[squid-users] Issues with TLS inspection-2
squid3 at treenet.co.nz
Thu Jan 23 11:04:50 UTC 2020
On 23/01/20 3:11 pm, aashutosh kalyankar wrote:
> From: Amos Jeffrie>
> Secondly, make sure that your tests are accurately emulating how clients
> would "use" the proxy. That means making connections from a test machine
> directly to the Internet and seeing if the routing and NAT delivers the
> traffic to Squid properly.
> I am using a chromebook to test. In the configuration section of the
> wireless network there is an option to add proxy hostname and proxy port
> based on protocols.
> Http proxy : proxy-tls 80
> HTTPS proxy: proxy-tls 443
That is part of your problem. Those are settings for explicit proxy.
With intercept the clients knows nothing about any proxy. They are just
connecting to a web server directly (but *NAT* sends it to Squid instead).
> - Use cache.log to view the traffic coming into the proxy. It will be
> request messages with a prefix line indicating "Client HTTP request".
> Make sure that prefix line says the remote Internet IP address and port
> 80/443 you were testing with.
> - If you want confirm that access.log has a transaction entry for the
> URL you tested with ORIGINAL_DST and the server IP.
> Sample cache.log for a test I did for neverssl.com <http://neverssl.com>
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2346)
> parseHttpRequest: HTTP Client local=172.22.22.148:80
> <http://172.22.22.148:80> remote=172.22.22.151:34728
> <http://172.22.22.151:34728> FD 12 flags=33
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2347)
> parseHttpRequest: HTTP Client REQUEST:
> GET http://neverssl.com/ HTTP/1.1
> Host: neverssl.com <http://neverssl.com>
> Proxy-Connection: keep-alive
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> ... this is where all your custom http_access rules are supposed to be.
> The Safe_ports and SSL_Ports lines above are DoS and hijack protections.
> IIUC, These are not required to be here so I commented out those lines.
Sorry if I was not clear. They should be the first http_access lines in
your config. Local policy rules follow them. Then the final "deny all"
rule to block anything not allowed by your policy.
More information about the squid-users