<div dir="ltr">sorry guys,<div><br></div><div>i was too hurry.</div><div>it doesn't work.</div><div>i've just passed thru NAT, i forgot to enable proxy in browser.</div><div>so i will dig deeper</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">чт, 18 окт. 2018 г. в 18:03, Timur Lagutenko <<a href="mailto:timur.lagutenko@gmail.com">timur.lagutenko@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">Dear friends,<div><br></div><div>I have good news!</div><div>i upgraded my openssl package from openssl-1.0.2 up to openssl111 (FreeBSD 11.2)</div><div>this action has resolved the issues with <a href="http://youtube.com" target="_blank">youtube.com</a> and some other sites.</div><div>now everything works perfect.</div><div><br></div><div>thank you very much for your attention!</div><div>best regards!</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">ср, 17 окт. 2018 г. в 10:37, Timur Lagutenko <<a href="mailto:timur.lagutenko@gmail.com" target="_blank">timur.lagutenko@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">I will try fresh installation of FreeBSD 11.2-RELEASE<div>And see how it works.</div><div>Maybe something was corrupted during upgrade.</div><div><br></div><div>Just FYI please look on my pf.conf and squid.conf:</div><div><br></div><div><br></div><div><div><font face="monospace, monospace"><b># cat /etc/pf.conf</b></font></div><div><font face="monospace, monospace">outif=re0 #outer interface</font></div><div><font face="monospace, monospace">inif=re1 #iner interface</font></div><div><font face="monospace, monospace">outip="(" $outif ")" #outer ip</font></div><div><font face="monospace, monospace">inip="(" $inif ")" #iner ip</font></div><div><font face="monospace, monospace">innw=$inif:network #iner network</font></div><div><font face="monospace, monospace">inbc=$inif:broadcast #iner broadcast</font></div><div><font face="monospace, monospace">bc="255.255.255.255" #anycast</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">set skip on lo0</font></div><div><font face="monospace, monospace">set block-policy drop</font></div><div><font face="monospace, monospace">scrub in all</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">nat on $outif from $innw to any -> $outip</font></div><div><font face="monospace, monospace">rdr on $inif proto {tcp,udp} from $innw to any port 123 -> $inip port 123</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">block log all</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">pass from $innw to $innw</font></div><div><span style="font-family:monospace,monospace"><br></span></div><div><span style="font-family:monospace,monospace"># this is my machine client ip</span></div><div><span style="font-family:monospace,monospace"># i have allowed full access form my PC</span></div><div><span style="font-family:monospace,monospace">pass from 192.168.0.104 to any</span><br></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># this 2 lines passes any traffic from gateway itself</font></div><div><font face="monospace, monospace">pass from $outip to any</font></div><div><font face="monospace, monospace">pass from $inip to any</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"># i don't know why but option "set skip on lo0" doesn't work</font></div><div><font face="monospace, monospace"># so i additionally pass the whole traffic thru loopback interface</font></div><div><font face="monospace, monospace">pass on lo0 from any to any</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">###########################################################################</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><div><b># cat /usr/local/etc/squid/squid.conf</b></div><div>visible_hostname "Squid on freebsd"</div><div>acl localnet src <a href="http://192.168.0.0/20" target="_blank">192.168.0.0/20</a> # RFC1918 possible internal network<br></div><div>shutdown_lifetime 5 seconds<br></div><div>access_log daemon:/var/log/squid/access.log squid<br></div><div><br></div><div>acl SSL_ports port 1-65535</div><div>acl Safe_ports port 1-65535</div><div>acl CONNECT method CONNECT</div><div><br></div><div>http_access deny !Safe_ports</div><div>http_access deny CONNECT !SSL_ports<br></div><div><br></div><div>http_access allow localnet manager<br></div><div>http_access deny manager</div><div><br></div><div>http_access deny to_localhost</div><div><br></div><div>#</div><div># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</div><div>#</div><div><br></div><div><br></div><div>acl baddom dstdomain <a href="http://ardownload.adobe.com" target="_blank">ardownload.adobe.com</a> <a href="http://agsupdate.adobe.com" target="_blank">agsupdate.adobe.com</a> \</div><div>.<a href="http://microsoft.com" target="_blank">microsoft.com</a> .<a href="http://windowsupdates.com" target="_blank">windowsupdates.com</a> .