replace Vary Accept-Encoding
> # Workaround 4253
> request_header_access Surrogate-Capability deny all
>
> # Block top level domains
> http_access deny block_tld
> deny_info TCP_RESET block_tld
>
> # Rule allowing access from local networks
> # Everything from localnet/localhost is accepted here; the narrower allow
> # rules that follow are therefore only consulted for other sources.
> http_access allow localnet
> http_access allow localhost
>
> # No cache directives
> cache deny dont_cache_url
>
> # ICP/HTCP access
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
>
> # 302 loop
> # Never store or serve a cached text/html or text/plain 302, which avoids
> # replaying a redirect to every client.
> acl text_mime rep_mime_type text/html text/plain
> acl http302 http_status 302
> store_miss deny text_mime http302
> send_hit deny text_mime http302
>
> # Windows updates rules
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
>
> # Minimum ICQ configuration,
> # works for QIP 2012 and squid/ssl_bump, login.icq.com port should be
> either 443 or 5190
> #
> acl icq dstdomain login.icq.com
> acl icqport port 443
> acl icqport port 2041
> acl icqport port 2042
> acl icqport port 5190
> # mail.ru network where ICQ/MRIM servers reside
> acl icqip dst 178.237.16.0/20
> acl icqip dst 217.69.128.0/20
> # isgeek.info jabber
> acl icqip dst 94.23.0.0/16
>
> # NOTE(review): neither rule carries a src ACL. Sitting after "allow
> # localnet" they only matter for clients outside localnet -- and for those
> # they permit CONNECT to login.icq.com and to the icqip ranges on icqport
> # from anywhere the forward port (http_port 3127) is reachable. Add localnet,
> # as the Windows-update rules above do, unless that is intended.
> http_access allow CONNECT icq
> http_access allow CONNECT icqip icqport
>
> # SSL bump rules
> # At TLS step 1 ICQ is spliced untouched and everything else is peeked so
> # the server name becomes available; at the following step name-listed
> # hosts are spliced and clients in net_bump are bumped. Sessions matching
> # none of these fall through to Squid's default ssl_bump handling, which
> # is not made explicit here.
> acl DiscoverSNIHost at_step SslBump1
> # ICQ/MRA must splice first
> ssl_bump splice DiscoverSNIHost icq
> ssl_bump splice DiscoverSNIHost icqip icqport
> ssl_bump peek DiscoverSNIHost
> acl NoSSLIntercept ssl::server_name_regex -i
> "/usr/local/squid/etc/url.nobump"
> acl NoSSLIntercept ssl::server_name_regex -i
> "/usr/local/squid/etc/url.tor"
> ssl_bump splice NoSSLIntercept
> ssl_bump bump net_bump
>
> # Privoxy+Tor access rules
> # Tor-listed destinations must go through a cache_peer (Privoxy, below).
> never_direct allow tor_url
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # -------------------------------------
> # HTTP parameters
> # -------------------------------------
> # Local Privoxy is cache parent
> # Only tor_url destinations may use this peer (and, via never_direct above,
> # they may go nowhere else); all other traffic goes direct.
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> # Don't cache 404 long time
> # Error replies and failed DNS lookups are remembered only briefly.
> negative_ttl 5 minutes
> positive_dns_ttl 15 hours
> negative_dns_ttl 1 minutes
>
> # -------------------------------------
> # Cache parameters
> # -------------------------------------
> # dhparams is before squid-3.5.12-20151222-r13967
> # tls-dh is AFTER squid-3.5.12-20151222-r13967
> # Explicit forward-proxy port with SSL bump. cert/key are the private root
> # CA that bumped clients trust; anyone who can read rootCA.key can
> # impersonate any site to those clients, so keep it readable by the
> # cache_effective_user only. options=NO_SSLv3 disables SSLv3 alone; older
> # TLS versions stay negotiable unless the OpenSSL build restricts them
> # (cannot tell from here). One line in the real file (mail-wrapped here).
> http_port 3126 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3
> tls-dh=/usr/local/squid/etc/dhparam.pem
I've never understood why the ssl-bump options are configured on http_port.
Is port 80 redirected to it, or does it just serve the certificate to the client?
> # Plain forward-proxy port (no bump) and the transparent HTTP intercept port.
