<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">I found it <div><br></div><div><div># TAG: sslproxy_cert_sign</div><div>#</div><div># sslproxy_cert_sign <signing algorithm> acl ...</div><div>#</div><div># The following certificate signing algorithms are supported:</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span> signTrusted</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>Sign using the configured CA certificate which is usually</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>placed in and trusted by end-user browsers. This is the</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>default for trusted origin server certificates.</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span> signUntrusted</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>This is the default for untrusted origin server certificates</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>that are not self-signed (see ssl::certUntrusted).</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span> signSelf</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>Sign using a self-signed certificate with the right CN to</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>browser. This is the default for self-signed origin server</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>certificates (see ssl::certSelfSigned).</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>This clause only supports fast acl types.</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>When sslproxy_cert_sign acl(s) match, Squid uses the corresponding</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>signing algorithm to generate the certificate and ignores all</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>subsequent sslproxy_cert_sign options (the first match wins). If no</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>acl(s) match, the default signing algorithm is determined by errors</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>detected when obtaining and validating the origin server certificate.</div><div>#</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>be used with sslproxy_cert_adapt, but if and only if Squid is bumping a</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>CONNECT request that carries a domain name. In all other cases (CONNECT</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>to an IP address or an intercepted SSL connection), Squid cannot detect</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>the domain mismatch at certificate generation time when</div><div>#<span class="Apple-tab-span" style="white-space:pre"> </span>bump-server-first is used.</div><div>#Default:</div><div># none</div><div><br></div><div>in Squid.conf I have nothing with that detective. </div><div><br></div><div>Yes I am using SSL bump with this configuration..</div><div><br></div><div><br></div><div><div># This file is automatically generated by pfSense</div><div># Do not edit manually !</div><div><br></div><div>http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</div><div><br></div><div>http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</div><div><br></div><div>https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</div><div><br></div><div>icp_port 0</div><div>digest_generation off</div><div>dns_v4_first on</div><div>pid_filename /var/run/squid/squid.pid</div><div>cache_effective_user squid</div><div>cache_effective_group proxy</div><div>error_default_language en</div><div>icon_directory /usr/local/etc/squid/icons</div><div>visible_hostname Lee_Family.home.arpa</div><div>cache_mgr jonathanlee571@gmail.com</div><div>access_log /var/squid/logs/access.log</div><div>cache_log /var/squid/logs/cache.log</div><div>cache_store_log none</div><div>netdb_filename /var/squid/logs/netdb.state</div><div>pinger_enable on</div><div>pinger_program /usr/local/libexec/squid/pinger</div><div>sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048</div><div>tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt</div><div>tls_outgoing_options capath=/usr/local/share/certs/</div><div>tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</div><div>tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS</div><div>sslcrtd_children 10</div><div><br></div><div>logfile_rotate 7</div><div>debug_options rotate=7</div><div>shutdown_lifetime 3 seconds</div><div># Allow local network(s) on interface(s)</div><div>acl localnet src 192.168.1.0/27</div><div>forwarded_for transparent</div><div>httpd_suppress_version_string