[squid-users] Squid 4 and on_unsupported_protocol

Vieri rentorbuy at yahoo.com
Tue Jun 30 08:57:11 UTC 2020



 On Tuesday, June 30, 2020, 8:50:09 AM GMT+2, Eliezer Croitoru <ngtech1ltd at gmail.com> wrote: 

>
> I can try to reproduce this setup locally to make sure that it works as described in the docs.

Thanks!

> So a couple of details:
>   * PC Windows(What OS?) client with firefox

Windows 10, Windows 7
Firefox ESR 68.5.0
 
>    * Are you Intercepting the traffic or using Squid as a simple forward proxy defined in the browser or OS proxy settings?

Intercepting with TPROXY.

> Can you share a basic squid.conf (cleaned of personal details) to make sure where and how these rules should be applied?
 
Here it goes (client traffic is intercepted/bumped):

squid.conf:

# squid.conf: port-safety defaults first, then the site policy pulled in from two include files.
# Destination ports Squid is willing to forward to; anything else is refused below.
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 901        # SWAT
acl CONNECT method CONNECT
# Refuse unsafe ports and CONNECT to anything but 443 before any site rule runs,
# so the include files cannot accidentally widen these two checks.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache-manager interface is reachable from localhost only.
http_access allow localhost manager
http_access deny manager
# Listening ports / TLS interception live in squid.include; the access policy in
# squid.include.rules, which in turn includes squid.include.common and squid.include.hide.
include /etc/squid/squid.include
include /etc/squid/squid.include.rules
# Catch-all: whatever the include files did not explicitly allow is denied here.
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
# Refresh heuristics as shipped in the stock squid.conf.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320


squid.include:

# squid.include: listening ports and TLS interception setup.
# Port-name ACLs used by the rules file to distinguish explicit-proxy traffic (3128)
# from TPROXY-intercepted HTTP (3129) and HTTPS (3130).
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
# Intercepted HTTPS is bumped with per-host certificates minted from proxyserver.pem
# (kept in a 16 MB in-memory cache); NO_DEFAULT_CA means OpenSSL's default CA list is
# not loaded for this port.
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
# Security note: DONT_VERIFY_PEER disables validation of origin-server certificates on the
# Squid-to-server leg. Bumped clients only ever see the proxy-generated certificate, so an
# expired, mismatched or forged origin certificate is invisible to the user. Prefer normal
# verification and, if specific sites need it, a narrowly scoped sslproxy_cert_error exception.
tls_outgoing_options flags=DONT_VERIFY_PEER
# Helper that generates and caches the per-host certificates used by the bumped port above.
sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid 32 16 256

squid.include.common:

# squid.include.common: error-page presentation and client session limit.
# Administrator contact shown on error pages.
cache_mgr admin at domain.org
# Include details of the failed request in the mailto: link on error pages.
email_err_data on
# Custom error-page templates replace the stock ones.
error_directory /usr/share/squid/errors/custom
# Maximum time a client connection may stay open.
client_lifetime 480 minutes


squid.include.hide:

# squid.include.hide: reduce what the proxy reveals about itself to clients and servers.
# No Squid version string in HTTP headers or HTML error pages.
httpd_suppress_version_string on
# Prefer IPv4 answers when resolving destinations (unrelated to hiding; kept here by the author).
dns_v4_first on
# Do not add a Via header on forwarded requests/replies.
via off
# Leave X-Forwarded-For exactly as received: neither append the client IP nor strip it.
forwarded_for transparent


squid.include.rules:

