[squid-users] Cache cellphone

Amos Jeffries squid3 at treenet.co.nz
Sun May 19 04:47:05 UTC 2019


On 19/05/19 3:47 pm, Ebed wrote:
> I'm trying to setup squid for my wifi which is mainly for cell phones and
> tv box with ssl-bump for the sake of bandwidth saving and my kids'
> protection. Is it possible for squid to directly inject a root CA as
> requested by applications?


No. If the clients do not trust your root CA there is nothing Squid can
do to make them. TLS is designed to prevent that type of trivial attack.

Your ssl_bump config looks a bit suspicious though. Doing peek at step2
should prevent bump from being possible at step3. You might have better
behaviour by swapping the peek and stare order. To be "peek step1" then
"stare step2".


> As I found it hard to set up my root CA on cellphone apps. I had tried
> installing it using the user credential setup but it still failed, and it is
> impossible for me to reflash the Android OS just to install the CA cert into
> the trusted credentials table. I have tried ssl_bump option combinations with
> no luck; peek and bump produce a lot of handshake errors. Here's my
> squid.conf, just guide me to the right way.
> 

Look at what those errors are saying. That should lead you towards
fixing them.



Also, what version of Squid are you using? There seems to be a jumbled
mix of old and new settings in this config file.

...

> https_port 10.0.1.2:3127 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem
> 
> #############################################################
> # tproxy setting
> # ausearch -c 'squid' --raw | audit2allow -M my-squid
> # semodule -i my-squid.pp
...
> http_port 10.0.1.2:3128 ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem
> 
...
> cache_dir aufs /var/spool/squid 5000 100 256
> 
...
> cache_mem 8 MB
> maximum_object_size_in_memory 32 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> maximum_object_size 128000 KB
> cache_swap_low 95
> cache_swap_high 99
> strip_query_terms off
> 
...
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> 
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/myca.pem
...
> sslproxy_cafile /etc/squid/ssl_cert/myca.pem
> sslproxy_cipher EECDH+ECDSA+AESGCM:E$
> 

NP: the missing part of the above cipher setting may give clues to some
of those handshake errors. Squid will have problems connecting to any
server which requires a cipher not in that list.


...
> 
> ssl_bump stare step1
> ssl_bump peek step2
> ssl_bump bump step3
> 
...
> 
> acl ARCHIEVES url_regex -i
> \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)*

This regex pattern matches every URL that contains a "." _anywhere_ in
the URL. For example any URL which has a domain name.
The 3-letter part is optional (due to the "*" suffix).


...
> 
> cache allow ARCHIEVES

ARCHIEVES will always match. So the following "cache" rules are pointless.

...
> 
> request_header_access From deny all
> request_header_access Server deny all

Server is a reply header. This line does nothing.

> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all

You are using the "via off" setting, which makes the above rule pointless.

> request_header_access X-Forwarded-For deny all

Use "forwarded_for delete" instead of the above line and the
"forwarded_for off" you have later.

> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
> 

NP: Pragma, WWW-Authenticate, Cache-Control and Link will do nothing
useful and actively break HTTP going through this proxy. You had best
remove those lines.

The Proxy-Connection and Keep-Alive headers are hop-by-hop and
deprecated in HTTP/1.1, which means any current Squid *always* removes
them. You do not need rules to make that happen.



> refresh_pattern ^ftp:       1440    20% 10080
> refresh_pattern ^gopher:    1440    0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
> refresh_pattern (Release|Packages(.gz)*)*      0       20%     2880

The above is equivalent to:

   refresh_pattern . 0 20% 2880

which means the following regex rules are pointless.


...
> via off
> forwarded_for off
> 
> logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm %ru
> %un %Sh/%<A %mt
> access_log daemon:/var/log/squid/access.log logaccess
> 


Amos
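As an added example (not part of Amos's reply or of Ebed's squid.conf), the script below reproduces the two regex mistakes Amos points out, the ARCHIEVES url_regex and the `(Release|Packages(.gz)*)*` refresh_pattern, and checks corrected versions of both against a few constructed URLs. Python's `re` module stands in for Squid's POSIX regex engine here; the corrected patterns, the end-of-URL anchoring with an optional query string, and the `docx?`/`xlsx?`/`pptx?` spelling (presumably what `doc?` etc. were meant to be) are my assumptions about the intended behaviour, not anything stated in the thread.

```python
import re

# The two patterns exactly as they appear in the quoted squid.conf.
ORIGINAL_ARCHIVES = (
    r"\.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z"
    r"|doc?|xls?|ppt?|pdf|nth|psd|sis)*"
)
ORIGINAL_REFRESH = r"(Release|Packages(.gz)*)*"

# Assumed corrections (mine, not from the thread): drop the trailing "*" that
# lets the group match zero times, anchor at the end of the URL (allowing an
# optional query string for the acl), and use docx?/xlsx?/pptx? for the
# Office extensions, which is presumably what "doc?" etc. were meant to be.
FIXED_ARCHIVES = (
    r"\.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z"
    r"|docx?|xlsx?|pptx?|pdf|nth|psd|sis)(\?.*)?$"
)
FIXED_REFRESH = r"(Release|Packages(\.gz)?)$"

# Constructed sample URLs: the first three are not archives and should not be
# selected by the ARCHIEVES acl; the remaining four should be.
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://www.example.com/index.html",
    "http://api.example.com/v1/items?format=json",
    "http://mirror.example.com/pool/main/f/foo/foo_1.0-1_amd64.deb",
    "http://dl.example.com/setup.exe",
    "http://dl.example.com/backup.tar.bz2",
    "http://dl.example.com/Report.PDF?download=1",
]


def matches(pattern: str, url: str, ignore_case: bool = False) -> bool:
    """Unanchored search over the whole URL, which is how Squid applies
    url_regex and refresh_pattern. ignore_case mirrors the acl's -i flag."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url, flags) is not None


def matching_urls(pattern: str, urls, ignore_case: bool = False) -> list:
    """Return the subset of urls that the pattern selects."""
    return [u for u in urls if matches(pattern, u, ignore_case)]


if __name__ == "__main__":
    for name, pat in (("original ARCHIEVES", ORIGINAL_ARCHIVES),
                      ("fixed ARCHIEVES", FIXED_ARCHIVES)):
        hits = matching_urls(pat, SAMPLE_URLS, ignore_case=True)
        print(f"{name}: {len(hits)}/{len(SAMPLE_URLS)} sample URLs match")
    page = "http://www.example.com/index.html"
    pkg = "http://deb.example.org/dists/stable/main/binary-amd64/Packages.gz"
    print("original refresh_pattern matches a plain page:",
          matches(ORIGINAL_REFRESH, page))
    print("fixed refresh_pattern matches a plain page:",
          matches(FIXED_REFRESH, page))
    print("fixed refresh_pattern matches Packages.gz:",
          matches(FIXED_REFRESH, pkg))
```

The original ARCHIEVES pattern matches all seven sample URLs because the `*` after the group allows it to match zero times, leaving only `\.` to satisfy; the original refresh_pattern matches every URL for the same reason, since the outer `*` lets the whole expression match the empty string. The corrected forms select only the four archive URLs and only `Release` / `Packages` / `Packages.gz` respectively. One caveat when porting this back to squid.conf: Squid compiles these with the POSIX extended regex engine, so keep to the basic syntax used here rather than Python-only extensions.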

