[squid-users] Transparent squid configuration problem.
Rodrigo Cunha
rodrigo.root.rj at gmail.com
Thu Aug 23 21:05:15 UTC 2018
Thanks. Do you have a how-to for configuring a transparent proxy for HTTPS in the
current Squid version or in old versions? I want to test it in my lab environment.
On Thu, Aug 23, 2018 at 16:32, Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 08/23/2018 12:40 PM, Rodrigo Cunha wrote:
> > Squid does not work with transparent proxy in HTTPS,
>
> That statement is misleading or incorrect. Squid can be configured to
> successfully intercept HTTPS traffic in many environments. Intercepted
> TLS traffic can then be inspected and spliced (or even bumped to the
> HTTP level where possible and necessary).
>
>
> > that request is processed directly in your browser for security
> > policies.
>
> Yes, but so is every request, including HTTPS requests that go through
> proxy/CONNECT tunnels. Intercepting proxies do not change much compared
> to forward proxies as far as browser HTTPS policies are concerned.
> Browsers consider them all to be (a part of) the untrusted internet
> between the client and the origin server.
>
>
> > If a server processes HTTPS requests between client and server, that server
> > is a "man in the middle",
>
> The same applies to processing HTTPS requests that go through
> proxy/CONNECT tunnels. Both intercepting and forward proxies are men in
> the middle.
>
>
> I am writing this correction just to reduce confusion for others that
> might find this email thread later. This correction itself does not
> address the OP problem.
>
>
> Alex.
>
>
> > On Thu, Aug 23, 2018 at 10:42, Зубарев Александр Александрович
> > <a.zubarev at generium.ru> wrote:
> >
> > Thank you, Louis!
> >
> > Is there some workaround? Maybe I can put that kind of site through
> > without filtering?
> >
> > From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
> > L.P.H. van Belle
> > Sent: Thursday, August 23, 2018 4:38 PM
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] Transparent squid configuration problem.
> >
> > I noticed the following: dig caa habr.com
> > ;; ANSWER SECTION:
> > habr.com. 3600 IN CAA 0 iodef "mailto:iodef at habr.com"
> > habr.com. 3600 IN CAA 0 issue "comodoca.com"
> >
> > So you can't bump this site; it's protecting its certificates with a
> > CAA/DANE DNS record.
> >
> > Greetz,
> >
> > Louis
> >
> > ------------------------------------------------------------------------
> >
> > From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
> > Зубарев Александр Александрович
> > Sent: Thursday, 23 August 2018 15:22
> > To: squid-users at lists.squid-cache.org
> > Subject: [squid-users] Transparent squid configuration problem.
> >
> > Hi! I have some problems with the configuration of Squid.
> >
> > What I need:
> >
> > an http/https transparent proxy server based on Debian Stretch with
> > some blacklisted and whitelisted domains
> >
> > I've used many tutorials and the Squid wiki through the installation
> > process and it almost works! But I have one last problem.
> >
> > When I tried to connect to some websites like https://habr.com
> > I got HTTP ERROR 503. I've tried to find a solution on forums
> > but no one helped me. I know the answer is simple and it's here
> > but I can't find it by myself.
> >
> > Here is my squid.conf, cache.log, access.log and iptables
> > script.
> >
> > Please help! :)
> >
> > Squid.conf:
> >
> > dns_v4_first on
> >
> > acl network src 10.84.0.0/16
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
> > acl CONNECT method CONNECT
> >
> > http_access deny blacklist
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow all
> >
> > http_port 3130
> >
> > http_port 3128 intercept
> > https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem
> >
> > #always_direct allow all
> > ssl_bump server-first all
> > #sslproxy_cert_error deny all
> > #sslproxy_flags DONT_VERIFY_PEER
> >
> > sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> > sslcrtd_children 8 startup=1 idle=1
> >
> > coredump_dir /var/spool/squid
> >
> > # Add any of your own refresh_pattern entries above these.
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> > shutdown_lifetime 1 second
> >
> > cache.log:
> >
> > Maximum Resident Size: 123312 KB
> > Page faults with physical i/o: 7
> > 2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
> > 2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
> > 2018/08/23 16:19:27 kid1| Open FD UNSTARTED 6 DNS Socket IPv6
> > 2018/08/23 16:19:27 kid1| Open FD READ/WRITE 7 DNS Socket IPv4
> > 2018/08/23 16:19:27 kid1| Open FD UNSTARTED 10 IPC UNIX STREAM Parent
> > 2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
> > 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
> > 2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
> > 2018/08/23 16:19:32 kid1| Service Name: squid
> > 2018/08/23 16:19:32 kid1| Process ID 1209
> > 2018/08/23 16:19:32 kid1| Process Roles: worker
> > 2018/08/23 16:19:32 kid1| With 65535 file descriptors available
> > 2018/08/23 16:19:32 kid1| Initializing IP Cache...
> > 2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
> > 2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
> > 2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
> > 2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
> > 2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
> > 2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
> > 2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
> > 2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> > 2018/08/23 16:19:32 kid1| Store logging disabled
> > 2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> > 2018/08/23 16:19:32 kid1| Target number of buckets: 1008
> > 2018/08/23 16:19:32 kid1| Using 8192 Store buckets
> > 2018/08/23 16:19:32 kid1| Max Mem size: 262144 KB
> > 2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
> > 2018/08/23 16:19:32 kid1| Using Least Load store dir selection
> > 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
> > 2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
> > 2018/08/23 16:19:32 kid1| HTCP Disabled.
> > 2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
> > 2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
> > 2018/08/23 16:19:32 kid1| Adaptation support is off.
> > 2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
> > 2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
> > 2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
> > 2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
> > 2018/08/23 16:19:32| pinger: ICMP socket opened.
> > 2018/08/23 16:19:32| pinger: ICMPv6 socket opened
> > 2018/08/23 16:19:32| Pinger exiting.
> > 2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects
> >
> > Accesslog:
> >
> > 1535030545.214 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
> > 1535030545.442 608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
> > 1535030545.442 617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
> > 1535030545.717 422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
> > 1535030545.879 36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
> > 1535030546.522 77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
> > 1535030546.623 95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
> > 1535030546.625 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
> >
> > Confidentiality notice: This e-mail transmission and any attachments
> > included may contain confidential information. If you are not the
> > intended recipient, you are hereby notified that any disclosure,
> > copying, distribution, or reliance upon the content of this e-mail is
> > strictly prohibited. If you have received this e-mail transmission in
> > error, please notify sender by e-mail and then delete this message
> > from your inbox.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> >
> >
> > --
> > Regards,
> > Rodrigo da Silva Cunha
> > São Gonçalo, RJ - Brasil
> >
>
>
--
Regards,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil
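The squid.conf quoted further up is the piece of the thread a defender would audit first. As an added example (not code from the thread or from the Squid project), the Python below reads that posted configuration, treats `#`-commented lines as inactive, and flags the deprecated first-generation `ssl_bump server-first` mode, a `sslproxy_flags DONT_VERIFY_PEER` or `sslproxy_cert_error allow all` line if one were active, and a final `http_access allow all`. The hardened variant is constructed for this example: it uses the step-based `ssl_bump peek`/`splice`/`bump` actions of Squid 3.5, restricts clients to the poster's `network` ACL, and splices habr.com instead of bumping it, which is the "let that kind of site through without filtering" idea raised in the thread. The ACL types `at_step` and `ssl::server_name` exist in Squid 3.5; the ACL names `step1` and `nobump` are my own.

```python
"""Audit the ssl-bump related directives of a Squid 3.5 squid.conf (added example)."""

# Constructed sample: the relevant active lines of the squid.conf posted in the thread.
POSTED_CONF = """
acl network src 10.84.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed hardened variant (hypothetical, not from the thread): step-based
# ssl_bump, a splice exception for habr.com, clients limited to the LAN ACL,
# and server certificate errors still refused.
HARDENED_CONF = """
acl network src 10.84.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl nobump ssl::server_name .habr.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow network
http_access deny all
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all
sslproxy_cert_error deny all
"""


def directives(text):
    """Yield (name, args) for every active directive; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_ssl_bump(text):
    """Return a list of (directive, finding) tuples for risky or obsolete settings."""
    findings = []
    access_rules = []  # http_access rules in file order; the last one wins for "all"
    for name, args in directives(text):
        if name == "ssl_bump" and args and args[0] in ("client-first", "server-first"):
            findings.append((name, f"'{args[0]}' is a deprecated first-generation mode; "
                                   "use peek/stare/splice/bump steps"))
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((name, "DONT_VERIFY_PEER disables server certificate verification"))
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((name, "allow all hides invalid server certificates from clients"))
        elif name == "http_access":
            access_rules.append(args)
    # A trailing "allow all" means any client that can reach the port is proxied.
    if access_rules and access_rules[-1] == ["allow", "all"]:
        findings.append(("http_access", "last rule is 'allow all'; allow named client ACLs, "
                                        "then end with 'deny all'"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ssl_bump(conf) or "no findings")
```

The commented-out `sslproxy_flags` and `sslproxy_cert_error` lines in the posted file produce no finding, which is the point of stripping comments before matching: a weak setting only matters when it is active, and an audit that flags commented lines trains people to ignore it.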
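The access.log excerpt in the quoted post carries the actual diagnostic signal. As an added example (not from the thread or the Squid project), the Python below parses Squid's native log format and separates the three kinds of entries visible there: the `CONNECT ip:443` lines with 0 bytes that intercept mode records for each TLS connection it accepts, decrypted requests that reached an origin (the `TCP_MISS/204 POST`), and decrypted requests that Squid answered itself with an error page (`TAG_NONE/503` in 0 ms, so no origin reply was involved). The sample lines are the ones posted above with the archive's link residue removed; the field layout follows Squid's default `squid` log format.

```python
"""Summarise intercepted-HTTPS handling from Squid native access.log lines (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the access.log lines posted in the thread, link residue removed.
SAMPLE_LOG = """\
1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines.

    Fields: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
    """
    f = line.split()
    if len(f) < 10:
        return None
    tag, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {
        "ts": float(f[0]), "ms": int(f[1]), "client": f[2],
        "tag": tag, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "hier": hier, "peer": peer, "type": f[9],
    }


def summarise(text):
    """Count CONNECT tunnels, successfully bumped requests and Squid-generated errors."""
    tunnels = Counter()      # fake CONNECT entries, one per intercepted TLS connection
    bumped_ok = Counter()    # decrypted requests answered from an origin or the cache
    bump_errors = Counter()  # decrypted requests answered by Squid with an error page
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            tunnels[rec["url"]] += 1
            continue
        parts = urlsplit(rec["url"])
        if parts.scheme != "https":
            continue  # plain HTTP is outside the ssl-bump question
        # TAG_NONE with a 5xx: Squid produced the response itself, no origin reply.
        if rec["tag"] == "TAG_NONE" and rec["status"] >= 500:
            bump_errors[parts.hostname] += 1
        else:
            bumped_ok[parts.hostname] += 1
    return {"tunnels": tunnels, "bumped_ok": bumped_ok, "bump_errors": bump_errors}


def failing_hosts(text):
    """Hosts whose every bumped request ended in a Squid-generated error."""
    s = summarise(text)
    return sorted(h for h in s["bump_errors"] if s["bumped_ok"][h] == 0)


if __name__ == "__main__":
    for kind, counts in summarise(SAMPLE_LOG).items():
        print(kind, dict(counts))
    print("hosts that never bump successfully:", failing_hosts(SAMPLE_LOG))
```

On the posted lines this reports five CONNECT tunnels (two of them to habr.com's address 178.248.237.68), one bumped request that reached an origin (www.google.ru), and two Squid-generated 503s for habr.com, so habr.com is the only host whose bumping never succeeds. That separation is what to look for before touching the configuration: tunnels being accepted rules out the iptables redirect, and a 503 with 0 ms elapsed rules out a slow or unreachable origin.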