<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"ITC Galliard Std";}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1644115034;
mso-list-type:hybrid;
mso-list-template-ids:1707761424 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">I didn’t really get an answer previously so I did some research and now I’m not quite sure what to do.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Problem is I’m getting a lot of these:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">The following error was encountered while trying to retrieve the URL:</span><span class="apple-converted-space"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E"> </span></span><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E"><a href="https://%2A.agentimediaservices.com/*">https://*.agentimediaservices.com/*</a><o:p></o:p></span></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<b><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">Failed to establish a secure connection to 63.240.52.151</span></b><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">The system returned:<o:p></o:p></span></p>
<pre style="margin-left:.5in"><span style="font-family:"Arial",sans-serif;color:#1E1E1E">(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)<o:p></o:p></span></pre>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt">
<span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA<o:p></o:p></span></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;orphans: auto;text-align:start;widows: 1;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections,
or the proxy is not satisfied with the host security credentials.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;orphans: auto;text-align:start;widows: 1;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E">Your cache administrator is</span><span class="apple-converted-space"><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E"> </span></span><span style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1E1E1E"><a href="mailto:webmaster?subject=CacheErrorInfo%20-%20ERR_SECURE_CONNECT_FAIL&body=CacheHost%3A%20LNP-Proxy%0D%0AErrPage%3A%20ERR_SECURE_CONNECT_FAIL%0D%0AErr%3A%20(71)%20Protocol%20error%0D%0ATimeStamp%3A%20Thu,%2028%20Apr%202016%2016%3A37%3A14%20GMT%0D%0A%0D%0AClientIP%3A%20192.168.203.24%0D%0AServerIP%3A%2063.240.52.151%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AHost%3A%2063.240.52.151%3A443%0D%0A%0D%0A%0D%0A">webmaster</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As I had stated some are “fixable” by adding the url to my broken acl and then not peeking at it. That sometimes works, most of the time not and then I have to add the ip listed to an acl of allowed ips. This usually works but not in
all cases. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That leaves me sort of stuck. I’ve been having to actually remove folks from the proxy so they could work. I work for a newspaper and most of the issues lie with the myriad of SEO/Marketing sites/tools these people use. They’re horrible.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">That leads me to my question of will using that flag make this issue go away? Granted Im aware it’s not the safest I can’t deny users access to the sites they need.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m running 3.5.16 compiled from source on debian Jessie. Fully updated. I’m also confused as to why this is happening. My ca store is up to date. I’m confused as to why this is happening. If I can access all these sites fine without
the proxy I’d have to think it’s not the cert itself. So it’s either debians cert store or something else. I’m sort of at the end of my knowledge here as to what to troubleshoot.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The other option, though it would be last resort would be to just stop doing anything with https, though all I really wanted was to keep stats on sites visited.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is some openssl info. This leads me to believe its not a squid issue persay, its an openssl issue and or debian issue with certs. But I’m not 100% on that.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">bruce@LNP-Proxy:/etc/squid3$ sudo openssl s_client -connect www.agentimediaservices.com:443 -showcerts<o:p></o:p></p>
