[squid-users] Fwd: Squid https bump and google apps

Yuri Voinov yvoinov at gmail.com
Sat Jan 16 08:29:45 UTC 2016


16.01.16 7:57, Lucas Castro writes:
>
>
> On 15-01-2016 17:26, Yuri Voinov wrote:
>>
>> # -------------------------------------
>> # Access Control Lists
>> # -------------------------------------
>> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>>
>> acl SSL_ports port 443
>> acl SSL_ports port 8443        # Telecom exclusion
>> acl SSL_ports port 2041        # ICQ/MRA
>> acl SSL_ports port 2042        # ICQ/MRA
>> acl SSL_ports port 5160        # ICQ/MRA
>> acl SSL_ports port 5228        # ICQ/MRA
>> acl SSL_ports port 10443    # GZakup exclusion
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>>
>> # Common methods
>> acl CONNECT method CONNECT
>> acl PURGE method PURGE
>> acl GET method GET
>>
>> # Windows update acls
>> acl windowsupdate dstdomain sls.update.microsoft.com.akadns.net
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>>
>> # Windows update methods
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>>
>> # Youtube & CDN store rewrite ACLs
>> acl store_rewrite_list urlpath_regex \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))\? \/ads\?
>> acl store_rewrite_list_web url_regex "/usr/local/squid/etc/url.rewrite_web"
>> acl store_rewrite_list_web_cdn url_regex "/usr/local/squid/etc/url.rewrite_cdn"
>>
>> # Adobe/Java and other updates
>> acl adobe_java_updates url_regex "/usr/local/squid/etc/url.updates"
>>
>> # No-cache
>> acl dont_cache_url url_regex "/usr/local/squid/etc/url.nocache"
>>
>> # Tor acl
>> acl tor_url dstdom_regex -i "/usr/local/squid/etc/url.tor"
>>
>> # SSL bump acl
>> acl net_bump src "/usr/local/squid/etc/net.bump"
>>
>> # TLD acl
>> acl block_tld dstdomain "/usr/local/squid/etc/dstdom.tld"
>>
>> # -------------------------------------
>> # Access parameters
>> # -------------------------------------
>> # Deny requests to unsafe ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>> # Allow purge from localhost
>> http_access allow PURGE localhost
>> http_access deny PURGE
>>
>> # Normalize Accept-Encoding to support compression via eCAP
>> request_header_access Accept-Encoding deny all
>> request_header_replace Accept-Encoding gzip;q=1.0, identity;q=0.5, *;q=0
>> # Disable alternate protocols
>> request_header_access Alternate-Protocol deny all
>> reply_header_access Alternate-Protocol deny all
>> # Disable HSTS
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>> # Remove User-Agent from Vary
>> reply_header_access Vary deny all
>> reply_header_replace Vary Accept-Encoding
>> # Workaround 4253
>> request_header_access Surrogate-Capability deny all
>>
>> # Block top level domains
>> http_access deny block_tld
>> deny_info TCP_RESET block_tld
>>
>> # Rule allowing access from local networks
>> http_access allow localnet
>> http_access allow localhost
>>
>> # No cache directives
>> cache deny dont_cache_url
>>
>> # ICP/HTCP access
>> icp_access allow localnet
>> icp_access deny all
>> htcp_access allow localnet
>> htcp_access deny all
>>
>> # 302 loop
>> acl text_mime rep_mime_type text/html text/plain
>> acl http302 http_status 302
>> store_miss deny text_mime http302
>> send_hit deny text_mime http302
>>
>> # Windows updates rules
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>>
>> # Minimum ICQ configuration,
>> # works for QIP 2012 and squid/ssl_bump, login.icq.com port should be either 443 or 5190
>> #
>> acl icq dstdomain login.icq.com
>> acl icqport port 443
>> acl icqport port 2041
>> acl icqport port 2042
>> acl icqport port 5190
>> # mail.ru network where ICQ/MRIM servers reside
>> acl icqip dst 178.237.16.0/20
>> acl icqip dst 217.69.128.0/20
>> # isgeek.info jabber
>> acl icqip dst 94.23.0.0/16
>>
>> http_access allow CONNECT icq
>> http_access allow CONNECT icqip icqport
>>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
>> # ICQ/MRA must splice first
>> ssl_bump splice DiscoverSNIHost icq
>> ssl_bump splice DiscoverSNIHost icqip icqport
>> ssl_bump peek DiscoverSNIHost
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump net_bump
>>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # -------------------------------------
>> # HTTP parameters
>> # -------------------------------------
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> # Don't cache 404 long time
>> negative_ttl 5 minutes
>> positive_dns_ttl 15 hours
>> negative_dns_ttl 1 minutes
>>
>> # -------------------------------------
>> # Cache parameters
>> # -------------------------------------
>> # dhparams is before squid-3.5.12-20151222-r13967
>> # tls-dh is AFTER squid-3.5.12-20151222-r13967
>> http_port 3126 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3 tls-dh=/usr/local/squid/etc/dhparam.pem
> I've never ever understood why ssl-bump is configured on http_port.
> Is port 80 redirected to it, or does it just serve the certificate to the client?
My server uses both proxy modes: transparent interception and forwarding.
This line is the forwarding port. Clients point to it using PAC.
>
>> http_port 3127
>> http_port 3128 intercept
>> # dhparams is before squid-3.5.12-20151222-r13967
>> # tls-dh is AFTER squid-3.5.12-20151222-r13967
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3 tls-dh=/usr/local/squid/etc/dhparam.pem
>> sslproxy_capath /etc/opt/csw/ssl/certs
>> # SINGLE_DH_USE is 3.5 before squid-3.5.12-20151222-r13967
>> #sslproxy_options NO_SSLv3,SINGLE_DH_USE
>> # SINGLE_ECDH_USE is AFTER squid-3.5.12-20151222-r13967
>> sslproxy_options NO_SSLv3,SINGLE_ECDH_USE
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> # Specify ICP/HTCP explicity
>> icp_port 3130
>> htcp_port 4827
>>
>> # Cache manager
>> cache_mgr mymail at gmail.com
>>
>> # Cache manager password
>> cachemgr_passwd disable shutdown reconfigure rotate
>> cachemgr_passwd xxxxxxxx all
>>
>> # Cache user
>> cache_effective_user squid
>> cache_effective_group squid
>>
>> # Forces reload-into-ims
>> reload_into_ims on
>>
>> # Hide internal networks details outside
>> via off
>> forwarded_for delete
>>
>> # Do not show Squid version
>> httpd_suppress_version_string on
>>
>> # WCCPv2 parameters
>> wccp2_router 192.168.200.2
>> wccp2_forwarding_method l2
>> wccp2_return_method l2
>> wccp2_rebuild_wait off
>> wccp2_service standard 0
>> wccp2_service dynamic 70
>> wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443
>>
>> # Prioritization of local hits
>> qos_flows tos local-hit=0x68
>>
>> # Specify local DNS cache
>> dns_nameservers 127.0.0.1
>>
>> dns_v4_first on
>> ipcache_size 4096
>>
>> # -------------------------------------
>> # Adaptation parameters
>> # -------------------------------------
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_resp allow all
>>
>> ecap_enable on
>> acl HTTP_STATUS_OK http_status 200
>> loadable_modules /usr/local/lib/ecap_adapter_gzip.so
>> ecap_service gzip_service respmod_precache ecap://www.vigos.com/ecap_gzip bypass=off
>> adaptation_access gzip_service allow HTTP_STATUS_OK
>>
>> # -------------------------------------
>> # Memory parameters
>> # -------------------------------------
>> cache_mem 512 Mb
>>
>> #memory_pools off
>>
>> maximum_object_size_in_memory 1 MB
>>
>> # -------------------------------------
>> # Tuning parameters
>> # -------------------------------------
>> memory_replacement_policy heap LRU
>> cache_replacement_policy heap LFUDA
>>
>> store_avg_object_size 85 KB
>> # Default is 20
>> store_objects_per_bucket 32
>>
>> # Shutdown delay before terminate connections
>> shutdown_lifetime 15 second
>>
>> # SMP
>> #workers 2
>>
>> # -------------------------------------
>> # Store parameters
>> # -------------------------------------
>> maximum_object_size 8 Gb
>>
>> cache_dir diskd /data/cache/d1 32767 16 256
>> cache_dir diskd /data/cache/d2 32767 16 256
>> cache_dir diskd /data/cache/d3 32767 16 256
>> cache_dir diskd /data/cache/d4 32767 16 256
>>
>> # -------------------------------------
>> # Process/log parameters
>> # -------------------------------------
>> #logformat my_squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
>> #access_log daemon:/data/cache/log/access.log buffer-size=256KB logformat=my_squid !tor_url
>> access_log daemon:/data/cache/log/access.log buffer-size=256KB logformat=squid !tor_url
>> # Don't log ICP queries
>> log_icp_queries off
>>
>> # Turn off internal log rotation
>> logfile_rotate 0
>>
>> cache_log /data/cache/log/cache.log
>> #cache_log /data/cache/log/cache${process_number}.log
>> cache_store_log none
>>
>> # Default is off
>> buffered_logs on
>>
>> coredump_dir /var/core
>>
>> pid_filename /tmp/squid.pid
>>
>> strip_query_terms off
>>
>> # -------------------------------------
>> # Content parameters
>> # -------------------------------------
>> #range_offset_limit none store_rewrite_list
>> #range_offset_limit none store_rewrite_list_web
>> #range_offset_limit none store_rewrite_list_web_cdn
>> #range_offset_limit none adobe_java_updates
>> #range_offset_limit none windowsupdate
>> range_offset_limit none all
>>
>> # Updates: Windows, Adobe, Java
>> refresh_pattern -i microsoft.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i windowsupdate.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i my.windowsupdate.website.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i adobe.com.*\.(zip|exe)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i java.com.*\.(zip|exe)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i sun.com.*\.(zip|exe)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i google\.com.*\.(zip|exe)    4320    80%    43200    reload-into-ims
>> refresh_pattern -i macromedia\.com.*\.(zip|exe)    4320    80%    43200    reload-into-ims
>> # Other setups and updates
>> refresh_pattern -i \.(zip|(g|b)z2?|exe|msi|cvd)$    4320    80%    43200    reload-into-ims
>> # Cache squidinternal
>> refresh_pattern -i video-srv\.youtube\.squidinternal    0    0%    0
>> refresh_pattern -i squidinternal    14400    100%    518400    override-expire override-lastmod refresh-ims reload-into-ims ignore-private ignore-auth ignore-must-revalidate store-stale ignore-no-store
>> # Keep swf in cache
>> refresh_pattern -i \.swf$    10080    100%    43200    override-expire reload-into-ims ignore-private
>> # .NET cache
>> refresh_pattern -i \.((a|m)s(h|p)x?)$    10080    100%    43200    reload-into-ims ignore-private
>> # Other long-lived items
>> refresh_pattern -i \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))(\?.*)?$    14400    100%    518400    override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
>> refresh_pattern -i \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$    10080    100%    86400    override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
>> # Default patterns
>> refresh_pattern -i (/cgi-bin/|\?)    0    0%    0
>> refresh_pattern    .    0    20%    4320    reload-into-ims
>>
>> # -------------------------------------
>> # Rewriter parameters
>> # -------------------------------------
>> # ufdbGuard rewriter
>> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -C
>> url_rewrite_children 64 startup=0 idle=1 concurrency=2
>> redirector_bypass off
>>
>> # Storeurl rewriter
>> store_id_program /usr/local/squid/libexec/storeid_file_rewrite /usr/local/squid/etc/storeid.conf
>> store_id_children 32 startup=0 idle=1 concurrency=4
>> # Store ID access
>> store_id_access deny !GET
>> store_id_access allow store_rewrite_list
>> store_id_access allow store_rewrite_list_web
>> store_id_access allow store_rewrite_list_web_cdn
>> store_id_access allow adobe_java_updates
>> store_id_access deny all
>> store_id_bypass off
>> ###
>>
>> I put off extracting only the ssl bump related rows and comments, so
>> this is the full 3.5.x config from a production server. :)
>>
>> 16.01.16 1:56, Lucas Castro writes:
>>
>>
>>> On 15-01-2016 16:18, Yuri Voinov wrote:
>>>> _MISS/200 30415 GET https://www.google.com/search?q=Sun+2540-M2+Performance+enhancer&biw=1280&bih=699&noj=1&ei=oAmZVvnxCsW3afKevLAO&start=10&sa=N - HIER_DIRECT/216.58.208.227 text/html
>>>> 15/Jan/2016:21:03:23 +0600    356 127.0.0.1 TAG_NONE/200 0 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/178.88.163.157 -
>>>> 15/Jan/2016:21:03:24 +0600    518 127.0.0.1 TCP_MISS/20
>>> Can you share your ssl setup?
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users

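The log excerpt quoted above shows the two outcomes of the ssl_bump rules in this config: a CONNECT to ssl.gstatic.com:443 logged as a tunnel, and a GET for a full https://www.google.com/... URL, which Squid can only log after it has bumped (decrypted) the session. The following script is an added example, not part of this thread or of Squid itself: it parses lines in the native `squid` logformat (the `logformat=squid` used in the access_log line above) and reports hosts that were decrypted even though they are supposed to be spliced (the icq/url.nobump rules). The sample log lines, the 192.168.x.x clients and the 178.237.17.10 peer address are constructed; the mode semantics are this example's assumption about Squid 3.5 logging.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native squid logformat: time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample log, loosely modelled on the excerpt quoted in the thread.
SAMPLE_LOG = """\
1452870203.512    356 127.0.0.1 TAG_NONE/200 0 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/178.88.163.157 -
1452870204.101    518 127.0.0.1 TCP_MISS/200 30415 GET https://www.google.com/search?q=Sun+2540-M2 - HIER_DIRECT/216.58.208.227 text/html
1452870205.020    210 192.168.1.20 TCP_TUNNEL/200 4120 CONNECT login.icq.com:443 - HIER_DIRECT/178.237.17.10 -
1452870206.330     90 192.168.1.20 TCP_MISS/200 1440 GET https://login.icq.com/auth - HIER_DIRECT/178.237.17.10 text/html
1452870207.000     40 192.168.1.21 TCP_HIT/200 8192 GET http://download.windowsupdate.com/x.cab - HIER_NONE/- application/octet-stream
""".splitlines()

def classify(line):
    """Return (host, mode) for one access.log line, or None if it does not parse.
    Modes (assumption about Squid 3.5 logging):
      'decrypted' - non-CONNECT request with an https:// URL: Squid can only log
                    that URL if it bumped the TLS session and saw the plaintext
      'tunnel'    - a CONNECT request, i.e. the TLS tunnel establishment
      'plain'     - ordinary http:// traffic
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url = m.group("method"), m.group("url")
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), "tunnel"   # host:port -> host
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), ("decrypted" if parts.scheme == "https" else "plain")

def hosts_by_mode(lines):
    """Map every host seen in the log to the set of modes observed for it."""
    seen = defaultdict(set)
    for line in lines:
        res = classify(line)
        if res:
            seen[res[0]].add(res[1])
    return dict(seen)

def unexpected_bumps(lines, no_bump_domains):
    """Hosts that were decrypted although policy says splice (suffix match on domain)."""
    return sorted(h for h, modes in hosts_by_mode(lines).items()
                  if "decrypted" in modes
                  and any(h == d or h.endswith("." + d) for d in no_bump_domains))
```

Run it against a real access.log with the domains from url.nobump and the icq rule to confirm that no "decrypted" entry exists for a host that should have been spliced.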