on</div><div>uri_whitespace strip</div><div>dns_nameservers 127.0.0.1 </div><div>acl block_hours time 00:30-05:00</div><div>ssl_bump terminate all block_hours</div><div>http_access deny all block_hours</div><div>acl getmethod method GET</div><div>acl to_ipv6 dst ipv6</div><div>acl from_ipv6 src ipv6</div><div><br></div><div>#tls_outgoing_options options=0x40000</div><div>#request_header_access Accept-Ranges deny all</div><div>#reply_header_access Accept-Ranges deny all</div><div>#request_header_replace Accept-Ranges none</div><div>#reply_header_replace Accept-Ranges none</div><div><br></div><div><br></div><div>tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS</div><div>tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE</div><div><br></div><div>acl HttpAccess dstdomain "/usr/local/pkg/http.access"</div><div>acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"</div><div>acl rewritedoms dstdomain "/usr/local/pkg/desdom"</div><div><br></div><div>#store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt</div><div>#store_id_children 10 startup=5 idle=1 concurrency=0</div><div>#always_direct allow all</div><div>#store_id_access deny connect</div><div>#store_id_access deny !getmethod</div><div>#store_id_access allow rewritedoms</div><div>#store_id_access deny all</div><div><br></div><div>refresh_all_ims on</div><div>reload_into_ims on</div><div>max_stale 20 years</div><div>minimum_expiry_time 0</div><div><br></div><div>refresh_pattern -i ^http.*squid\.internal.* 43200 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth</div><div><br></div><div>#FACEBOOK</div><div>#refresh_pattern ^https.*.facebook.com/* 10080 80% 43200</div><div><br></div><div>#FACEBOOK IMAGES </div><div>#refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200</div><div>#refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 </div><div>#refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale</div><div>#refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200</div><div>#refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200</div><div>#refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200</div><div><br></div><div>#FACEBOOK VIDEO</div><div>#refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200</div><div>#refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200</div><div><br></div><div>#APPLE STUFF</div><div>refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 refresh-ims</div><div><br></div><div>#apple update</div><div>refresh_pattern -i (download|adcdownload).apple.com/.*\.(pkg|dmg) 4320 100% 43200</div><div>refresh_pattern -i appldnld\.apple\.com 129600 100% 129600</div><div>refresh_pattern -i phobos\.apple\.com 129600 100% 129600</div><div>refresh_pattern -i iosapps\.itunes\.apple\.com 129600 100% 129600</div><div><br></div><div># Updates: Windows</div><div>refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 refresh-ims</div><div>refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 refresh-ims</div><div>refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 refresh-ims</div><div>refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 </div><div>refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 </div><div>refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 </div><div>refresh_pattern -i .*windowsupdate.com/.*\.(cab|exe) 259200 100% 259200 </div><div>refresh_pattern -i .*update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 259200 100% 259200 </div><div>refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 </div><div>refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 </div><div>refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 </div><div>refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200 </div><div>refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*\.(cab|exe|dll|msi|psf) 4320 100% 43200</div><div>#windows update NEW UPDATE 0.04</div><div>refresh_pattern update.microsoft.com/.*\.(cab|exe) 43200 100% 129600 </div><div>refresh_pattern ([^.]+\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp|psf) 4320 100% 43200 </div><div>refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi|psf) 10080 100% 43200 </div><div>refresh_pattern -i \.update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600 </div><div>refresh_pattern -i \.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600 </div><div>refresh_pattern -i \.download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600 </div><div>refresh_pattern -i \.ws.microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600 </div><div> </div><div>#refresh_pattern ([^.]