# squid.include.rules: authentication, ACL definitions and the access policy.
# Group lookup against Winbind keyed on the authenticated login; ttl=0 means no result caching.
external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
# Kerberos (Negotiate) authentication for the explicit port; proxy auth cannot be used on
# intercepted connections, which is why the rules below only demand it for "explicit".
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/fwprox.domain.org at DOMAIN.ORG
auth_param negotiate children 60
auth_param negotiate keep_alive on
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl ORG_all proxy_auth REQUIRED
# Category-blacklist helper; verdicts are cached for a day (positive and negative).
external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv
# Allow/deny lists are maintained as files on the SAMBA share; Squid re-reads them only on reconfigure.
acl privileged_src_ips src "/SAMBA/proxy-settings/allowed.ips"
acl privileged_extra1_src_ips src "/SAMBA/proxy-settings/allowed.extra1.ips"
acl privileged_user_groups external nt_group "/SAMBA/proxy-settings/allowed.groups"
acl direct_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.direct"
acl good_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.domains"
acl good_dst_domains_with_any_filetype dstdomain "/SAMBA/proxy-settings/allowed.domains.filetypes"
acl good_dst_domains_with_any_mimetype dstdomain "/SAMBA/proxy-settings/allowed.domains.mimetypes"
acl good_urls_any_useragent url_regex "/SAMBA/proxy-settings/allowed.useragents.urls"
acl good_urls url_regex "/SAMBA/proxy-settings/allowed.urls"
acl bad_dst_domains dstdomain "/SAMBA/proxy-settings/denied.domains"
acl bad_dst_ccn_domains dstdomain "/SAMBA/proxy-settings/denied.ccn.domains"
acl bad_dst_ccn_ips dst "/SAMBA/proxy-settings/denied.ccn.ips"
acl limited_dst_domains_1 dstdomain "/SAMBA/proxy-settings/denied.extra1.domains"
acl bad_ads url_regex "/SAMBA/proxy-settings/denied.ads"
acl bad_filetypes urlpath_regex -i "/SAMBA/proxy-settings/denied.filetypes"
acl bad_requested_mimetypes req_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl bad_replied_mimetypes rep_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl restricted_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_good_dst_domains_1 dstdomain "/SAMBA/proxy-settings/allowed.restricted1.domains"
# NOTE(review): the name says "src_ips" but the ACL type is dst (destination IP) — confirm which was intended.
acl restricted_src_ips_1 dst "/SAMBA/proxy-settings/allowed.restricted1.ips"
acl explicit_only_src_ips src "/SAMBA/proxy-settings/restricted.ips"
acl explicit_only_user_groups external nt_group "/SAMBA/proxy-settings/restricted.groups"
acl explicit_only_dst_domains dstdomain "/SAMBA/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl bad_urlshorteners dstdomain "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"
acl redirected_domains_1 dstdomain .some.domain.com .some.other.domain.com
acl redirected_domains_2 dstdomain anotherdomain.com
acl redirected_urls_1 url_regex ^https://domain.com/path/
# User-Agent allow-list. The header is set by the client, so this is a policy hint that keeps
# unexpected software off the proxy, not a security boundary.
acl good_useragents req_header User-Agent Firefox/
acl good_useragents req_header User-Agent Edge/
acl good_useragents req_header User-Agent Microsoft-CryptoAPI/
acl src_ips_with_any_useragent src "/SAMBA/proxy-settings/allowed.useragents.ips"
acl dst_domains_with_any_useragent dstdomain "/SAMBA/proxy-settings/allowed.useragents.domains"
acl dst_ips_with_any_useragent dst "/SAMBA/proxy-settings/allowed.useragents.dst.ips"
# Baseline: explicit port requires Kerberos auth and refuses port-443 destinations (HTTPS is
# handled only via the TPROXY bump path); intercepted ports serve localnet only.
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
# Non-HTTP traffic arriving on the intercepted ports: tunnel it blindly when Squid cannot
# parse the protocol, the first bytes exceed the request-line limit, or the client sends
# nothing (server-talks-first protocols); anything else gets an HTTP error response.
# NOTE(review): this directive is documented as applying to intercepted connections and bumped
# tunnels only, and blindly tunnelled traffic is not inspected by the ICAP/MIME rules below —
# confirm the tunnel action is still subject to the http_access policy in this Squid 4 build.
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
# Let the fake CONNECT that ssl-bump synthesises for intercepted HTTPS through; the decrypted
# requests are then checked individually by the rules that follow.
http_access allow CONNECT interceptedssl SSL_ports
# Block unknown user agents unless the source, destination or URL is exempted.
http_access deny !good_useragents !src_ips_with_any_useragent !dst_domains_with_any_useragent !dst_ips_with_any_useragent !good_urls_any_useragent
# Denials redirect to an internal error page that carries the request details as query parameters.
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents good_useragents
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents src_ips_with_any_useragent
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_domains_with_any_useragent
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_ips_with_any_useragent
