<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
<br>
<br>
11.11.15 1:45, Ahmad Alzaeem wrote:<br>
<span style="white-space: pre;">> Hi I don’t have ssl bump<br>
><br>
> All my users use ip:port to have internet<br>
><br>
> I already have ISA windows server and it works with http and https<br>
><br>
> I'm wondering why all this complexity is needed for peer https !!!<br>
><br>
> Anyway here is squid.conf<br>
><br>
> # This file is automatically generated by pfSense<br>
> # Do not edit manually !<br>
><br>
> http_port 172.23.101.253:3128<br>
> icp_port 0<br>
> dns_v4_first on<br>
> pid_filename /var/run/squid/squid.pid<br>
> cache_effective_user proxy<br>
> cache_effective_group proxy<br>
> error_default_language en<br>
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons<br>
> visible_hostname mne<br>
> cache_mgr <a class="moz-txt-link-abbreviated" href="mailto:azaeem@mne.ps">azaeem@mne.ps</a><br>
> access_log /var/squid/logs/access.log<br>
> cache_log /var/squid/logs/cache.log<br>
> cache_store_log none<br>
> netdb_filename /var/squid/logs/netdb.state<br>
> pinger_enable off<br>
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger<br>
><br>
> logfile_rotate 2<br>
> debug_options rotate=2<br>
> shutdown_lifetime 3 seconds<br>
> # Allow local network(s) on interface(s)<br>
> acl localnet src 172.23.101.0/24<br>
> forwarded_for off<br>
> via off<br>
> httpd_suppress_version_string on<br>
> uri_whitespace strip<br>
><br>
> # the "?" must be escaped, otherwise the regex has a quantifier with nothing to repeat<br>
> acl dynamic urlpath_regex cgi-bin \?<br>
> cache deny dynamic</span><br>
It's too much. Do you already have a REFRESH pattern that performs
the same function?<br>
<br>
<span style="white-space: pre;">><br>
> cache_mem 64 MB<br>
> maximum_object_size_in_memory 256 KB<br>
> memory_replacement_policy heap GDSF<br>
> cache_replacement_policy heap LFUDA<br>
> minimum_object_size 0 KB<br>
> maximum_object_size 4 MB<br>
> cache_dir ufs /var/squid/cache 100 16 256<br>
> offline_mode off<br>
> cache_swap_low 90<br>
> cache_swap_high 95<br>
> cache allow all<br>
><br>
> # Add any of your own refresh_pattern entries above these.<br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
> refresh_pattern ^gopher: 1440 0% 1440<br>
> # the "?" must be escaped so that the alternation matches a literal query-string marker<br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> refresh_pattern . 0 20% 4320<br>
><br>
> #Remote proxies<br>
><br>
> # Setup some default acls<br>
> # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.<br>
> # acl localhost src 127.0.0.1/32<br>
> acl allsrc src all<br>
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535<br>
> acl sslports port 443 563<br>
><br>
> # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.<br>
> #acl manager proto cache_object<br>
><br>
> acl purge method PURGE<br>
> acl connect method CONNECT<br>
><br>
> # Define protocols used for redirects<br>
> acl HTTP proto HTTP<br>
> acl HTTPS proto HTTPS</span><br>
There is no need to define standard protocols.<br>
<br>
<span style="white-space: pre;">><br>
> http_access allow manager localhost<br>
><br>
> http_access deny manager<br>
> http_access allow purge localhost<br>
> http_access deny purge<br>
> http_access deny !safeports<br>
> http_access deny CONNECT !sslports<br>
><br>
> # Always allow localhost connections<br>
> # From 3.2 further configuration cleanups have been done to make things easier and safer.<br>
> # The manager, localhost, and to_localhost ACL definitions are now built-in.<br>
> # http_access allow localhost<br>
><br>
> request_body_max_size 0 KB<br>
><br>
> delay_access 1 allow allsrc<br>
><br>
> # Reverse Proxy settings<br>
><br>
> # Custom options before auth<br>
> dns_nameservers 8.8.8.8 10.12.0.33<br>
> cache_peer 10.12.0.32 parent 80 0 no-query no-digest no-tproxy proxy-only<br>
><br>
> # Setup allowed acls<br>
> # Allow local network(s) on interface(s)<br>
> http_access allow localnet<br>
> # Default block all to be sure<br>
> http_access deny allsrc<br>
></span><br>
Amos will complement me on the configuration. But I think that I would
have written the configuration a little differently.<br>
<br>
<span style="white-space: pre;">><br>
> cheers<br>
><br>
> From: Yuri Voinov [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]<br>
> Sent: Tuesday, November 10, 2015 9:43 PM<br>
> To: Ahmad Alzaeem<br>
> Cc: <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> Subject: Re: [squid-users] cache peer only forward http , not https !!!<br>
><br>
> I think, we need to take a look on your squid.conf first.<br>
><br>
> 10.11.15 23:18, Ahmad Alzaeem wrote:<br>
> > Thank you ,<br>
> ><br>
> > Can you just guide me for the https peer directive plz ?<br>
> ><br>
> > I can take care of https intercept<br>
> ><br>
> > So with http , we have directive cache_peer 10.12.0.32 parent 8080 0 no-query no-digest<br>
> ><br>
> > As ok<br>
> ><br>
> > Now what about https directive ?<br>
> ><br>
> > Can u help me<br>
> ><br>
> > Thanks a lot a lot a lot for your help<br>
> ><br>
> > cheers<br>
> ><br>
> > From: squid-users [<a class="moz-txt-link-freetext" href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>] On Behalf Of Yuri Voinov<br>
> > Sent: Tuesday, November 10, 2015 8:49 PM<br>
> > To: <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > Subject: Re: [squid-users] cache peer only forward http , not https !!!<br>
> ><br>
> > 1. You need to configure Squid with SSL Bump to capture HTTPS traffic.<br>
> > 2. You need to configure forwarded requests with splice/no bump. :)<br>
> ><br>
> > 10.11.15 22:42, Ahmad Alzaeem wrote:<br>
> > > Hi Guys I want proxy and I want it to forward http & https to remote proxy<br>
> > ><br>
> > > Is the command below enough ?<br>
> > ><br>
> > > cache_peer 10.12.0.32 parent 8080 0 no-query no-digest no-tproxy proxy-only<br>
> > No.<br>
> > ><br>
> > > or I need to add other line for https ??<br>
> > No.<br>
> > ><br>
> > > BTW the command line above work only for http not for https<br>
> > Sure.<br>
> > ><br>
> > > Any help ?<br>
> ><br>
> > *** DISCLAIMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLIND COPY-N-PASTE IT IN YOUR ENVIRONMENT! ***<br>
> ><br>
> > # Privoxy+Tor acl<br>
> > acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor"<br>
> ><br>
> > # SSL bump rules<br>
> > sslproxy_cert_error allow all<br>
> > acl DiscoverSNIHost at_step SslBump1<br>
> > ssl_bump peek DiscoverSNIHost<br>
> > acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.nobump"<br>
> > acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.tor"<br>
> > ssl_bump splice NoSSLIntercept<br>
> > ssl_bump bump all<br>
> ><br>
> > # Privoxy+Tor access rules<br>
> > never_direct allow tor_url<br>
> ><br>
> > # Local Privoxy is cache parent<br>
> > cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default<br>
> > cache_peer_access 127.0.0.1 allow tor_url<br>
> > cache_peer_access 127.0.0.1 deny all<br>
> ><br>
> > As you can see, this is just example. The idea described with first two lines of my answer above.<br>
> > This snippet works for torified sites described in tor_url acl.<br>
> > NB: I do not guarantee this will work on your environment!<br>
> ><br>
> > > _______________________________________________<br>
> > > squid-users mailing list<br>
> > > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> > > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJWQmecAAoJENNXIZxhPexGCEwIAIsD1j1VYhtBxOJL3Q09FpCY
<br>
ZE7ZhYhCQxno/wB7E0v0/D12MFLnoFrjf7yVZ9EDzAV4moEw6XCvGZ6S6H+xR4ct
<br>
ceT1cAC8KuhZfsgXTvUAgkKT9Zcud3whcv7ddCflJjQmwlGuROO8dW3ag45KmLmZ
<br>
NpjQ4ySibg8jMOy2x9kRc3hfh8tk6uD6PEU89JN8rbR5tMFh8os/h4u6mJsqEBCO
<br>
OAy+8dhW35k8lADzPcHsMskafQW5U2bslqSMM0IiDnS5JNuZqs896UnLuOPszcCJ
<br>
Lq7U5BJFKhxVyU4S5o1Vxo6YYhFh8ZwoPEWcUZk7Efqs5kTk7Uc2tNsuRomDJs0=
<br>
=vbwg
<br>
-----END PGP SIGNATURE-----
<br>
<br>
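Added example (not code from this thread or from the Squid project): a small sanity checker for the access-control directives in the configurations quoted above. It reads acl, http_access, cache_peer, never_direct and sslproxy_cert_error lines and reports what a reviewer would raise on them: a reference to an undefined ACL (a fatal parse error in Squid), an http_access rule placed after a catch-all rule (never evaluated), a cache_peer with no never_direct rule (Squid may still fetch directly), and "sslproxy_cert_error allow all" (every upstream certificate error on bumped connections is ignored). It assumes ACL names compare case-insensitively and that the built-in ACLs are the Squid 3.2+ set (all, manager, localhost, to_localhost); the SAMPLE_CONF text is constructed from the pfSense config in this thread plus one deliberately misspelled ACL reference.<br>

```python
"""Small squid.conf sanity checker (illustration only, not Squid's own tooling)."""

# Assumption: the ACLs Squid 3.2+ defines automatically.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Constructed sample input: the access-control lines of the pfSense-generated
# config quoted in this thread, plus one deliberately misspelled ACL reference
# ("localnett") and the sslproxy_cert_error line from the later snippet.
SAMPLE_CONF = """\
# This file is automatically generated by pfSense
http_port 172.23.101.253:3128
acl localnet src 172.23.101.0/24
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
cache_peer 10.12.0.32 parent 80 0 no-query no-digest no-tproxy proxy-only
http_access allow localnet
http_access deny allsrc
http_access allow localnett
sslproxy_cert_error allow all
"""


def parse(conf):
    """Return (directive, args) tuples; blank and comment lines are dropped.
    Whitespace splitting is enough for these directives (quoted paths with
    spaces, as in the Tor snippet, would need a real tokenizer)."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def lint(conf):
    """Return a list of human-readable findings, in config order."""
    rules = parse(conf)
    findings = []
    # Collect ACL definitions first; names are compared case-insensitively
    # (assumption, see lead-in), so "acl connect" satisfies "CONNECT".
    acls = {}
    for directive, args in rules:
        if directive == "acl" and len(args) >= 2:
            acls[args[0].lower()] = args[1:]

    def is_catch_all(name):
        # "all" is built in; "acl allsrc src all" is the same thing under another name.
        return name == "all" or acls.get(name) == ["src", "all"]

    catch_all_rule = None
    for directive, args in rules:
        if directive == "http_access" and len(args) >= 2:
            terms = args[1:]
            for term in terms:
                name = term.lstrip("!").lower()
                if name not in acls and name not in BUILTIN_ACLS:
                    findings.append(
                        f"http_access {' '.join(args)}: ACL '{term}' is not defined")
            if catch_all_rule:
                # http_access is first-match: nothing after a catch-all is evaluated.
                findings.append(
                    f"http_access {' '.join(args)}: unreachable, "
                    f"'{catch_all_rule}' already matches every request")
            elif len(terms) == 1 and not terms[0].startswith("!") \
                    and is_catch_all(terms[0].lower()):
                catch_all_rule = f"http_access {' '.join(args)}"
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(
                "sslproxy_cert_error allow all: every upstream certificate error "
                "on bumped connections is ignored, so the client never sees the "
                "problem with the origin server's certificate")

    has_peer = any(d == "cache_peer" for d, _ in rules)
    has_never_direct = any(d == "never_direct" for d, _ in rules)
    if has_peer and not has_never_direct:
        findings.append(
            "cache_peer is defined but there is no never_direct rule: Squid "
            "may still fetch directly instead of through the parent")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run as a script it prints four findings for the sample; feeding it your own squid.conf text through lint() shows the same checks on that file. Adding a "never_direct allow all" line (as the Tor snippet does for its tor_url ACL) clears the cache_peer finding.<br>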
</body>
</html>