<p class="MsoNormal">CONNECTED(00000003)<o:p></o:p></p>
<p class="MsoNormal">depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com<o:p></o:p></p>
<p class="MsoNormal">verify error:num=20:unable to get local issuer certificate<o:p></o:p></p>
<p class="MsoNormal">verify return:1<o:p></o:p></p>
<p class="MsoNormal">depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com<o:p></o:p></p>
<p class="MsoNormal">verify error:num=27:certificate not trusted<o:p></o:p></p>
<p class="MsoNormal">verify return:1<o:p></o:p></p>
<p class="MsoNormal">depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com<o:p></o:p></p>
<p class="MsoNormal">verify error:num=21:unable to verify the first certificate<o:p></o:p></p>
<p class="MsoNormal">verify return:1<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal">Certificate chain<o:p></o:p></p>
<p class="MsoNormal">0 s:/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com<o:p></o:p></p>
<p class="MsoNormal"> i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA<o:p></o:p></p>
<p class="MsoNormal">-----BEGIN CERTIFICATE-----<o:p></o:p></p>
<p class="MsoNormal">MIIF+zCCBOOgAwIBAgIRAMmCjqA+AnLRGj9AxsuZpfMwDQYJKoZIhvcNAQELBQAw<o:p></o:p></p>
<p class="MsoNormal">gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO<o:p></o:p></p>
<p class="MsoNormal">BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD<o:p></o:p></p>
<p class="MsoNormal">VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT<o:p></o:p></p>
<p class="MsoNormal">ZXJ2ZXIgQ0EwHhcNMTUwMTE2MDAwMDAwWhcNMTgwMTE1MjM1OTU5WjCB2jELMAkG<o:p></o:p></p>
<p class="MsoNormal">A1UEBhMCVVMxDjAMBgNVBBETBTEwMDA3MQswCQYDVQQIEwJOWTERMA8GA1UEBxMI<o:p></o:p></p>
<p class="MsoNormal">TmV3IFlvcmsxFTATBgNVBAkTDDE5NSBCcm9hZHdheTEUMBIGA1UEChMLT01EIFVT<o:p></o:p></p>
<p class="MsoNormal">QSBMTEMxCzAJBgNVBAsTAklUMR4wHAYDVQQLExVIb3N0ZWQgYnkgT01EIFVTQSBJ<o:p></o:p></p>
<p class="MsoNormal">TkMxHTAbBgNVBAsTFFBsYXRpbnVtU1NMIFdpbGRjYXJkMSIwIAYDVQQDFBkqLmFn<o:p></o:p></p>
<p class="MsoNormal">ZW50aW1lZGlhc2VydmljZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB<o:p></o:p></p>
<p class="MsoNormal">CgKCAQEA26hgIL5HPDSLX6fySB8fUzbWFHFwEFzPIqt47wdqyNR2moDHrtEJ+ybZ<o:p></o:p></p>
<p class="MsoNormal">v+byrRm4b34Zjfvt7n6caV6pcogiazE1ByIEWdEPN7M6jTU4ZiwMfaIfs0T4uNlc<o:p></o:p></p>
<p class="MsoNormal">9I8PKws8u093JRP5DV1AEm2t8JI69msPaK14x4pE6sDRqRuNaXVtLiMBR5B/jurK<o:p></o:p></p>
<p class="MsoNormal">xOpv365wb3ckoebFNbOo/AHC8abi3PCaVTVFMu1b1QFI9SVrmHVYAsqVwPiyi2YJ<o:p></o:p></p>
<p class="MsoNormal">zkdaHyu51uOmk6kXuVyZT2sfrNyTt9e7UuwqmgqvolncoMyV5MEzR5LZvephPIpM<o:p></o:p></p>
<p class="MsoNormal">bV9HNPcDY0KXOKfeDWPpfeFJxosVzQIDAQABo4IB/DCCAfgwHwYDVR0jBBgwFoAU<o:p></o:p></p>
<p class="MsoNormal">mvMr2s+tT7YvuypISCoStxtCwSQwHQYDVR0OBBYEFIu+BPXh1FoDihdd/D/iMDMv<o:p></o:p></p>
<p class="MsoNormal">bNRhMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG<o:p></o:p></p>
<p class="MsoNormal">AQUFBwMBBggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkG<o:p></o:p></p>
<p class="MsoNormal">CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB<o:p></o:p></p>
<p class="MsoNormal">AgIwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N<o:p></o:p></p>
<p class="MsoNormal">T0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCB<o:p></o:p></p>
<p class="MsoNormal">iwYIKwYBBQUHAQEEfzB9MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LmNvbW9kb2Nh<o:p></o:p></p>
<p class="MsoNormal">LmNvbS9DT01PRE9SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2VydmVy<o:p></o:p></p>
<p class="MsoNormal">Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wPQYD<o:p></o:p></p>
<p class="MsoNormal">VR0RBDYwNIIZKi5hZ2VudGltZWRpYXNlcnZpY2VzLmNvbYIXYWdlbnRpbWVkaWFz<o:p></o:p></p>
<p class="MsoNormal">ZXJ2aWNlcy5jb20wDQYJKoZIhvcNAQELBQADggEBACDzmWMa2LpUbcDEh1Quz+ak<o:p></o:p></p>
<p class="MsoNormal">4irQoi97D3iD7HHtZRuLSzR5AT11le56GJR9e/0IlFFlxiA+dwn60OmAAi6EX0zb<o:p></o:p></p>
