<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi ,<div class="">i have squid that is working on 3.5 .</div><div class=""><p class="MsoNormal">traffic of t 80 and 443 traffic to Squid via IPTables.</p><p class="MsoNormal">Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic and PKI has been setup and distributed to all clients.<o:p class=""></o:p></p><p class="MsoNormal">we have a problem in Skype of Business (Office 365) and Slack (Chat app) seems its broken from squid intercept.</p><div class="">current versions we have :</div><div class=""><p class="MsoListParagraphCxSpFirst" style="text-indent: -0.25in;"><span class="" style="font-family: Symbol;">·<span class="" style="font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span>Squid 3.5.19<o:p class=""></o:p></p><p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"><span class="" style="font-family: Symbol;">·<span class="" style="font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span>C-ICAP 0.4.2<o:p class=""></o:p></p><p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"><span class="" style="font-family: Symbol;">·<span class="" style="font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span>SquidclamAV 6.15<o:p class=""></o:p></p><p class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"><span class="" style="font-family: Symbol;">·<span class="" style="font-size: 7pt; line-height: normal; font-family: 'Times New Roman';"> </span></span>ClamAV 0.99.2<o:p class=""></o:p></p><p class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;">=====================</p><p class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"><font color="#001e57" class=""> here is squid.conf :</font></p><div class=""><div class=""><font color="#001e57" class=""># Example rule allowing access from your local networks.</font></div><div class=""><font color="#001e57" class=""># Adapt to list your (internal) IP networks from where browsing</font></div><div class=""><font color="#001e57" class=""># should be allowed</font></div><div class=""><font color="#001e57" class="">acl localnet src 10.0.0.0/8<span class="Apple-tab-span" style="white-space: pre;"> </span># RFC1918 possible internal network</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""># Example rule allowing access from your local networks.</font></div><div class=""><font color="#001e57" class=""># Adapt localnet in the ACL section to list your (internal) IP networks</font></div><div class=""><font color="#001e57" class=""># from where browsing should be allowed</font></div><div class=""><font color="#001e57" class="">http_access allow localnet</font></div><div class=""><font color="#001e57" class="">http_access allow localhost</font></div><div class=""><font color="#001e57" class="">http_access allow localhost manager</font></div><div class=""><font color="#001e57" class="">http_access deny manager</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""># Squid normally listens to port 3128</font></div><div class=""><font color="#001e57" class="">http_port 3127</font></div><div class=""><font color="#001e57" class="">http_port 3128 intercept</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">coredump_dir /var/cache/squid</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">visible_hostname test1</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">cache_log /opt/var/log/squid/cache_log</font></div><div class=""><font color="#001e57" class="">cache_access_log /opt/var/log/squid/access_log</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">cache_effective_user squid</font></div><div class=""><font color="#001e57" class="">cache_effective_group squid</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">icap_enable on</font></div><div class=""><font color="#001e57" class="">icap_send_client_ip on</font></div><div class=""><font color="#001e57" class="">icap_service service_req reqmod_precache bypass=1 <a href="icap://127.0.0.1:1344/squidclamav" class="">icap://127.0.0.1:1344/squidclamav</a></font></div><div class=""><font color="#001e57" class="">adaptation_access service_req allow all</font></div><div class=""><font color="#001e57" class="">icap_service service_resp respmod_precache bypass=1 <a href="icap://127.0.0.1:1344/squidclamav" class="">icap://127.0.0.1:1344/squidclamav</a></font></div><div class=""><font color="#001e57" class="">adaptation_access service_resp allow all</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">acl test-header dstdomain<span class="Apple-tab-span" style="white-space: pre;"> </span><a href="http://test.com" class="">test.com</a></font></div><div class=""><font color="#001e57" class="">request_header_add X-TEST-GUID TEST test-header</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">#Custom Error Pages</font></div><div class=""><font color="#001e57" class="">error_directory /opt/www/squid</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""># Squid listen Port</font></div><div class=""><font color="#001e57" class="">https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""># SSL Bump Config</font></div><div class=""><font color="#001e57" class="">always_direct allow all</font></div><div class=""><font color="#001e57" class="">ssl_bump server-first all </font></div><div class=""><font color="#001e57" class="">sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB</font></div><div class=""><font color="#001e57" class="">sslcrtd_children 32 startup=5 idle=1</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</font></div><div class=""><font color="#001e57" class="">sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS</font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class=""><br class=""></font></div><div class=""><font color="#001e57" class="">cache_dir aufs /var/cache/squid 40000 16 256</font></div><div class=""><font color="#001e57" class="">store_dir_select_algorithm round-robin</font></div><div class=""><font color="#001e57" class="">minimum_object_size 0 KB</font></div><div class=""><font color="#001e57" class="">maximum_object_size 96 MB</font></div><div class=""><font color="#001e57" class="">memory_pools off</font></div><div class=""><font color="#001e57" class="">quick_abort_min 0 KB</font></div><div class=""><font color="#001e57" class="">quick_abort_max 0 KB</font></div><div class=""><font color="#001e57" class="">log_icp_queries off</font></div><div class=""><font color="#001e57" class="">client_db off</font></div><div class=""><font color="#001e57" class="">cache_mem 1500 MB</font></div><div class=""><font color="#001e57" class="">buffered_logs on</font></div><div class=""><font color="#001e57" class="">half_closed_clients off</font></div><div class=""><font color="#001e57" class="">dns_nameservers 10.192.0.1</font></div></div><div class="">=======================================================</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><font face="Times" class="" style="font-size: 14px;"><b class="">i think the best is we ACLs setup to bypass the interception for these applications like Skype of Business (Office 365) and Slack (Chat app) .</b></font></div><div class=""><font face="Times" class="" style="font-size: 14px;"><b class=""><br class=""></b></font></div><div class=""><font face="Times" class="" style="font-size: 14px;"><b class=""><br class=""></b></font></div><div class=""><font face="Times" class="" style="font-size: 14px;"><b class="">thank you </b></font></div></div></div></body></html>