<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>Doing the change below works. I can now access ebay.fr through
the raspberry pi.<br>
</p>
<p>Best regards,</p>
<p>JF<br>
</p>
<div class="moz-cite-prefix">Le 04/01/2021 à 13:04,
<a class="moz-txt-link-abbreviated" href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a> a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:000801d6e291$b5f42520$21dc6f60$@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Try as test to remove:<o:p></o:p></p>
<p class="MsoNormal">ssl_bump terminate all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ie use only the next bump rules:<o:p></o:p></p>
<p class="MsoNormal">### START<o:p></o:p></p>
<p class="MsoNormal"># TLS/SSL bumping definitions<o:p></o:p></p>
<p class="MsoNormal">acl tls_s1_connect at_step SslBump1<o:p></o:p></p>
<p class="MsoNormal">acl tls_s2_client_hello at_step SslBump2<o:p></o:p></p>
<p class="MsoNormal">acl tls_s3_server_hello at_step SslBump3<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ssl_bump peek tls_s1_connect<o:p></o:p></p>
<p class="MsoNormal">ssl_bump splice all<br>
### END<o:p></o:p></p>
<p class="MsoNormal">The above is from an example at ufdbguard
manual.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Let me know if you are still having issues
in full splice mode.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Eliezer<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">----<o:p></o:p></p>
<p class="MsoNormal">Eliezer Croitoru<o:p></o:p></p>
<p class="MsoNormal">Tech Support<o:p></o:p></p>
<p class="MsoNormal">Mobile: +972-5-28704261<o:p></o:p></p>
<p class="MsoNormal">Email: <a
href="mailto:ngtech1ltd@gmail.com" moz-do-not-send="true">ngtech1ltd@gmail.com</a><o:p></o:p></p>
<p class="MsoNormal">Zoom: Coming soon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> jean francois hasson
<a class="moz-txt-link-rfc2396E" href="mailto:jfhasson@club-internet.fr"><jfhasson@club-internet.fr></a> <br>
<b>Sent:</b> Monday, January 4, 2021 8:51 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:ngtech1ltd@gmail.com">ngtech1ltd@gmail.com</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] Setting up a transparent
http and https proxy server using squid 4.6<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi,<o:p></o:p></p>
<p>Thank you for looking at my question.<o:p></o:p></p>
<p>I dowloaded the squid 4.6 source code from <a
href="http://ftp.debian.org/debian/pool/main/s/squid/"
moz-do-not-send="true">http://ftp.debian.org/debian/pool/main/s/squid/</a>
and selected squid_4.6.orig.tar.gz,
squid_4.6-1+deb10u4.debian.tar.xz and squid_4.6-1+deb10u4.dsc.
I modified the debian/rules file by adding to
DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl,
--enable-ssl and --enable-ssl-crtd.<o:p></o:p></p>
<p>The squid -v output is :<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Squid Cache: Version 4.6<br>
Service Name: squid<br>
Raspbian linux<br>
<br>
This binary uses OpenSSL 1.0.2q 20 Nov 2018. For legal
restrictions on distribution see <a
href="https://www.openssl.org/source/license.html"
moz-do-not-send="true">https://www.openssl.org/source/license.html</a><br>
<br>
configure options: '--build=arm-linux-gnueabihf'
'--prefix=/usr' '--includedir=${prefix}/include'
'--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid'
'--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2
-fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security
-Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++'
'--with-build-environment=default'
'--enable-build-info=Raspbian linux'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man'
'--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,SMB_LM'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-eui'
'--enable-esi' '--enable-icmp' '--enable-zph-qos'
'--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--with-gnutls' '--with-openssl'
'--enable-ssl' '--enable-ssl-crtd'
'--enable-linux-netfilter' 'build_alias=arm-linux-gnueabihf'
'CC=arm-linux-gnueabihf-gcc' 'CFLAGS=-g -O2
-fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security
-Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed
-latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2
-fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security'<o:p></o:p></p>
</blockquote>
<p>When I run openssl version I get 1.1.1d.<o:p></o:p></p>
<p>I hope it helps.<o:p></o:p></p>
<p>Best regards,<o:p></o:p></p>
<p>JF<o:p></o:p></p>
