<div dir="ltr"><div>Hi all, thanks to Rafael and Amos, I've been able to set up a Squid proxy with a MikroTik. SSL bumping is enabled on Squid and I have connected it to GreasySpoon for content adaptation, but I can't be sure if SSL bumping is working because I only see adapted content over HTTP and not HTTPS.</div><div><br></div><div>Here is my squid.conf:</div><div>cache_effective_user proxy<br>
acl localnet src 10.0.0.0/24<br>
acl localnet src 172.16.0.0/12<br>
acl localnet src 192.168.0.0/16<br>
acl localnet src fc00::/7<br>
acl localnet src fe80::/10<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80          # http<br>
acl Safe_ports port 21          # ftp<br>
acl Safe_ports port 443         # https<br>
acl Safe_ports port 70          # gopher<br>
acl Safe_ports port 210         # wais<br>
acl Safe_ports port 1025-65535  # unregistered ports<br>
acl Safe_ports port 280         # http-mgmt<br>
acl Safe_ports port 488         # gss-http<br>
acl Safe_ports port 591         # filemaker<br>
acl Safe_ports port 777         # multiling http<br>
acl CONNECT method CONNECT<br>
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem<br>
http_port 3126 intercept<br>
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
http_access allow localnet<br>
http_access allow localhost<br>
http_access deny all<br>
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid_ssldb -M 4MB<br>
acl step1 at_step SslBump1<br>
acl step2 at_step SslBump2<br>
acl step3 at_step SslBump3<br>
ssl_bump peek step1 all<br>
ssl_bump bump all<br>
ssl_bump bump ssl_force_bump<br>
ssl_bump splice localhost<br>
acl ssl_error_domains dstdomain "/opt/websafety/etc/squid/ssl/error/domains.conf"<br>
acl ssl_error_ips     dst       "/opt/websafety/etc/squid/ssl/error/ips.conf"<br>
acl ssl_error_ips     dst       "/opt/websafety/etc/squid/ssl/error/subnets.conf"<br>
sslproxy_cert_error allow ssl_error_domains<br>
sslproxy_cert_error allow ssl_error_ips<br>
shutdown_lifetime 10 seconds<br>
adaptation_access greasyspoon allow all<br>
visible_hostname proxy.example.lan<br>
acl cache_exclude_domainname dstdomain "/opt/websafety/etc/squid/cache/exclude/domain_name.conf"<br>
acl cache_exclude_domainaddr dst       "/opt/websafety/etc/squid/cache/exclude/domain_ip.conf"<br>
acl cache_exclude_domainaddr dst       "/opt/websafety/etc/squid/cache/exclude/domain_subnet.conf"<br>
acl cache_exclude_domainaddr dst       "/opt/websafety/etc/squid/cache/exclude/domain_range.conf"<br>
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_ip.conf"<br>
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_subnet.conf"<br>
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_range.conf"<br>
acl cache_exclude_useragent   browser -i    "/opt/websafety/etc/squid/cache/exclude/user_agent.conf"<br>
acl cache_exclude_schedule    time          "/opt/websafety/etc/squid/cache/exclude/schedule.conf"<br>
cache deny cache_exclude_domainname<br>
cache deny cache_exclude_domainaddr<br>
cache deny cache_exclude_useraddr<br>
cache deny cache_exclude_useragent<br>
cache deny cache_exclude_schedule<br>
acl cache_exclude_contenttype rep_mime_type "/opt/websafety/etc/squid/cache/exclude/content_type.conf"<br>
send_hit deny cache_exclude_contenttype<br>
store_miss deny cache_exclude_contenttype<br>
refresh_pattern ^ftp:           1440    20%     10080<br>
refresh_pattern ^gopher:        1440    0%      1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0<br>
refresh_pattern .               0       20%     4320<br>
cache_replacement_policy lru<br>
minimum_object_size 0 KB<br>
maximum_object_size 4096 KB<br>
dns_timeout 30 seconds<br>
dns_v4_first on<br>
icap_enable on<br>
icap_preview_enable off<br>
icap_preview_size 2048<br>
icap_persistent_connections on<br>
adaptation_send_client_ip on<br>
adaptation_send_username on<br>
icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response bypass=0<br>
cache_mem 256 MB<br>
maximum_object_size_in_memory 512 KB<br>
memory_replacement_policy lru<br>
forwarded_for on<br>
forward_max_tries 25</div><div><br></div><div>Here is part of my access.log:</div><div><div>1540473704.606   1021 10.0.0.250 TAG_NONE/200 0 CONNECT 52.97.133.226:443 - HIER_NONE/- -<br>
1540473711.552 465997 10.0.0.254 TCP_TUNNEL/200 4350 CONNECT outlook.office365.com:443 - ORIGINAL_DST/52.97.131.242 -<br>
1540473711.552 163713 10.0.0.254 TCP_TUNNEL/200 4320 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -<br>
1540473711.552 163689 10.0.0.254 TCP_TUNNEL/200 4231 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -<br></div><div><br></div><div>And part of my cache.log:</div><div>2018/10/25 11:36:21 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 22 flags=9<br>
2018/10/25 11:36:21 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3126 remote=[::] FD 23 flags=41<br>
2018/10/25 11:36:21 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 24 flags=41<br>
2018/10/25 11:36:22 kid1| storeLateRelease: released 0 objects<br>
2018/10/25 11:42:08| Squid is already running!  Process ID 3497<br>
2018/10/25 11:46:20| Squid is already running!  Process ID 3497<br>
2018/10/25 11:46:24| Squid is already running!  Process ID 3497<br>
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39627 FD 39 flags=33 (local IP does not match any domain IP)<br>
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443<br>
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39628 FD 39 flags=33 (local IP does not match any domain IP)<br>
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443<br>
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39629 FD 39 flags=33 (local IP does not match any domain IP)</div><div><br></div><div>Please, I don't know if traffic is being bumped correctly, as I only see adapted content over HTTP. Thanks for the anticipated help.</div></div><div><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Nebedum Uchenna<br></div></div></div></div>
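As an added example, not code from the post, the Squid project or GreasySpoon: a small Python triage script that parses access.log entries in the format shown above (the sample includes one constructed line of what a successfully bumped request looks like, a GET with an https:// URL) and pairs each cache.log forgery alert with the URL Squid reported, so you can count how many TLS connections were actually decrypted versus relayed as TCP_TUNNEL to ORIGINAL_DST. It assumes Squid's native access.log format and that an alert and its "on URL" line are adjacent, as they are in the excerpt.

```python
import re
from collections import Counter

# Constructed samples modelled on the access.log / cache.log excerpts in the post; the last
# access.log line is constructed to show a bumped request: a decrypted GET with an https:// URL.
ACCESS_LOG = """\
1540473704.606   1021 10.0.0.250 TAG_NONE/200 0 CONNECT 52.97.133.226:443 - HIER_NONE/- -
1540473711.552 465997 10.0.0.254 TCP_TUNNEL/200 4350 CONNECT outlook.office365.com:443 - ORIGINAL_DST/52.97.131.242 -
1540473711.552 163713 10.0.0.254 TCP_TUNNEL/200 4320 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -
1540473720.101    512 10.0.0.254 TCP_MISS/200 8821 GET https://www.example.com/ - ORIGINAL_DST/203.0.113.10 text/html
"""
CACHE_LOG = """\
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39627 FD 39 flags=33 (local IP does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39628 FD 39 flags=33 (local IP does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
"""

# Squid native log format: time elapsed client status/code bytes method url user hier/peer type
ACCESS_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\w+)/(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\w+)/(\S+)\s+(\S+)$")

def classify(line):
    """Say what Squid did with the TLS connection behind one access.log entry."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    client, status, method, url, hier = m.group(3), m.group(4), m.group(7), m.group(8), m.group(10)
    if method != "CONNECT" and url.startswith("https://"):
        verdict = "bumped"        # decrypted request: respmod adaptation can see it
    elif status == "TCP_TUNNEL":
        verdict = "tunneled"      # opaque bytes relayed to the original server, nothing adapted
    elif hier == "HIER_NONE":
        verdict = "no_upstream"   # CONNECT logged but no server contacted and no bytes relayed
    else:
        verdict = "other"
    return {"client": client, "url": url, "verdict": verdict}

def forgery_alerts(cache_text):
    """Count 'Host header forgery' alerts per URL; each is a TLS connection Squid relays unbumped."""
    hits = Counter()
    lines = cache_text.splitlines()
    for a, b in zip(lines, lines[1:]):
        if "Host header forgery detected" in a and "SECURITY ALERT: on URL:" in b:
            hits[b.split("on URL:", 1)[1].strip()] += 1
    return hits

def summarize(access_text=ACCESS_LOG, cache_text=CACHE_LOG):
    verdicts = Counter(e["verdict"] for e in map(classify, access_text.splitlines()) if e)
    return {"verdicts": dict(verdicts), "forgery": dict(forgery_alerts(cache_text))}
```

A connection Squid flags as host-header forgery (the IP the client connected to is not among the addresses the proxy's own resolver returns for the SNI) is relayed without being bumped, so nothing from it reaches respmod adaptation; the usual remedy is to give the clients and the proxy the same DNS resolver. Note also that ssl_bump rules are first-match, so in the posted list `ssl_bump bump all` is reached before `ssl_bump splice localhost`.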