[squid-users] Help with HTTPS SQUID 3.1.23

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 27 10:59:49 UTC 2019


On 27/06/19 1:29 am, Anderson Rosario wrote:
> I cannot access HTTPS sites. 3 weeks ago it was working fine; without
> doing any change in the topology, update or config it stopped working
> with HTTPS sites. It keeps loading and I receive a message from the
> browsers: The connection to the server was reset while the page was
> loading.
> 

Your Squid is not doing anything with HTTPS at all. It lets CONNECT
tunnels through - provided the server name meets your required ACLs.

It may be related to Browser changes in how they handle non-200
responses to CONNECT since your access controls all require a login to
take place.


> *here my squid config:*
> 
> #
> visible_hostname proxy.local.local

Really .local.local ?


...
> http_port 3128
> 
> ######### AD AUTH ###########
> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
> "dc=local,dc=LOCAL" -D "cn=squid,ou=proxy,dc=local,dc=LOCAL" -w "123456"
> -f sAMAccountName=%s -h 192.168.0.213
> 
> auth_param basic children 5
> auth_param basic realm Inserte su usuario de Windows para navegar
> auth_param basic credentialsttl 1 hour
> 
> external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R
> -b "dc=local,dc=LOCAL" -D "cn=squid,ou=proxy,dc=local,dc=LOCAL" -w
> "123456" -f "(&(objectclass=person)
> (sAMAccountName=%v)(memberof=cn=%a,ou=proxy,dc=local,dc=LOCAL))" -h
> 192.168.0.213
> ##############################
> 
> ###### ACLs that define the groups ######
> acl nivel0 external ldap_group nivel0
> acl nivel1 external ldap_group nivel1
> acl nivel2 external ldap_group nivel2
> acl nivel3 external ldap_group nivel3
> acl nivel4 external ldap_group nivel4
> acl nivel5 external ldap_group nivel5
> acl nivel6 external ldap_group nivel6
> 
> #########################################
> 
...
> #########################
> 
> ###### Access rules ######
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> 
> #
> http_access allow nivel6
> http_access allow nivel5
> http_access allow nivel4
> http_access allow nivel3 !rule3 !desc3 !rule7 !desc7
> http_access allow nivel2 !rule2 !desc2 !rule7 !desc7
> http_access deny nivel1 !rule1
> http_access allow nivel1 !desc1 !rule7 !desc7
> http_access deny nivel0
> http_access deny all
> ##############################
> 
> 

Due to the "deny all" being above them, none of the http_access lines below do anything.

What this means is that external parties *are* allowed to access the
proxy management reports and potentially private info about other clients.

 ... not only is the below the recommended *minimum* config, it is supposed
to be listed early, like the Safe_ports and SSL_ports rules, in order to
protect your network from attacks.


> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 

HTH
Amos
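The ordering problem Amos describes can be checked without a running proxy. The script below is an added example, not code from this thread or from Squid: it simulates Squid's first-match http_access evaluation (every ACL on a line must match, a "!" prefix negates, the first matching line decides, and a request matching no line gets the opposite of the last line's action) and runs the posted rule order against the corrected one. A request is modelled only as the set of ACL names it matches; the login challenge that external ACLs like nivel6 trigger is ignored, so "nivel6" in a request set simply means an authenticated member of that group.

```python
"""Simulate Squid http_access first-match semantics (constructed example)."""


def parse_rules(config_text):
    """Turn 'http_access ACTION acl [!acl ...]' lines into (action, terms) pairs."""
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line.startswith("http_access"):
            continue
        parts = line.split()
        rules.append((parts[1], parts[2:]))
    return rules


def term_matches(term, matched_acls):
    """A '!' prefix negates the ACL, as in squid.conf."""
    if term.startswith("!"):
        return term[1:] not in matched_acls
    return term in matched_acls


def evaluate(rules, matched_acls):
    """Return the action Squid would take for a request matching matched_acls."""
    matched = set(matched_acls) | {"all"}  # the built-in 'all' ACL always matches
    for action, terms in rules:
        if all(term_matches(t, matched) for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, matched_acls):
    return evaluate(parse_rules(config_text), matched_acls)


# Rule order as posted: the manager rules sit after 'deny all'.
POSTED_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow nivel6
http_access allow nivel5
http_access allow nivel4
http_access allow nivel3 !rule3 !desc3 !rule7 !desc7
http_access allow nivel2 !rule2 !desc2 !rule7 !desc7
http_access deny nivel1 !rule1
http_access allow nivel1 !desc1 !rule7 !desc7
http_access deny nivel0
http_access deny all
http_access allow manager localhost
http_access deny manager
"""

# Corrected order: manager rules listed early, beside the port rules.
FIXED_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow nivel6
http_access allow nivel5
http_access allow nivel4
http_access allow nivel3 !rule3 !desc3 !rule7 !desc7
http_access allow nivel2 !rule2 !desc2 !rule7 !desc7
http_access deny nivel1 !rule1
http_access allow nivel1 !desc1 !rule7 !desc7
http_access deny nivel0
http_access deny all
"""

# Constructed requests, expressed as the ACL names each one matches.
REMOTE_USER_MANAGER = {"Safe_ports", "nivel6", "manager"}   # authenticated user, not localhost
LOCALHOST_MANAGER = {"Safe_ports", "manager", "localhost"}  # admin on the proxy box
CONNECT_NON_SSL = {"Safe_ports", "CONNECT", "nivel6"}       # CONNECT to a non-SSL port

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "remote user -> manager:", decide(cfg, REMOTE_USER_MANAGER))
        print(name, "localhost  -> manager:", decide(cfg, LOCALHOST_MANAGER))
        print(name, "CONNECT to non-SSL port:", decide(cfg, CONNECT_NON_SSL))
```

With the posted order, any authenticated member of an allowed group reaches the cache manager from anywhere because "allow nivel6" matches before the manager lines are ever reached, while the manager is denied even from localhost; with the corrected order only localhost gets through and the CONNECT port restriction still applies in both.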