> http_port 3127
> http_port 3128 intercept
> # dhparams is before squid-3.5.12-20151222-r13967
> # tls-dh is AFTER squid-3.5.12-20151222-r13967
> # Transparent HTTPS intercept port; port 443 traffic presumably arrives here
> # via the WCCP service defined below (ports=443). Same CA/key caveats as
> # http_port 3126.
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3
> tls-dh=/usr/local/squid/etc/dhparam.pem
> # CA bundle used to verify origin certificates of bumped sites. No
> # sslproxy_cert_error or sslproxy_flags override is visible here, so
> # verification failures are left to Squid's default handling.
> sslproxy_capath /etc/opt/csw/ssl/certs
> # SINGLE_DH_USE is 3.5 before squid-3.5.12-20151222-r13967
> #sslproxy_options NO_SSLv3,SINGLE_DH_USE
> # SINGLE_ECDH_USE is AFTER squid-3.5.12-20151222-r13967
> sslproxy_options NO_SSLv3,SINGLE_ECDH_USE
> # Cipher list for the proxy-to-origin side (mail-wrapped; one line in the
> # real file). NOTE(review): the EECDH+aRSA+RC4 entry is dead -- "!RC4" later
> # in the string removes RC4 unconditionally -- so it can be dropped for
> # clarity without changing the negotiated set.
> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> # Helper that mints per-site leaf certificates signed by rootCA; its
> # database in /var/lib/ssl_db should be writable by the cache_effective_user only.
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db
> -M 4MB
>
> # Specify ICP/HTCP explicity
> # Both are already limited to localnet by icp_access/htcp_access above.
> icp_port 3130
> htcp_port 4827
>
> # Cache manager
> cache_mgr mymail at gmail.com
>
> # Cache manager password
> # shutdown/reconfigure/rotate are disabled over cachemgr; "xxxxxxxx" is a
> # redacted placeholder. The real value sits in clear text in this file and
> # crosses the HTTP manager interface in clear, which is why manager access
> # is restricted to localhost above.
> cachemgr_passwd disable shutdown reconfigure rotate
> cachemgr_passwd xxxxxxxx all
>
> # Cache user
> cache_effective_user squid
> cache_effective_group squid
>
> # Forces reload-into-ims
> reload_into_ims on
>
> # Hide internal networks details outside
> # Via and X-Forwarded-For are removed, so origins see only the proxy's
> # address; attributing abuse to a client behind this proxy then relies
> # entirely on the local access.log.
> via off
> forwarded_for delete
>
> # Do not show Squid version
> httpd_suppress_version_string on
>
> # WCCPv2 parameters
> # NOTE(review): no password= option appears on wccp2_router or wccp2_service,
> # so registration with the router is unauthenticated unless configured
> # elsewhere; consider enabling the WCCP MD5 password on both sides.
> # Service 0 (standard web-cache) redirects HTTP; dynamic service 70 is
> # limited to ports=443 for the https_port intercept.
> wccp2_router 192.168.200.2
> wccp2_forwarding_method l2
> wccp2_return_method l2
> wccp2_rebuild_wait off
> wccp2_service standard 0
> wccp2_service dynamic 70
> wccp2_service_info 70 protocol=tcp
> flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443
>
> # Prioritization of local hits
> qos_flows tos local-hit=0x68
>
> # Specify local DNS cache
> # All resolution goes to a resolver on the loopback only.
> dns_nameservers 127.0.0.1
>
> dns_v4_first on
> ipcache_size 4096
>
> # -------------------------------------
> # Adaptation parameters
> # -------------------------------------
> # Client IP and username are forwarded to the ICAP service (loopback only here).
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> # Request-side AV scan, bypass=off: if the scanner is unreachable the
> # request fails closed.
> icap_service service_avi_req reqmod_precache
> icap://localhost:1344/squidclamav bypass=off
> adaptation_access service_avi_req allow all
> # Response-side AV scan, bypass=on: responses pass UNSCANNED whenever the
> # scanner errors or is down (fail-open). Alert on ICAP failures in cache.log
> # so a dead scanner is noticed rather than silently bypassed.
> icap_service service_avi_resp respmod_precache
> icap://localhost:1344/squidclamav bypass=on
> adaptation_access service_avi_resp allow all
>
> # In-process gzip adapter, applied only to 200 responses.