<p class="MsoNormal">7qAJ5Lemm8PtLcdqAydreaK9uYxhF3J1O4/bJHmCJ6P/n6U5MDTNRHYKx4Vo0Dfy<o:p></o:p></p>
<p class="MsoNormal">CepRebqV79BCzRDEBTTL2MOnoFJB5NZciYRcypm4JuKHCDO0XCjkONHIlLLDquKV<o:p></o:p></p>
<p class="MsoNormal">cNDI7Q00Ctlw8MriPpT8MPY1pdfIYkEVNp2AXOPQ/gXMHJ7EwFPGk3pnct3a9Nk1<o:p></o:p></p>
<p class="MsoNormal">XsLTUSSRN5ggOIVk+qDU+PhgKA5U1V6TJEfEt7WA47DY5DtJqVpV/qMoNaGlU8Y=<o:p></o:p></p>
<p class="MsoNormal">-----END CERTIFICATE-----<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal">Server certificate<o:p></o:p></p>
<p class="MsoNormal">subject=/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com<o:p></o:p></p>
<p class="MsoNormal">issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal">No client certificate CA names sent<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal">SSL handshake has read 1678 bytes and written 599 bytes<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal">New, TLSv1/SSLv3, Cipher is RC4-MD5<o:p></o:p></p>
<p class="MsoNormal">Server public key is 2048 bit<o:p></o:p></p>
<p class="MsoNormal">Secure Renegotiation IS supported<o:p></o:p></p>
<p class="MsoNormal">Compression: NONE<o:p></o:p></p>
<p class="MsoNormal">Expansion: NONE<o:p></o:p></p>
<p class="MsoNormal">SSL-Session:<o:p></o:p></p>
<p class="MsoNormal"> Protocol : TLSv1.2<o:p></o:p></p>
<p class="MsoNormal"> Cipher : RC4-MD5<o:p></o:p></p>
<p class="MsoNormal"> Session-ID: 4F9EE34EFA2F6305BBD46D6F367BFDC9F95580A7889D9E1FE91F0F79BA86701F<o:p></o:p></p>
<p class="MsoNormal"> Session-ID-ctx: <o:p></o:p></p>
<p class="MsoNormal"> Master-Key: F741F597EFC3C837CE52546CC455FFFEBC0F18CCBC74CFB4BE7F1AE3C85EEB9065C39AE50CC525A33C5BD6CCF3D2483A<o:p></o:p></p>
<p class="MsoNormal"> Key-Arg : None<o:p></o:p></p>
<p class="MsoNormal"> PSK identity: None<o:p></o:p></p>
<p class="MsoNormal"> PSK identity hint: None<o:p></o:p></p>
<p class="MsoNormal"> SRP username: None<o:p></o:p></p>
<p class="MsoNormal"> Start Time: 1461875411<o:p></o:p></p>
<p class="MsoNormal"> Timeout : 300 (sec)<o:p></o:p></p>
<p class="MsoNormal"> Verify return code: 21 (unable to verify the first certificate)<o:p></o:p></p>
<p class="MsoNormal">---<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Squid.conf:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Access Lists<o:p></o:p></p>
<p class="MsoNormal">acl internal src 192.168.200.0/21<o:p></o:p></p>
<p class="MsoNormal">acl wireless src 192.168.100.0/23<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Ports allowed through Squid<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 80<o:p></o:p></p>
<p class="MsoNormal">acl Safe_ports port 443<o:p></o:p></p>
<p class="MsoNormal">acl SSL_ports port 443<o:p></o:p></p>
<p class="MsoNormal">acl CONNECT method CONNECT<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#acls from blacklist<o:p></o:p></p>
<p class="MsoNormal">acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl"<o:p></o:p></p>
<p class="MsoNormal">acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl"<o:p></o:p></p>
<p class="MsoNormal">acl china dst -n "/etc/squid3/acls/ccd-china.acl"<o:p></o:p></p>
<p class="MsoNormal">acl india dst -n "/etc/squid3/acls/ccd-india.acl"<o:p></o:p></p>
<p class="MsoNormal">acl iran dst -n "/etc/squid3/acls/ccd-iran.acl"<o:p></o:p></p>
<p class="MsoNormal">acl nigeria dst -n "/etc/squid3/acls/ccd-nigeria.acl"<o:p></o:p></p>
<p class="MsoNormal">acl pakistan dst -n "/etc/squid3/acls/ccd-nigeria.acl"<o:p></o:p></p>
<p class="MsoNormal">acl romania dst -n "/etc/squid3/acls/ccd-romania.acl"<o:p></o:p></p>
<p class="MsoNormal">acl russia dst -n "/etc/squid3/acls/ccd-russia.acl"<o:p></o:p></p>
<p class="MsoNormal">acl syria dst -n "/etc/squid3/acls/ccd-syria.acl"<o:p></o:p></p>
<p class="MsoNormal">acl ukraine dst -n "/etc/squid3/acls/ccd-ukraine.acl"<o:p></o:p></p>
<p class="MsoNormal">acl uzbekistan dst -n "/etc/squid3/acls/ccd-uzbekistan.acl"<o:p></o:p></p>
<p class="MsoNormal">acl ips dst -n "/etc/squid3/acls/broken_ips.acl"<o:p></o:p></p>
