<div dir="ltr">Thanks, do you have a how-to for configuring a transparent proxy for HTTPS in the current Squid version or in old versions? I want to test it in my lab environment.<br><br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 23, 2018 at 16:32, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 08/23/2018 12:40 PM, Rodrigo Cunha wrote:<br>
> Squid does not work with transparent proxy in https,<br>
<br>
That statement is misleading or incorrect. Squid can be configured to<br>
successfully intercept HTTPS traffic in many environments. Intercepted<br>
TLS traffic can then be inspected and spliced (or even bumped to the<br>
HTTP level where possible and necessary).<br>
<br>
<br>
> that request is processed directly in your browser for security<br>
> policies.<br>
<br>
Yes, but so is every request, including HTTPS requests that go through<br>
proxy/CONNECT tunnels. Intercepting proxies do not change much compared<br>
to forward proxies as far as browser HTTPS policies are concerned.<br>
Browsers consider them all to be (a part of) the untrusted internet<br>
between the client and the origin server.<br>
<br>
<br>
> If a server process requests https between client and server, that server<br>
> is a "man in the middle",<br>
<br>
The same applies to processing HTTPS requests that go through<br>
proxy/CONNECT tunnels. Both intercepting and forward proxies are men in<br>
the middle.<br>
<br>
<br>
I am writing this correction just to reduce confusion for others that<br>
might find this email thread later. This correction itself does not<br>
address the OP problem.<br>
<br>
<br>
Alex.<br>
<br>
<br>
> On Thu, Aug 23, 2018 at 10:42, Зубарев Александр Александрович<br>
> <<a href="mailto:a.zubarev@generium.ru" target="_blank">a.zubarev@generium.ru</a>> wrote:<br>
> <br>
> Thank you, Louis!<br>
> <br>
> Is there some workaround? Maybe I can put that kind of site without filtering?<br>
> <br>
> *From:* squid-users <<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>> *On Behalf Of* L.P.H. van Belle<br>
> *Sent:* Thursday, August 23, 2018 4:38 PM<br>
> *To:* <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> *Subject:* Re: [squid-users] Transparent squid configuration problem.<br>
> <br>
> I noticed the following: dig caa habr.com<br>
> ;; ANSWER SECTION:<br>
> habr.com. 3600 IN CAA 0 iodef "mailto:iodef@habr.com"<br>
> habr.com. 3600 IN CAA 0 issue "comodoca.com"<br>
> <br>
> So you can't bump this site, it's protecting its certificates with a CAA/DANE DNS record.<br>
> <br>
> Greetz,<br>
> <br>
> Louis<br>
> <br>
> ------------------------------------------------------------------------<br>
> <br>
> *From:* squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@lists.squid-cache.org</a>] *On Behalf Of* Зубарев Александр Александрович<br>
> *Sent:* Thursday, August 23, 2018 15:22<br>
> *To:* <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> *Subject:* [squid-users] Transparent squid configuration problem.<br>
> <br>
> Hi! I have some problems with the configuration of Squid.<br>
> <br>
> What I need:<br>
> <br>
> An http/https transparent proxy server based on Debian Stretch with some blacklisted and whitelisted domains.<br>
> <br>
> I've used many tutorials and the Squid wiki through the installation process and it almost works! But I have one last problem.<br>
> <br>
> When I tried to connect to some websites like <a href="https://habr.com" rel="noreferrer" target="_blank">https://habr.com</a>, I got HTTP ERROR 503. I've tried to find a solution on forums but no one helped me. I know the answer is simple and it's here, but I can't find it by myself.<br>
> <br>
> Here is my squid.conf, cache.log, access.log and iptables script.<br>
> <br>
> Please help! :)<br>
> <br>
> Squid.conf:<br>
> <br>
> dns_v4_first on<br>
> <br>
> acl network src 10.84.0.0/16<br>
> <br>
> acl SSL_ports port 443<br>
> acl Safe_ports port 80 # http<br>
> acl Safe_ports port 21 # ftp<br>
> acl Safe_ports port 443 # https<br>
> acl Safe_ports port 70 # gopher<br>
> acl Safe_ports port 210 # wais<br>
> acl Safe_ports port 1025-65535 # unregistered ports<br>
> acl Safe_ports port 280 # http-mgmt<br>
> acl Safe_ports port 488 # gss-http<br>
> acl Safe_ports port 591 # filemaker<br>
> acl Safe_ports port 777 # multiling http<br>
> acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here<br>
> acl CONNECT method CONNECT<br>
> <br>
> http_access deny blacklist<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
> <br>
> http_access allow all<br>
> <br>
> http_port 3130<br>
> <br>
> http_port 3128 intercept<br>
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem<br>
> <br>
> #always_direct allow all<br>
> ssl_bump server-first all<br>
> #sslproxy_cert_error deny all<br>
> #sslproxy_flags DONT_VERIFY_PEER<br>
> <br>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
> sslcrtd_children 8 startup=1 idle=1<br>
> <br>
> coredump_dir /var/spool/squid<br>
> <br>
> # Add any of your own refresh_pattern entries above these.<br>
> refresh_pattern ^ftp: 1440 20% 10080<br>
> refresh_pattern ^gopher: 1440 0% 1440<br>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> refresh_pattern . 0 20% 4320<br>
> <br>
> shutdown_lifetime 1 second<br>
> <br>
> cache.log:<br>
> <br>
> Maximum Resident Size: 123312 KB<br>
> Page faults with physical i/o: 7<br>
> 2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log<br>
> 2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log<br>
> 2018/08/23 16:19:27 kid1| Open FD UNSTARTED 6 DNS Socket IPv6<br>
> 2018/08/23 16:19:27 kid1| Open FD READ/WRITE 7 DNS Socket IPv4<br>
> 2018/08/23 16:19:27 kid1| Open FD UNSTARTED 10 IPC UNIX STREAM Parent<br>
> 2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.<br>
> 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid<br>
> 2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...<br>
> 2018/08/23 16:19:32 kid1| Service Name: squid<br>
> 2018/08/23 16:19:32 kid1| Process ID 1209<br>
> 2018/08/23 16:19:32 kid1| Process Roles: worker<br>
> 2018/08/23 16:19:32 kid1| With 65535 file descriptors available<br>
> 2018/08/23 16:19:32 kid1| Initializing IP Cache...<br>
> 2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6<br>
> 2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7<br>
> 2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf<br>
> 2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf<br>
> 2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf<br>
> 2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log<br>
> 2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log<br>
> 2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec<br>
> 2018/08/23 16:19:32 kid1| Store logging disabled<br>
> 2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects<br>
> 2018/08/23 16:19:32 kid1| Target number of buckets: 1008<br>
> 2018/08/23 16:19:32 kid1| Using 8192 Store buckets<br>
> 2018/08/23 16:19:32 kid1| Max Mem size: 262144 KB<br>
> 2018/08/23 16:19:32 kid1| Max Swap size: 0 KB<br>
> 2018/08/23 16:19:32 kid1| Using Least Load store dir selection<br>
> 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid<br>
> 2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.<br>
> 2018/08/23 16:19:32 kid1| HTCP Disabled.<br>
> 2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16<br>
> 2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0<br>
> 2018/08/23 16:19:32 kid1| Adaptation support is off.<br>
> 2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9<br>
> 2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41<br>
> 2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41<br>
> 2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...<br>
> 2018/08/23 16:19:32| pinger: ICMP socket opened.<br>
> 2018/08/23 16:19:32| pinger: ICMPv6 socket opened<br>
> 2018/08/23 16:19:32| Pinger exiting.<br>
> 2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects<br>
> <br>
> Accesslog:<br>
> <br>
> 1535030545.214 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html<br>
> 1535030545.442 608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -<br>
> 1535030545.442 617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -<br>
> 1535030545.717 422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -<br>
> 1535030545.879 36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html<br>
> 1535030546.522 77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -<br>
> 1535030546.623 95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -<br>
> 1535030546.625 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html<br>
> <br>
> Confidentiality notice: This e-mail transmission and any attachments included may contain confidential information. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reliance upon the content of this e-mail is strictly prohibited. If you have received this e-mail transmission in error, please notify sender by e-mail and then delete this message from your inbox.<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <br>
> <br>
> <br>
> -- <br>
> Regards,<br>
> Rodrigo da Silva Cunha<br>
> São Gonçalo, RJ - Brasil<br>
> <br>
> <br>
> <br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Regards,<br>Rodrigo da Silva Cunha<br></div><div>São Gonçalo, RJ - Brasil<br></div><div dir="ltr"><br></div></div></div></div></div></div>
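The access.log excerpt quoted in the thread above, run through an added Python example (not code from the thread or from the Squid project) that parses Squid's native log format and groups bumped requests per origin IP, so the habr.com 503s stand out as tunnels that opened but whose bumped GETs all failed. The regex assumes the default native format shown in the post; the sample lines are the ones the original poster quoted.

```python
import re
from collections import defaultdict

# Squid native access.log format, as quoted in the post:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one native-format line into a dict; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def summarize_bumping(lines):
    """Per (client, origin IP): how many intercepted tunnels opened (CONNECT/200),
    and how many bumped https:// requests inside them succeeded or got a 5xx."""
    stats = defaultdict(lambda: {"tunnels": 0, "ok": 0, "failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a native-format line
        key = (rec["client"], rec["peer"])
        if rec["method"] == "CONNECT":
            if rec["status"] == 200:
                stats[key]["tunnels"] += 1
        elif rec["url"].startswith("https://"):
            stats[key]["failed" if rec["status"] >= 500 else "ok"] += 1
    return dict(stats)

def failing_origins(lines):
    """Origins whose tunnel opened but every bumped request ended in a 5xx:
    the pattern the two habr.com 503 entries show in the post."""
    return sorted(peer for (_client, peer), s in summarize_bumping(lines).items()
                  if s["tunnels"] and s["failed"] and not s["ok"])

# The access.log lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = """\
1535030545.214 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442 608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442 617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717 422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879 36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522 77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623 95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
"""

if __name__ == "__main__":
    print("origins where bumping failed:", failing_origins(SAMPLE_LOG.splitlines()))
```

Note that CONNECT entries are written when the tunnel closes, so they can appear after the bumped requests they carried; grouping by (client, origin) rather than by log order is what makes the correlation hold.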