> ecap_enable on
> acl HTTP_STATUS_OK http_status 200
> loadable_modules /usr/local/lib/ecap_adapter_gzip.so
> ecap_service gzip_service respmod_precache
> ecap://www.vigos.com/ecap_gzip bypass=off
> adaptation_access gzip_service allow HTTP_STATUS_OK
>
> # -------------------------------------
> # Memory parameters
> # -------------------------------------
> # RAM used for in-memory objects; memory_pools is left at its default.
> cache_mem 512 Mb
>
> #memory_pools off
>
> # Larger objects are served from disk only.
> maximum_object_size_in_memory 1 MB
>
> # -------------------------------------
> # Tuning parameters
> # -------------------------------------
> # LRU for memory, size-aware LFUDA for disk.
> memory_replacement_policy heap LRU
> cache_replacement_policy heap LFUDA
>
> store_avg_object_size 85 KB
> # Default is 20
> store_objects_per_bucket 32
>
> # Shutdown delay before terminate connections
> shutdown_lifetime 15 second
>
> # SMP
> #workers 2
>
> # -------------------------------------
> # Store parameters
> # -------------------------------------
> # Combined with "range_offset_limit none all" under Content parameters, a
> # single ranged request can make Squid fetch an object of up to this size
> # in full.
> maximum_object_size 8 Gb
>
> # Four 32 GB diskd stores.
> cache_dir diskd /data/cache/d1 32767 16 256
> cache_dir diskd /data/cache/d2 32767 16 256
> cache_dir diskd /data/cache/d3 32767 16 256
> cache_dir diskd /data/cache/d4 32767 16 256
>                                                       
> # -------------------------------------
> # Process/log parameters
> # -------------------------------------
> # NOTE(review): the "logformat=my_squid !tor_url" line looks like the
> # mail-wrapped tail of the commented access_log line above it; in the real
> # file both access_log directives are single lines.
> #logformat my_squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
> #access_log daemon:/data/cache/log/access.log buffer-size=256KB
> logformat=my_squid !tor_url
> # NOTE(review): "!tor_url" means requests to Tor-listed domains are never
> # written to access.log at all -- the audit trail is dropped for exactly
> # the traffic an incident responder would want. Consider logging them to a
> # separate, tightly permissioned file instead of not at all.
> access_log daemon:/data/cache/log/access.log buffer-size=256KB
> logformat=squid !tor_url
> # Don't log ICP queries
> log_icp_queries off
>
> # Turn off internal log rotation
> # Rotation is expected from an external tool.
> logfile_rotate 0
>
> cache_log /data/cache/log/cache.log
> #cache_log /data/cache/log/cache${process_number}.log
> cache_store_log none
>
> # Default is off
> # Buffered writes: the last log lines may be lost if the process dies.
> buffered_logs on
>
> # A core dump of a bumping proxy contains the root CA private key and
> # decrypted session data; keep /var/core root-only or disable dumps.
> coredump_dir /var/core
>
> # PID file in the world-writable /tmp; a dedicated runtime directory owned
> # by the service is the safer place for it.
> pid_filename /tmp/squid.pid
>
> # Full query strings are logged (search terms, tokens carried in URLs),
> # which makes access.log sensitive -- restrict its permissions and retention.
> strip_query_terms off
>
> # -------------------------------------
> # Content parameters
> # -------------------------------------
> #range_offset_limit none store_rewrite_list
> #range_offset_limit none store_rewrite_list_web
> #range_offset_limit none store_rewrite_list_web_cdn
> #range_offset_limit none adobe_java_updates
> #range_offset_limit none windowsupdate
> # Every Range request fetches the whole object so it can be cached: a client
> # asking for a few bytes of a large file makes Squid download all of it
> # (up to maximum_object_size, 8 Gb here). The commented variants above
> # limited this to update/CDN ACLs.
> range_offset_limit none all
>
> # Updates: Windows, Adobe, Java
> # Minutes: min 4320, 80% of age, max 43200. The refresh_pattern lines in this
> # section are mail-wrapped; each is one line in the real file.