+\.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*\.* 43200 100% 43200 </div><div>#refresh_pattern ([^.]+\.)?.akamai.steamstatic.com/.*\.* 43200 100% 43200</div><div><br></div><div>#refresh_pattern -i ([^.]+\.)?.adobe.com/.*\.(zip|exe) 43200 100% 43200</div><div>#refresh_pattern -i ([^.]+\.)?.java.com/.*\.(zip|exe) 43200 100% 43200</div><div>#refresh_pattern -i ([^.]+\.)?.sun.com/.*\.(zip|exe) 43200 100% 43200</div><div>#refresh_pattern -i ([^.]+\.)?.oracle.com/.*\.(zip|exe|tar.gz) 43200 100% 43200</div><div><br></div><div>refresh_pattern -i appldnld\.apple\.com 43200 100% 43200</div><div>refresh_pattern -i ([^.]+\.)?apple.com/.*\.(ipa) 43200 100% 43200</div><div> </div><div>refresh_pattern -i ([^.]+\.)?.google.com/.*\.(exe|crx) 10080 80% 43200</div><div>refresh_pattern -i ([^.]+\.)?g.static.com/.*\.(exe|crx) 10080 80% 43200</div><div><br></div><div>acl https_login url_regex -i ^https.*(login|Login).*</div><div>cache deny https_login</div><div><br></div><div>range_offset_limit 512 MB windowsupdate</div><div>range_offset_limit 4 MB</div><div>range_offset_limit 0</div><div>quick_abort_min -1 KB</div><div><br></div><div>cache_mem 64 MB</div><div>maximum_object_size_in_memory 256 KB</div><div>memory_replacement_policy heap GDSF</div><div>cache_replacement_policy heap LFUDA</div><div>minimum_object_size 0 KB</div><div>maximum_object_size 512 MB</div><div>cache_dir diskd /var/squid/cache 64000 256 256</div><div>offline_mode off</div><div>cache_swap_low 90</div><div>cache_swap_high 95</div><div>acl donotcache dstdomain "/var/squid/acl/donotcache.acl"</div><div>cache deny donotcache</div><div>cache allow all</div><div># Add any of your own refresh_pattern entries above these.</div><div>refresh_pattern ^ftp: 1440 20% 10080</div><div>refresh_pattern ^gopher: 1440 0% 1440</div><div>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0</div><div>refresh_pattern . 0 20% 4320</div><div><br></div><div><br></div><div>#Remote proxies</div><div><br></div><div><br></div><div># Setup some default acls</div><div># ACLs all, manager, localhost, and to_localhost are predefined.</div><div>acl allsrc src all</div><div>acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535 </div><div>acl sslports port 443 563 8080 5223 2197</div><div><br></div><div>acl purge method PURGE</div><div>acl connect method CONNECT</div><div><br></div><div># Define protocols used for redirects</div><div>acl HTTP proto HTTP</div><div>acl HTTPS proto HTTPS</div><div><br></div><div># SslBump Peek and Splice</div><div># http://wiki.squid-cache.org/Features/SslPeekAndSplice</div><div># http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</div><div># Match against the current step during ssl_bump evaluation [fast]</div><div># Never matches and should not be used outside the ssl_bump context.</div><div>#</div><div># At each SslBump step, Squid evaluates ssl_bump directives to find</div><div># the next bumping action (e.g., peek or splice). Valid SslBump step</div><div># values and the corresponding ssl_bump evaluation moments are:</div><div># SslBump1: After getting TCP-level and HTTP CONNECT info.</div><div># SslBump2: After getting TLS Client Hello info.</div><div># SslBump3: After getting TLS Server Hello info.</div><div># These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that</div><div># they can be used there for custom configuration.</div><div>acl step1 at_step SslBump1</div><div>acl step2 at_step SslBump2</div><div>acl step3 at_step SslBump3</div><div>acl banned_hosts src "/var/squid/acl/banned_hosts.acl"</div><div>acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"</div><div>acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"</div><div>http_access allow manager localhost</div><div><br></div><div>http_access deny manager</div><div>http_access allow purge localhost</div><div>http_access deny purge</div><div>http_access deny !safeports</div><div>http_access deny CONNECT !sslports</div><div><br></div><div># Always allow localhost connections</div><div>http_access allow localhost</div><div><br></div><div>quick_abort_min 0 KB</div><div>quick_abort_max 0 KB</div><div>quick_abort_pct 95</div><div>request_body_max_size 0 KB</div><div>delay_pools 1</div><div>delay_class 1 2</div><div>delay_parameters 1 -1/-1 -1/-1</div><div>delay_initial_bucket_level 100</div><div>delay_access 1 allow allsrc</div><div><br></div><div># Reverse Proxy settings</div><div><br></div><div>deny_info