<p class="MsoNormal">acl blocked dstdomain -i "/etc/squid3/acls/http_blocked.acl"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#allow/deny<o:p></o:p></p>
<p class="MsoNormal">http_access allow allowed<o:p></o:p></p>
<p class="MsoNormal">http_access allow ips<o:p></o:p></p>
<p class="MsoNormal">http_access deny blocked<o:p></o:p></p>
<p class="MsoNormal">http_access deny prime<o:p></o:p></p>
<p class="MsoNormal">http_access deny china<o:p></o:p></p>
<p class="MsoNormal">http_access deny india<o:p></o:p></p>
<p class="MsoNormal">http_access deny iran<o:p></o:p></p>
<p class="MsoNormal">http_access deny nigeria<o:p></o:p></p>
<p class="MsoNormal">http_access deny pakistan<o:p></o:p></p>
<p class="MsoNormal">http_access deny romania<o:p></o:p></p>
<p class="MsoNormal">http_access deny russia<o:p></o:p></p>
<p class="MsoNormal">http_access deny syria<o:p></o:p></p>
<p class="MsoNormal">http_access deny ukraine<o:p></o:p></p>
<p class="MsoNormal">http_access deny uzbekistan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">http_access allow internal<o:p></o:p></p>
<p class="MsoNormal">http_access allow wireless<o:p></o:p></p>
<p class="MsoNormal">http_access deny !Safe_ports<o:p></o:p></p>
<p class="MsoNormal">http_access deny CONNECT !SSL_ports<o:p></o:p></p>
<p class="MsoNormal">http_access deny all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Bumping<o:p></o:p></p>
<p class="MsoNormal">acl step1 at_step SslBump1<o:p></o:p></p>
<p class="MsoNormal">acl step2 at_step SslBump2<o:p></o:p></p>
<p class="MsoNormal">acl step3 at_step SslBump3<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#ssl_bump peek all<o:p></o:p></p>
<p class="MsoNormal">ssl_bump peek !broken_sites<o:p></o:p></p>
<p class="MsoNormal">ssl_bump splice all<o:p></o:p></p>
<p class="MsoNormal">#ssl_bump splice !broken_sites<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">sslproxy_capath /etc/ssl/certs<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">sslcrtd_program /lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB<o:p></o:p></p>
<p class="MsoNormal">sslcrtd_children 32 startup=5 idle=1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#access_log syslog:daemon.info mine<o:p></o:p></p>
<p class="MsoNormal">#access_log daemon:/var/log/squid3/test.log mine<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#intercept<o:p></o:p></p>
<p class="MsoNormal">http_port 3128 intercept<o:p></o:p></p>
<p class="MsoNormal">https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#nameservers<o:p></o:p></p>
<p class="MsoNormal">dns_nameservers 192.168.201.1 8.8.8.8<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#WCCPv2 items<o:p></o:p></p>
<p class="MsoNormal">wccp_version 2<o:p></o:p></p>
<p class="MsoNormal">wccp2_router 192.168.200.73<o:p></o:p></p>
<p class="MsoNormal">wccp2_forwarding_method gre<o:p></o:p></p>
<p class="MsoNormal">wccp2_return_method gre<o:p></o:p></p>
<p class="MsoNormal">wccp2_service standard 0 password=LNP1<o:p></o:p></p>
<p class="MsoNormal">wccp2_service dynamic 70 password=LNP1<o:p></o:p></p>
<p class="MsoNormal">wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Bruce Markey</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> | Network Security Analyst</span><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"ITC Galliard Std";color:#0070C0">S</span><span style="font-size:10.0pt;font-family:"ITC Galliard Std";color:#0070C0">TEINMAN</span><span style="font-family:"ITC Galliard Std";color:#0070C0"> C</span><span style="font-size:10.0pt;font-family:"ITC Galliard Std";color:#0070C0">OMMUNICATIONS</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">717.291.8758 (o)
</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#993366">| </span><u><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#0563C1">bmarkey@steinmancommunications.com</span></u><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">8 West King St</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> | PO Box 1328,</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">
Lancaster, PA 17608-1328<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>