# Internal clients that are not "explicit only" may reach allow-listed domains/URLs and
# privileged sources get everything; the reply side mirrors the allow so replies are not filtered.
http_access allow localnet !explicit_only_src_ips good_dst_domains
http_access allow localnet !explicit_only_src_ips good_urls
http_access allow localnet !explicit_only_src_ips good_urls_any_useragent
http_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips good_dst_domains
http_reply_access allow localnet !explicit_only_src_ips good_urls
# "Explicit only" sources are confined to their own domain list.
http_access allow explicit_only_src_ips explicit_only_dst_domains
http_access deny explicit_only_src_ips
# Forced redirects for selected destinations.
http_access deny redirected_domains_1
deny_info 302:http://some.domain.com redirected_domains_1
http_access deny redirected_domains_2
deny_info 302:https://anotherdomain.com redirected_domains_2
http_access deny redirected_urls_1
deny_info 302:http://some.domain.com redirected_urls_1
http_access deny !privileged_src_ips bad_urlshorteners
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_urlshorteners bad_urlshorteners
# Restricted MIME types are allowed only for specific destinations (request and reply side),
# then denied for everyone else.
http_access allow restricted_requested_mimetypes_1 restricted_good_dst_domains_1
http_access allow restricted_requested_mimetypes_1 restricted_src_ips_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_good_dst_domains_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_src_ips_1
http_access allow limited_requested_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_reply_access allow limited_replied_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_access deny restricted_requested_mimetypes_1
http_reply_access deny restricted_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_requested_mimetypes_1
http_access deny limited_requested_mimetypes_1
http_reply_access deny limited_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_requested_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_replied_mimetypes_1
# Destination block lists; the "ccn" lists apply even to privileged sources.
http_access deny !privileged_src_ips bad_dst_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains bad_dst_domains
http_access deny bad_dst_ccn_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_domains
http_access deny bad_dst_ccn_ips
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_ips
http_access allow privileged_extra1_src_ips limited_dst_domains_1
http_access deny limited_dst_domains_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=limited_dst_domains_1 limited_dst_domains_1
# File-type and MIME-type blocks, with per-domain exemptions; checked on request and on reply.
http_access deny bad_filetypes !good_dst_domains_with_any_filetype
http_reply_access deny bad_filetypes !good_dst_domains_with_any_filetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_filetypes bad_filetypes
http_access deny bad_requested_mimetypes !good_dst_domains_with_any_mimetype
http_reply_access deny bad_replied_mimetypes !good_dst_domains_with_any_mimetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_requested_mimetypes
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_replied_mimetypes
# Everything else is decided by the category helper; presumably it answers OK only when the
# destination is in none of the configured categories — verify against the helper script.
# Requests it does not clear fall through to "http_access deny all" in squid.conf, whose
# redirect is the deny_info for "all" below.
http_access allow localnet bl_lookup
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains_bl all
debug_options rotate=1 ALL,1
# Unqualified hostnames get this domain appended before resolution.
append_domain .domain.org
# Strip the (older, Chromium-era) Alternate-Protocol advertisement so clients are not steered
# onto a transport the proxy cannot inspect; its successor header, Alt-Svc, is not stripped here.
reply_header_access Alternate-Protocol deny all
# SSL bump: peek at the SNI on step 1, splice (pass through unbumped) destinations matched by
# NoSSLIntercept, bump everything else.
# NOTE(review): allowed.direct is also loaded as a dstdomain list above, but here it is read as a
# regex list — patterns are unanchored and "." matches any character, so entries may splice
# more destinations than the dstdomain reading of the same file. Confirm the file's format.
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/SAMBA/proxy-settings/allowed.direct"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
# ICAP antivirus on replies; the client IP and authenticated username are passed to the service.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# bypass=0: if the scanner is unreachable the transaction fails rather than passing unscanned.
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
include /etc/squid/squid.include.common
include /etc/squid/squid.include.hide
cache_mem 32 MB
max_filedescriptors 65536
# -1: never suspend the ICAP service after repeated failures (together with bypass=0 this is fail-closed).
icap_service_failure_limit -1
icap_persistent_connections off


Regards,

Vieri