<div>
<p class="MsoNormal">Le 03/01/2021 à 21:55, <a
href="mailto:ngtech1ltd@gmail.com" moz-do-not-send="true">ngtech1ltd@gmail.com</a>
a écrit :<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hey,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am missing a bit of the context, like:<o:p></o:p></p>
<p class="MsoNormal">Did you self compiled squid? Is it from
the OS repository?<o:p></o:p></p>
<p class="MsoNormal">Squid -v might help a bit to understand
what you do have enabled in your Squid.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Eliezer<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">----<o:p></o:p></p>
<p class="MsoNormal">Eliezer Croitoru<o:p></o:p></p>
<p class="MsoNormal">Tech Support<o:p></o:p></p>
<p class="MsoNormal">Mobile: +972-5-28704261<o:p></o:p></p>
<p class="MsoNormal">Email: <a
href="mailto:ngtech1ltd@gmail.com"
moz-do-not-send="true">ngtech1ltd@gmail.com</a><o:p></o:p></p>
<p class="MsoNormal">Zoom: Coming soon<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> squid-users <a
href="mailto:squid-users-bounces@lists.squid-cache.org"
moz-do-not-send="true"><squid-users-bounces@lists.squid-cache.org></a>
<b>On Behalf Of </b>jean francois hasson<br>
<b>Sent:</b> Thursday, December 31, 2020 11:10 AM<br>
<b>To:</b> <a
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> [squid-users] Setting up a transparent
http and https proxy server using squid 4.6<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>Hi,<o:p></o:p></p>
<p>I am trying to create for my home network a transparent
proxy to implement filtering rules based on website names
mainly.<o:p></o:p></p>
<p>I have been looking at using a Raspberry pi 3B+ running pi
OS. I configured it to be a Wifi access point using RaspAP
quick install. The Wifi network on which the filtering
option is to be implemented is with IP 10.3.141.xxx. The
router is at address 10.3.141.1.<o:p></o:p></p>
<p>I have the following squid.conf file which I tried to
create based on different mails, websites and blogs I read :<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>acl SSL_ports port 443 #https<br>
acl SSL_ports port 563 # snews<br>
acl SSL_ports port 873 # rsync<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
<br>
#Le réseau local<br>
acl LocalNet src 10.3.141.0/24<br>
<br>
acl bump_step1 at_step SslBump1<br>
acl bump_step2 at_step SslBump2<br>
acl bump_step3 at_step SslBump3<br>
<br>
#Définition des autorisations<br>
http_access deny !Safe_ports<br>
#http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
http_access allow localhost<br>
http_access allow LocalNet<br>
http_access deny all<br>
<br>
#Définition des ports d'écoute<br>
http_port 8080<br>
http_port 3128 intercept<br>
https_port 3129 intercept ssl-bump \<br>
tls-cert=/etc/squid/cert/example.crt \<br>
tls-key=/etc/squid/cert/example.key \<br>
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB<br>
<br>
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/var/lib/ssl_db -M 4MB<br>
sslcrtd_children 5<br>
<br>
ssl_bump peek all<br>
acl tls_whitelist ssl::server_name .example.com<br>
ssl_bump splice tls_whitelist<br>
ssl_bump terminate all<br>
<br>
coredump_dir /var/spool/squid<br>
<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
<br>
cache_dir ufs /cache 400 16 256<br>
cache_access_log /var/log/squid/access.log<br>
cache_effective_user proxy<o:p></o:p></p>
</blockquote>
<p>If I set up on a device connected to the access point a
proxy manually ie 10.3.141.1 on port 8080, I can access the
internet. If I put the following rules for iptables to use
in files rules.v4 :<o:p></o:p></p>
<p>*nat<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.3.141.1:3128<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT
--to-ports 3128<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT
--to-destination 10.3.141.1:3129<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT
--to-ports 3129<br>
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE<br>
COMMIT<br>
Now, if I remove the manual proxy configuration of the
device connected to the access point, I can't connect to the
internet. If I leave the manual proxy configuration it does
work and there is activity logged in
/var/log/squid/access.log.<o:p></o:p></p>
<p>Please let me know what might be wrong in my configuration
if possible.<o:p></o:p></p>
<p>Best regards,<o:p></o:p></p>
<p>JF<o:p></o:p></p>
<p> <o:p></o:p></p>
</blockquote>
</div>
</blockquote>
</body>
</html>