<div dir="ltr">Hi again..<div><br></div><div>The compilation now works OK, but I have issues with the HTTPS sites.</div><div><br></div><div>Squid starts OK, but I can't see the HTTPS sites in the browser. I made the certificate and put myCA.der on the Windows client.</div><div><br></div><div>I tested it with:</div><div>1- ssl-bump server-first all<br></div><div>2- ssl-bump client-first all</div><div><br></div><div>testing with and without the ACLs...</div><div><span style="font-family:monospace">acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH </span><br style="font-family:monospace"><span style="font-family:monospace">sslproxy_cert_error allow TrustedName </span><br style="font-family:monospace"><span style="font-family:monospace">sslproxy_cert_error allow BadSite </span><br style="font-family:monospace"><span style="font-family:monospace">sslproxy_cert_error deny all </span><br></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">and nothing: I can't see HTTPS sites like <a href="http://mail.yahoo.com">mail.yahoo.com</a> or <a href="http://facebook.com">facebook.com</a> </span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">The browser keeps showing </span></div><div>ERROR SSL CONNECTION</div><div>ERR_SSL_PROTOCOL</div><div><br></div><div>I rebuilt /var/spool/squid_ssldb many times</div><div><br></div><div>and the logs keep saying...</div><div><br></div><div>



<div>
<span style="font-family:monospace"><span style="color:rgb(0,0,0)">1432201755.569      0 172.16.1.20 TAG_NONE/400 3640  Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
</span><br>1432201756.077      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.078      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.085      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.090      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.094      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.381      1 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.383      1 172.16.1.20 TAG_NONE/400 3616  v%C9%F0O%C9%E6%BB%A1%D2 - HIER_NONE/- text/html
<br>1432201756.391      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.395      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.399      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.662      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.663      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.670      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
<br>1432201756.675      0 172.16.1.20 TAG_NONE/400 3672  %05%D5%846S/%60%E5&e@%60%D5=%CA%27%E5%E7 - HIER_NONE/- text/html
<br>1432201756.680      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html<br></span></div></div><div><span style="font-family:monospace"><br></span></div><div>here is my config</div><div>----------------------------------</div><div>



<div>
<span style="font-family:monospace"><span style="color:rgb(0,0,0)"># squid3 -k parse
</span><br>2015/05/21 05:42:10| Startup: Initializing Authentication Schemes ...
<br>2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'basic'
<br>2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'digest'
<br>2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'negotiate'
<br>2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'ntlm'
<br>2015/05/21 05:42:10| Startup: Initialized Authentication.
<br>2015/05/21 05:42:10| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
<br>2015/05/21 05:42:10| Processing: http_port <a href="http://172.16.1.10:3128">172.16.1.10:3128</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem
<br>2015/05/21 05:42:10| Starting Authentication on port <a href="http://172.16.1.10:3128">172.16.1.10:3128</a>
<br>2015/05/21 05:42:10| Disabling Authentication on port <a href="http://172.16.1.10:3128">172.16.1.10:3128</a> (interception enabled)
<br>2015/05/21 05:42:10| Processing: hostname_aliases debian-template.ctimegroup.local
<br>2015/05/21 05:42:10| Processing: visible_hostname debian-template
<br>2015/05/21 05:42:10| Processing: hierarchy_stoplist cgi-bin ?
<br>2015/05/21 05:42:10| Processing: acl QUERY urlpath_regex cgi-bin \?
<br>2015/05/21 05:42:10| Processing: no_cache deny QUERY
<br>2015/05/21 05:42:10| Processing: cache_mem 1024 MB
<br>2015/05/21 05:42:10| Processing: cache_replacement_policy heap LFUDA
<br>2015/05/21 05:42:10| Processing: cache_dir aufs /var/spool/squid3 4096 16 256
<br>2015/05/21 05:42:10| Processing: cache_log /var/log/squid3/cache.log
<br>2015/05/21 05:42:10| Processing: cache_store_log none
<br>2015/05/21 05:42:10| Processing: cache_effective_user proxy
<br>2015/05/21 05:42:10| Processing: cache_effective_group proxy
<br>2015/05/21 05:42:10| Processing: maximum_object_size 1024 KB
<br>2015/05/21 05:42:10| Processing: prefer_direct on
<br>2015/05/21 05:42:10| Processing: ftp_user <a href="mailto:anonymous@proxy.sld.cu">anonymous@proxy.sld.cu</a>
<br>2015/05/21 05:42:10| Processing: negative_ttl 5 minutes
<br>2015/05/21 05:42:10| Processing: positive_dns_ttl 6 hours
<br>2015/05/21 05:42:10| Processing: negative_dns_ttl 5 minutes
<br>2015/05/21 05:42:10| Processing: coredump_dir /var/spool/squid3
<br>2015/05/21 05:42:10| Processing: shutdown_lifetime 3 seconds
<br>2015/05/21 05:42:10| Processing: logfile_rotate 10
<br>2015/05/21 05:42:10| Processing: access_log /var/log/squid3/access.log squid
<br>2015/05/21 05:42:10| Processing: half_closed_clients off
<br>2015/05/21 05:42:10| Processing: strip_query_terms on
<br>2015/05/21 05:42:10| Processing: refresh_pattern ^ftp:       1440    20% 10080
<br>2015/05/21 05:42:10| Processing: refresh_pattern ^gopher:    1440    0%  1440
<br>2015/05/21 05:42:10| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
<br>2015/05/21 05:42:10| Processing: refresh_pattern .       0   20% 4320
<br>2015/05/21 05:42:10| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
<br>2015/05/21 05:42:10| Processing: acl SSL_ports port 443 8443 12048 2083
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 440-442     # http
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 443
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 80          # http
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 21          # ftp
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 443         # https, snews
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 1025-8081   # unregistered ports
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 8082-9999   # unregistered ports
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 10001-65535 # unregistered ports
<br>2015/05/21 05:42:10| Processing: acl Safe_ports port 280         # http-mgmt
<br>2015/05/21 05:42:10| Processing: acl CONNECT method CONNECT
<br>2015/05/21 05:42:10| Processing: acl localhost src 192.168.207.51 172.16.1.10
<br>2015/05/21 05:42:10| Processing: http_access allow localhost </span></div><div>



<div>
<span style="font-family:monospace"><span style="color:rgb(0,0,0)">2015/05/21 05:45:51| Processing: ssl_bump server-first all</span><br></span></div><span style="font-family:monospace">2015/05/21 05:42:10| Processing: sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
<br>2015/05/21 05:42:10| Processing: sslcrtd_children 50 startup=1 idle=1
<br>2015/05/21 05:42:10| Processing: acl TrustedName url_regex ^<a href="https://www.facebook.com">https://www.facebook.com</a>
<br>2015/05/21 05:42:10| Processing: acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
<br>2015/05/21 05:42:10| Processing: sslproxy_cert_error allow TrustedName
<br>2015/05/21 05:42:10| Processing: sslproxy_cert_error allow BadSite
<br>2015/05/21 05:42:10| Processing: sslproxy_cert_error deny all
<br>2015/05/21 05:42:10| Processing: acl network src <a href="http://172.16.1.0/24">172.16.1.0/24</a> <a href="http://192.168.207.0/24">192.168.207.0/24</a>
<br>2015/05/21 05:42:10| Processing: http_access allow network
<br>2015/05/21 05:42:10| Processing: acl purge method PURGE
<br>2015/05/21 05:42:10| Processing: http_access deny !Safe_ports
<br>2015/05/21 05:42:10| Processing: http_access deny CONNECT !SSL_ports
<br>2015/05/21 05:42:10| Processing: http_access deny all
<br>2015/05/21 05:42:10| Processing: always_direct allow all
<br>2015/05/21 05:42:10| Processing: forward_max_tries 25
<br>2015/05/21 05:42:10| Processing: never_direct allow all
<br>2015/05/21 05:42:10| Processing: max_filedesc 16384
<br>2015/05/21 05:42:10| Processing: dns_nameservers 8.8.8.8
<br>2015/05/21 05:42:10| Processing: dns_nameservers 8.8.4.4
<br>2015/05/21 05:42:10| Processing: positive_dns_ttl 8 hours
<br>2015/05/21 05:42:10| Processing: negative_dns_ttl 30 seconds
<br>2015/05/21 05:42:10| Initializing https proxy context
<br>2015/05/21 05:42:10| Initializing http_port <a href="http://172.16.1.10:3128">172.16.1.10:3128</a> SSL context
<br>2015/05/21 05:42:10| Using certificate in /etc/squid3/ssl/myCA.pem<br>
<br></span></div><div>Any idea?</div><div><br></div><div>Thanks</div>-- <br><div class="gmail_signature"><div dir="ltr"><div><font color="#888888"><font color="#888888">Antonio Pe</font><span><font color="#888888">ñ</font></span><font color="#888888">a</font><span></span><br><font color="#888888">Secure email with PGP 0x8B021001 available at <a href="https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on" target="_blank">https://pgp.mit.edu</a><br></font></font><font color="#888888">
<font color="#888888">Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001</font></font></div></div></div>
</div></div>
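<div>Added example, not part of the original message and not Squid project code: a small triage script for the access.log excerpt above. It separates log lines whose request field holds percent-encoded binary from the plain <code>error:invalid-request</code> entries, which is consistent with non-HTTP traffic (such as a TLS handshake) reaching a listener that parses cleartext HTTP. The function names and the last sample line (client 192.0.2.10) are constructed for illustration.</div>

```python
"""Triage Squid native access.log lines for non-HTTP bytes on an HTTP listener."""
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# First four lines are copied from the post; the last one is constructed
# (hypothetical client 192.0.2.10) to show an ordinary HTTP request.
SAMPLE_LOG = """\
1432201755.569      0 172.16.1.20 TAG_NONE/400 3640  Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
1432201756.077      0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.383      1 172.16.1.20 TAG_NONE/400 3616  v%C9%F0O%C9%E6%BB%A1%D2 - HIER_NONE/- text/html
1432201756.675      0 172.16.1.20 TAG_NONE/400 3672  %05%D5%846S/%60%E5&e@%60%D5=%CA%27%E5%E7 - HIER_NONE/- text/html
1432201760.000     52 192.0.2.10 TCP_MISS/200 1520 GET http://example.com/ - HIER_DIRECT/192.0.2.80 text/html
"""

def is_binary(token):
    """True if the percent-decoded token holds bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in unquote_to_bytes(token))

def classify(line):
    """Return (client, status, kind) for one log line, or None if malformed."""
    tokens = line.split()
    if len(tokens) < 9:
        return None
    client, status = tokens[2], tokens[3].rsplit("/", 1)[-1]
    # Five fixed columns in front, three at the end; the rest is "method URL".
    request = tokens[5:-3]
    if any(is_binary(t) for t in request):
        kind = "binary-request"
    elif request[-1:] == ["error:invalid-request"]:
        kind = "invalid-request"
    else:
        kind = "http"
    return client, status, kind

def summarize(log_text):
    """Count request kinds per client address."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            per_client[parsed[0]][parsed[2]] += 1
    return {client: dict(kinds) for client, kinds in per_client.items()}

def suspect_clients(log_text):
    """Clients that sent raw binary where Squid expected an HTTP request line."""
    return sorted(c for c, k in summarize(log_text).items() if k.get("binary-request"))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), suspect_clients(SAMPLE_LOG))
```

<div>A <code>binary-request</code> count on a listener declared with <code>http_port</code> means clients are sending something other than cleartext HTTP there. If the firewall redirects port 443 to that listener (an assumption; the post does not show the redirect rules), Squid expects that traffic on an <code>https_port ... intercept ssl-bump</code> listener instead.</div>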