[squid-users] Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Arsalan Hussain arsalan at preston.edu.pk
Tue Aug 1 09:45:09 UTC 2017


Dear all,

I have configured Squid 3.5.26 SSL bump on CentOS 6.2 to share internet access and
delay pools to control bandwidth (my configuration files are attached).


The problem I am facing, and do not understand, is this:

1- Clients who send requests with a configured proxy setting work fine with this
directive: http_port 3128
 -  Delay pools work fine; internet browsing for all clients using the proxy
is working.

2- When transparent-proxy clients send an HTTP request via iptables ...
REDIRECT:
http_port 3129 intercept
OR
when transparent-proxy clients send an HTTPS request via iptables ... REDIRECT:
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem

I observed the problem in both cases: when a client sent a request through
iptables, the Squid service failed. When I stop iptables and start Squid,
it starts working.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130

3-  My objectives in setting up Squid:
     *  Internet sharing to clients with a configured proxy setting.
     *  Internet sharing to transparent-proxy clients (those requests are
directed to the server by "ip route 0.0.0.0 0.0.0.0 Proxy-IP" on the Cisco
network, for HTTP and HTTPS requests without configuring a proxy setting;
they come from wireless).
     *  Delay pools for both HTTP and HTTPS browsing, for proxy and
transparent clients.


Kindly, could somebody help me fix my problems, or share any setting
that works? I added the SSL bump certificate because the service was
crashing again and again without any reason after a few days, or sometimes
on the same day.


-- 
With Regards,


*Arsalan Hussain*
*If you don't fight for what you want, don't cry for what you lose**.*
---------------------------------------------------------------

SQUID SETTING

acl localnet src 192.168.5.0/24 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet

# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

ssl_bump server-first all
# the next two lines accept any upstream certificate error and skip peer
# verification, so bumped connections do not validate the origin server
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

via off
forwarded_for off

# ******* DELAY POOLS **************
acl WebControl dstdomain .googlevideo.com
acl WebControl dstdomain .facebook.com
acl WebControl dstdomain .dailymotion.com
acl WebControl dstdomain .tw1.com
acl WebControl dstdomain .fbcdn.net
acl SpecialClients src 192.168.5.0/24
# General Rule for All unlimited
request_body_max_size 0 KB
delay_pools 2
delay_class 1 2
delay_class 2 2

delay_parameters 1 2000000/2000000 256000/256000
delay_parameters 2 950000/950000 130000/130000

delay_access 2 allow WebControl
delay_access 2 deny all
delay_access 1 allow localnet
delay_access 1 deny all

# ********************************** DELAY POOLS END
# debug options ALL
# Uncomment and adjust the following to add a disk cache directory.
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 1024 16 256
coredump_dir /var/cache/squid


# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
visible_hostname  admin.preston

---------------------------------------------------------------

IPTABLES SETTING

# Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
# REDIRECT is only valid in the nat table, so the two intercept rules belong
# in *nat PREROUTING; iptables-restore rejects a PREROUTING rule under *filter.
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8330155:414444635]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jul 31 05:43:29 2017
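A quick checker for the iptables side of an intercept setup like the one posted above, written as an added example (not part of the original post or of Squid): it reads an iptables-save dump, reports REDIRECT rules that sit outside the nat table, and notes intercept ports with no explicit ACCEPT in filter INPUT. The sample dumps are constructed; the function name and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an iptables-save dump for
# a Squid intercept setup. REDIRECT is only valid in the nat table, so any REDIRECT
# rule found under another table is reported, and each intercept port is checked
# for an explicit ACCEPT in the filter INPUT chain. Exit code = misplaced rule count.
check_intercept_rules() {
    dump=$1; shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " "); bad = 0 }
        /^\*/ { table = substr($0, 2); next }        # *nat / *filter open a table
        /^-A / {
            if ($0 ~ /-j REDIRECT/ && table != "nat") {
                printf "MISPLACED: %s (in *%s)\n", $0, table; bad++
            }
            if (table == "filter" && $2 == "INPUT" && $0 ~ /-j ACCEPT/)
                for (i = 1; i <= NF; i++) if ($i == "--dport") seen[$(i+1)] = 1
        }
        END {
            for (i = 1; i <= n; i++) if (!(want[i] in seen))
                printf "NOTE: port %s has no explicit INPUT ACCEPT\n", want[i]
            exit bad
        }' "$dump"
}

# Constructed samples: BROKEN mirrors the posted dump, FIXED is the corrected layout.
BROKEN_DUMP=$(mktemp); FIXED_DUMP=$(mktemp)
cat > "$BROKEN_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
EOF
cat > "$FIXED_DUMP" <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3130 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
check_intercept_rules "$BROKEN_DUMP" 3129 3130 || echo "misplaced rules: $?"
```

Run it against `iptables-save` output on the proxy host (`iptables-save > dump; check_intercept_rules dump 3129 3130`); a broad `-i eth1 -j ACCEPT` still admits intercepted traffic, so the NOTE lines are a prompt to confirm that, not an error.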