<a href="http://oneclient.sfx.ms" target="_blank">oneclient.sfx.ms</a> \</div><div>.<a href="http://windows.com" target="_blank">windows.com</a> .<a href="http://windowsupdate.com" target="_blank">windowsupdate.com</a></div><div><br></div><div>acl bdx dstdom_regex -n -i porn<br></div><div><br></div><div>http_access deny bdx<br></div><div>http_access deny baddom</div><div><br></div><div>http_access allow localnet</div><div>http_access allow localhost</div><div><br></div><div>http_access deny all</div><div><br></div><div>http_port <a href="http://192.168.0.254:3128" target="_blank">192.168.0.254:3128</a><br></div><div># in future i have plans for 3129 port</div><div># for now it simple listening additional port</div><div>http_port <a href="http://192.168.0.254:3129" target="_blank">192.168.0.254:3129</a></div><div> <br></div><div>cache_dir ufs /var/squid/cache 10240 8 16<br></div><div>maximum_object_size 4096 MB</div><div>coredump_dir /var/squid/cache<br></div><div><br></div><div>quick_abort_min -1 KB<br></div><div><br></div><div>refresh_pattern ^ftp: 1440 20% 10080</div><div>refresh_pattern ^gopher: 1440 0% 1440</div><div>refresh_pattern -i (/cgi-bin/) 0 0% 0</div><div>refresh_pattern . 0 20% 4320</div><div><br></div></font></div><div><font face="monospace, monospace"><br></font></div><div><br></div><div><br></div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">ср, 17 окт. 2018 г. в 10:06, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 17/10/18 5:17 PM, Timur Lagutenko wrote:<br>
> i'm sure that the issue is not related to firewall rules.<br>
> because if I pass traffic from client IP (using NAT, browser is not<br>
> configured to use proxy) it works.<br>
<br>
Ah, you said earlier that you did not have SSL-Bump features enabled.<br>
<br>
How are you intercepting the port 443 HTTPS traffic with NAT and<br>
converting it to port 80 or 3128 syntax HTTP for Squid to handle?<br>
<br>
Squid cannot MITM the "raw" port 443 TLS without SSL-Bump being configured.<br>
<br>
<br>
Also since it is a Google service it may not be using TCP port 443 at<br>
all. It may actually be performing their QUIC protocol instead of HTTPS.<br>
That has to be blocked entirely to be sure the proxy is actually<br>
receiving all the relevant traffic.<br>
<br>
<br>
<br>
> I think it is related to some SSL/TLS lib in the system.<br>
> Because today i've tried CLI browser - links.<br>
> Launching it directly from gateway (which has direct access to web), i<br>
> was able to browse any site in text mode.<br>
> Except youtube.<br>
> So i guess it is related to some missing ssl lib.<br>
> Could you please suggest how can i find all required libs for my squid?<br>
> <br>
<br>
If Squid starts without crashing the libs it has been compiled to use<br>
are present on your machine.<br>
<br>
If you built it yourself on the same machine, it only uses library<br>
features that machine had at time of the build - so maybe a rebuild is<br>
needed to get access to newer library features.<br>
<br>
When it comes to TLS though the library itself is doing the config parse<br>
and setup for crypto things. So Squid does not particularly need to even<br>
be configured to use features the library enables by default. Which<br>
usually includes the current industry-standard ciphers etc.<br>
<br>
<br>
If Squid accepts your config file and does not produce an ERROR or FATAL<br>
message when you run "squid -k parse" all the libs required to run your<br>
config have been compiled in and loaded.<br>
<br>
<br>
> # squid -v<br>
> Squid Cache: Version 3.5.28<br>
> Service Name: squid<br>
> <br>
> This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on<br>
> distribution see <a href="https://www.openssl.org/source/license.html" rel="noreferrer" target="_blank">https://www.openssl.org/source/license.html</a><br>
<br>
<br>
Your problem may be TLS/1.3 related. OpenSSL 1.0.* only supports a max<br>
of TLS/1.2. Squid-3.5 also only supports OpenSSL 1.0.* library.<br>
<br>
AFAIK, Google are one of the organizations heavily pushing TLS changes<br>
and bias their services towards forcing the latest crypto whenever they<br>
can. It is strange that others have not reported issues en-mass, so this<br>
is somewhat unlikely.<br>
<br>
<br>
Other admin mentioning similar behaviour with YouTube have turned out to<br>
be TLS restrictions that pretty much prohibit the weaker crypto Google<br>
services still allow and only let the very advanced ones (not supported<br>
by their Squid) work.<br>
<br>
But also those restrictions were done via SSL-Bump configs. Since you<br>
don't use SSL-Bump it is unlikely to be the same - which leaves us only<br>
with the network/firewall level issues as known things to look at.<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div></div>
</blockquote></div>