> refresh_pattern -i
> microsoft.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip)    4320 80%
> 43200    reload-into-ims
> refresh_pattern -i
> windowsupdate.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip)    4320
> 80% 43200    reload-into-ims
> refresh_pattern -i
> my.windowsupdate.website.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip) 
>  
> 4320 80% 43200    reload-into-ims
> refresh_pattern -i adobe.com.*\.(zip|exe)    4320    80%    43200   
> reload-into-ims
> refresh_pattern -i java.com.*\.(zip|exe)    4320    80%    43200   
> reload-into-ims
> refresh_pattern -i sun.com.*\.(zip|exe)        4320    80%    43200   
> reload-into-ims
> refresh_pattern -i google\.com.*\.(zip|exe)    4320    80%    43200   
> reload-into-ims
> refresh_pattern -i macromedia\.com.*\.(zip|exe)    4320    80%   
> 43200    reload-into-ims
> # Other setups and updates
> refresh_pattern -i \.(zip|(g|b)z2?|exe|msi|cvd)$    4320    80%   
> 43200    reload-into-ims
> # Cache squidinternal
> # Store-ID rewritten namespace (presumably): never refreshed for the youtube
> # video server, aggressively retained for everything else, overriding the
> # origin's private/auth/no-store/must-revalidate directives.
> refresh_pattern    -i    video-srv\.youtube\.squidinternal    0    0%    0
> refresh_pattern    -i    squidinternal    14400    100%    518400   
> override-expire override-lastmod refresh-ims reload-into-ims
> ignore-private ignore-auth ignore-must-revalidate store-stale
> ignore-no-store
> # Keep swf in cache
> refresh_pattern -i \.swf$    10080    100%    43200    override-expire
> reload-into-ims ignore-private
> # .NET cache
> refresh_pattern -i \.((a|m)s(h|p)x?)$        10080    100%    43200   
> reload-into-ims ignore-private
> # Other long-lived items
> # NOTE(review): ignore-private and ignore-no-store on the generic image and
> # html patterns below mean responses the origin marked Cache-Control:
> # private / no-store are stored and can be served to other clients. With
> # HTTPS bumped that includes personalised or authenticated pages, a
> # cross-user data exposure; at minimum drop ignore-private from the html
> # pattern.
> refresh_pattern -i
> \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))(\?.*)?$ 
>  
> 14400    100%    518400    override-expire override-lastmod
> reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
> refresh_pattern -i
> \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$ 
>  
> 10080    100%    86400    override-expire override-lastmod
> reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
> # Default patterns
> refresh_pattern -i (/cgi-bin/|\?)    0    0%    0
> refresh_pattern    .    0    20%    4320    reload-into-ims
>
> # -------------------------------------
> # Rewriter parameters
> # -------------------------------------
> # ufdbGuard rewriter
> # URL filter helper; redirector_bypass off means requests are never passed
> # unfiltered because all helpers are busy.
> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -C
> url_rewrite_children 64 startup=0 idle=1 concurrency=2
> redirector_bypass off
>
> # Storeurl rewriter
> # Store-ID helper (program and its rule file are one line in the real file).
> store_id_program /usr/local/squid/libexec/storeid_file_rewrite
> /usr/local/squid/etc/storeid.conf
> store_id_children 32 startup=0 idle=1 concurrency=4
> # Store ID access
> # Only GET requests matching the rewrite/update ACLs are sent to the helper;
> # store_id_bypass off keeps that mandatory when helpers are busy.
> store_id_access deny !GET
> store_id_access allow store_rewrite_list
> store_id_access allow store_rewrite_list_web
> store_id_access allow store_rewrite_list_web_cdn
> store_id_access allow adobe_java_updates
> store_id_access deny all
> store_id_bypass off
> ###
>
> I put off extracting only the ssl-bump related lines and comments, so
> this is the full 3.5.x config from a production server. :)
>
> 16.01.16 1:56, Lucas Castro пишет:
>
>
> > On 15-01-2016 16:18, Yuri Voinov wrote:
> >> _MISS/200 30415 GET
> >>    
> https://www.google.com/search?q=Sun+2540-M2+Performance+enhancer&biw=1280&bih=699&noj=1&ei=oAmZVvnxCsW3afKevLAO&start=10&sa=N
> >>     HIER_DIRECT/216.58.208.227 text/html
> >>     15/Jan/2016:21:03:23 +0600    356 127.0.0.1 TAG_NONE/200 0 CONNECT
> >>     ssl.gstatic.com:443 - HIER_DIRECT/178.88.163.157 -
> >>     15/Jan/2016:21:03:24 +0600    518 127.0.0.1 TCP_MISS/20
> > Can you share your ssl setup?
>
>
>