TCP_RESET allsrc</div><div><br></div><div># Package Integration</div><div>url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf</div><div>url_rewrite_bypass off</div><div>url_rewrite_children 32 startup=8 idle=4 concurrency=0</div><div><br></div><div># Custom options before auth</div><div>#host_verify_strict on</div><div><br></div><div># These hosts are banned</div><div>http_access deny banned_hosts</div><div># Always allow access to whitelist domains</div><div>http_access allow whitelist</div><div># Block access to blacklist domains</div><div>http_access deny blacklist</div><div># List of domains allowed to logging in to Google services</div><div>request_header_access X-GoogApps-Allowed-Domains deny all</div><div>request_header_add X-GoogApps-Allowed-Domains consumer_accounts</div><div># Set YouTube safesearch restriction</div><div>acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com</div><div>request_header_access YouTube-Restrict deny all</div><div>request_header_add YouTube-Restrict none youtubedst</div><div>acl sglog url_regex -i sgr=ACCESSDENIED</div><div>http_access deny sglog</div><div># Custom SSL/MITM options before auth</div><div>cachemgr_passwd disable offline_toggle reconfigure shutdown</div><div>cachemgr_passwd redacted all</div><div>eui_lookup on</div><div>acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?</div><div>acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat</div><div>acl CONNECT method CONNECT</div><div>acl wuCONNECT dstdomain www.update.microsoft.com</div><div>acl wuCONNECT dstdomain sls.microsoft.com</div><div>http_access allow CONNECT wuCONNECT localnet</div><div>http_access allow CONNECT wuCONNECT localhost</div><div>http_access allow windowsupdate localnet</div><div>http_access allow windowsupdate localhost</div><div>http_access allow HttpAccess localnet</div><div>http_access allow HttpAccess localhost</div><div>http_access deny manager</div><div>http_access deny to_ipv6</div><div>http_access deny from_ipv6</div><div><br></div><div>acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"</div><div>acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH</div><div>sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch</div><div>sslproxy_cert_error deny all</div><div><br></div><div>acl splice_only src 192.168.1.8 #Tasha iPhone</div><div>acl splice_only src 192.168.1.10 #Jon iPhone</div><div>acl splice_only src 192.168.1.11 #Amazon Fire</div><div>acl splice_only src 192.168.1.15 #Tasha HP</div><div>acl splice_only src 192.168.1.16 #iPad</div><div><br></div><div>acl splice_only_mac arp redacted</div><div>acl splice_only_mac arp redacted</div><div>acl splice_only_mac arp redacted</div><div>acl splice_only_mac arp redacted</div><div>acl splice_only_mac arp redacted</div><div><br></div><div>acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"</div><div>acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"</div><div><br></div><div>acl markBumped annotate_client bumped=true</div><div>acl active_use annotate_client active=true</div><div>acl bump_only src 192.168.1.3 #webtv</div><div>acl bump_only src 192.168.1.4 #toshiba</div><div>acl bump_only src 192.168.1.5 #imac</div><div>acl bump_only src 192.168.1.9 #macbook</div><div>acl bump_only src 192.168.1.13 #dell</div><div><br></div><div>acl bump_only_mac arp redacted redacted redacted</div><div>acl bump_only_mac arp </div><div>acl bump_only_mac arp </div><div>acl bump_only_mac arp </div><div>acl bump_only_mac arp </div><div><br></div><div>ssl_bump peek step1</div><div>miss_access deny no_miss active_use</div><div>ssl_bump splice https_login active_use</div><div>ssl_bump splice splice_only_mac splice_only active_use</div><div>ssl_bump splice NoBumpDNS active_use</div><div>ssl_bump splice NoSSLIntercept active_use</div><div>ssl_bump bump bump_only_mac bump_only active_use</div><div>acl activated note active_use true</div><div>ssl_bump terminate !activated</div><div><br></div><div>acl markedBumped note bumped true</div><div>url_rewrite_access deny markedBumped</div><div><br></div><div>#workers 3</div><div>read_ahead_gap 32 KB</div><div>#negative_ttl 1 second</div><div>#connect_timeout 30 seconds</div><div>#request_timeout 60 seconds</div><div>#half_closed_clients off</div><div>#shutdown_lifetime 10 seconds</div><div>#negative_dns_ttl 1 seconds</div><div>#ignore_unknown_nameservers on</div><div>#client_persistent_connections off</div><div>#server_persistent_connections off</div><div>#pipeline_prefetch 