[squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block
Alex Rousskov
rousskov at measurement-factory.com
Tue Dec 5 16:36:35 UTC 2017
On 12/05/2017 08:50 AM, erdosain9 wrote:
> i block some web (social networks).
> In firefox, all work fine, when someone try to go to facebook for example,
> they found with "access denied" (web from squid).
> But, in Chrome.. they get this error "net::err_cert_common_name_invalid".
Does that error match the generated certificate sent by Squid to a
blocked Chrome user? In other words, does that certificate have an
invalid common name (CN) field?
> Why??
To answer that question, I suggest comparing the following two certificates:
* the certificate sent by Squid to a blocked FireFox user
* the certificate sent by Squid to a blocked Chrome user
I also suggest comparing the following access.log entries:
* the line(s) corresponding to the blocked FireFox user request
* the line(s) corresponding to the blocked Chrome user request
The differences (if any) may help you answer the question.
HTH,
Alex.
> If all is working (they can use internet with https without problem, why
> with the page from squid they have that error)???
> All the users use Chrome so, this is a problem for me.
> Somebody can help me??
>
> Thanks to all!
>
> This is my config file
>
> ####GRUPOS DE IP
> acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
>
>
>
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/[hidden email]
> auth_param negotiate children 35 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param negotiate keep_alive on
>
> external_acl_type i-restringidos %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
> external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
> -g [hidden email]
> external_acl_type i-limitado %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
>
> #GRUPOS
> acl i-restringidos external i-restringidos
> acl i-full external i-full
> acl i-limitado external i-limitado
>
> ####Bloquea Publicidad ( http://pgl.yoyo.org/adservers/ )
> acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
> http_access deny ads
> #deny_info TCP_RESET ads
>
> ####Streaming
> acl youtube url_regex -i \.flv$
> acl youtube url_regex -i \.mp4$
> acl youtube url_regex -i watch?
> acl youtube url_regex -i youtube
> acl facebook url_regex -i facebook
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
>
> ##Dominios denegados
> *acl restringidos dstdomain "/etc/squid/listas/restringidos.lst" (here is
> .whatsapp.com)
> *acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
>
>
> #Puertos
> acl SSL_ports port 443
> acl SSL_ports port 4443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
>
> acl Safe_ports port 631 # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 4443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 8443 # httpsalt
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # edesur y otros
> acl Safe_ports port 2199 # radio
> acl CONNECT method CONNECT
>
>
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow sin_autenticacion
> http_access deny i-restringidos !restringidos
> http_access allow i-limitado !dominios_denegados
> http_access allow i-full !dominios_denegados
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem
> key=/etc/squid/ssl_cert/myca.pem
>
> acl step1 at_step SslBump1
>
> acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"
>
> ssl_bump peek step1
> ssl_bump splice excludeSSL
> ssl_bump bump all
>
> #tcp_outgoing_address
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir diskd /var/spool/squid 15000 16 256
> cache_mem 500 MB
> #maximum_object_size_in_memory 1 MB
>
> cache_swap_low 70
> cache_swap_high 85
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
>
> #Your refresh_pattern
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private
> refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire
> override-lastmod ignore-reload ignore-no-cache ignore-no-store
> reload-into-ims ignore-must-revalidate
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ###ACTIVAR EN CASO DE "Connection reset by peer" EN MUCHOS HOST
> via off
> forwarded_for delete
>
> request_header_access From deny all
> request_header_access Server deny all
> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
>
> ###
>
> #Pools para ancho de banda
> delay_pools 5
>
> #Ancho de Youtube
> delay_class 1 2
> delay_parameters 1 1000000/1000000 10000/100000
> delay_access 1 allow i-limitado youtube !facebook
> delay_access 1 deny all
>
> #Ancho de Facebook
> delay_class 2 2
> delay_parameters 2 1000000/1000000 50000/256000
> delay_access 2 allow i-limitado facebook !youtube
> delay_access 2 deny all
>
> #Ancho de banda YOUTUBE FULL
> delay_class 3 1
> delay_parameters 3 1000000/1000000
> delay_access 3 allow i-full youtube !facebook
> delay_access 3 deny all
>
> #Ancho de banda LIMITADO
> delay_class 4 2
> delay_parameters 4 4000000/4000000 100000/500000
> delay_access 4 allow i-limitado !youtube !facebook
> delay_access 4 deny all
>
> #Ancho de banda FULL
> delay_class 5 2
> delay_parameters 5 4000000/4000000 500000/1000000
> delay_access 5 allow i-full !youtube !facebook
> delay_access 5 deny all
>
> dns_nameservers 192.168.1.10 192.168.1.22
> visible_hostname squid.domain.lan
>
> # try connecting to first 25 ips of a domain name
> forward_max_tries 25
>
> # fix some ipv6 errors (recommended to comment out)
> dns_v4_first on
>
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list