[squid-users] squid-users Digest, Vol 58, Issue 31

Mike Golf mjguiao at gmail.com
Mon Jul 1 02:04:07 UTC 2019 

I'm looking for help modifying the stock squid config file, within the
GUI I can bypass the proxy completely (HTTP + HTTPS) for certain LAN
IP's; however this will also stop them from accessing the cached HTTP
data. I don't want this rather I want the IP addresses in the range of
192.168.1.2 - 192.168.1.200 to be excluded from HTTPS caching but
still being able to access/cache with the HTTP proxy. I don't know how
to modify the standard configuration files to allow this, PFSense will
bypass(HTTP + HTTPS) any IP I add to "Bypass Proxy for These Source
IPs".

I specified these IP's as DHCP just for a bit of context since my
personal devices 192.168.1.200-192.168.1.254 are statically assigned
devices which I was going to deploy the CA's on, I wanted to avoid
having to deploy CA's to every single device which makes up my DHCP
range. It won't be fun having to install CA's on someones device every
time a guest asks me for my WiFi password. Regarding SSL I made a
mistake on this I just offhandedly generalized all HTTPS stuff as
"SSL" since I'm just used to people saying TLS/SSL when they refer to
HTTPS.

I'm running the HTTP proxy in transparent mode and I've included the
current configuration I'm using for reference, could you walk me
through how I would go about modifying the configuration file. I'm not
to familiar with squid terminology so could you please explain it to
me like I'm 5 (ELI5). I don't know how to structure the directives and
ACL's to allow this since the GUI menu uses a a "blanket"
configuration for whatever you input, I need help with specifying the
custom options.



# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
forwarded_for delete
via off
httpd_suppress_version_string on
uri_whitespace strip


cache_mem 2048 MB
maximum_object_size_in_memory 20480 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 256 MB
cache_dir aufs /var/squid/cache 36864 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320


#Remote proxies


# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128
3129 1025-65535
acl sslports port 443 563

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings


# Custom options before auth


# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc


> Send squid-users mailing list submissions to
>  squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>  http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>  squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>  squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>  1. Re: Bypassing SSL Man In the Middle Filtering For Certain LAN
>  IP's (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 30 Jun 2019 18:36:19 +1200
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Bypassing SSL Man In the Middle Filtering
>  For Certain LAN IP's
> Message-ID: <6e721121-1569-4b6c-21f0-6429d763c5ae at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 30/06/19 2:32 pm, Mike Golf wrote:
> > Hi All,
> >
> > I've setup a squid proxy server on my PFSense router, is there any way
> > of bypassing HTTPS/SSL filtering for certain LAN IP's.
>
> HTTPS is not normally filtered at all. So for that to be happening
> something must be forcing it - all you have to do is *not* force the
> filtering or MITM to happen.
>
> * remove any rules in your NAT or routes directing port 443 to the proxy.
>
> * remove any https_port in the proxy for receiving that intercepted traffic
>
> * remove any SSL-Bump config for handling intercepted port 443 traffic
> or decrypting CONNECT tunnels.
>
> With that all done you will at most be left with clients using the proxy
> in forward-proxy capacity to open CONNECT tunnels.
>
>
> > I have IP
> > addresses 192.168.1.0-192.168.1.200 allocated through DHCP and I want
> > these devices to bypass SSL interception but not the standard HTTP proxy.
>
> Consider how are those clients using the proxy in the first place? Their
> method of IP assignment has nothing to do with it.
>
>
> >
> > Since most modern sites use HTTPS by default HTTP caching isn't that
> > effective anymore,
>
> That is a deceptive statement, more false than most think. But
> irrelevant since what you are wanting will prevent HTTPS caching entirely.
>
>
> > however I want my personal devices to use the SSL
> > proxy
>
> Note that SSL protocols both v2 and v3 are obsolete.
>
> Are you asking for:
>  a) a TLS explicit proxy, or
>  b) a TLS interception proxy, or
>  c) a forward-proxy for relaying HTTPS ?
>
>
> >so I can get the fastest possible browsing experience without
> > having to install certificate authorities on my guests devices which use
> > the DHCP range.
> >
>
> A proxy is not going to do anything in regards to speed for those clients.
>
> The only way which you can improve speed with a proxy is by caching of
> HTTPS content - by avoiding all the re-encrypt delays on every request
> that can be made a HIT. But that requires those cert installations you
> are trying to avoid.
>
>
> Amos
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 58, Issue 31
> *******************************************
>

More information about the squid-users mailing list