100</div><div><br></div><div>#acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"</div><div>#ssl_bump bump SSLIntercept</div><div><br></div><div># Setup allowed ACLs</div><div># Allow local network(s) on interface(s)</div><div>http_access allow localnet</div><div># Default block all to be sure</div><div>http_access deny allsrc</div><div><br></div><div>icap_enable on</div><div>icap_send_client_ip on</div><div>icap_send_client_username on</div><div>icap_client_username_encode off</div><div>icap_client_username_header X-Authenticated-User</div><div>icap_preview_enable on</div><div>icap_preview_size 1024</div><div><br></div><div>icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off</div><div>adaptation_access service_avi_req allow all</div><div>icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on</div><div>adaptation_access service_avi_resp allow all</div></div><div><br></div><div><br></div><div>I see nothing with that derivative I also added my firewalls cert a bit ago as an extra cert but it had no affect on the errors..</div><div><br></div><div>So would I use this directive like this</div><div><br></div><div><p style="margin: 0px; font-style: normal; font-variant-caps: normal; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Courier; font-size-adjust: none; font-kerning: auto; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; color: rgb(23, 23, 23);"><span style="font-kerning: none; background-color: #ffffff"> sslproxy_cert_sign signTrusted </span><span style="font-style: normal; font-variant-caps: normal; font-stretch: normal; line-height: normal; font-family: Helvetica; font-size-adjust: none; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; font-kerning: none; color: rgb(0, 0, 0);">bump_only_mac</span></p><p style="margin: 0px; font-style: normal; font-variant-caps: normal; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Courier; font-size-adjust: none; font-kerning: auto; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; color: rgb(23, 23, 23);"><span style="font-style: normal; font-variant-caps: normal; font-stretch: normal; line-height: normal; font-family: Helvetica; font-size-adjust: none; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; font-kerning: none; color: rgb(0, 0, 0);"><br></span></p><p style="margin: 0px; font-style: normal; font-variant-caps: normal; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Courier; font-size-adjust: none; font-kerning: auto; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; color: rgb(23, 23, 23);"><span style="font-style: normal; font-variant-caps: normal; font-stretch: normal; line-height: normal; font-family: Helvetica; font-size-adjust: none; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; font-kerning: none; color: rgb(0, 0, 0);">with bump only mac as my ACL? the reference does not really show a good example of use it explains it well </span></p><p style="margin: 0px; font-style: normal; font-variant-caps: normal; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Courier; font-size-adjust: none; font-kerning: auto; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; color: rgb(23, 23, 23);"><span style="font-style: normal; font-variant-caps: normal; font-stretch: normal; line-height: normal; font-family: Helvetica; font-size-adjust: none; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-variant-emoji: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; font-kerning: none; color: rgb(0, 0, 0);"><br></span></p><pre style="font-family: courier; padding: 15px; caret-color: rgb(30, 30, 30); color: rgb(30, 30, 30); font-size: 12px;"> sslproxy_cert_sign <signing algorithm> acl ...
The following certificate signing algorithms are supported:
signTrusted
Sign using the configured CA certificate which is usually
placed in and trusted by end-user browsers. This is the
default for trusted origin server certificates.
signUntrusted
Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
This is the default for untrusted origin server certificates
that are not self-signed (see ssl::certUntrusted).
signSelf
Sign using a self-signed certificate with the right CN to
generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
browser. This is the default for self-signed origin server
certificates (see ssl::certSelfSigned).
This clause only supports fast acl types.
When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
signing algorithm to generate the certificate and ignores all
subsequent sslproxy_cert_sign options (the first match wins). If no
acl(s) match, the default signing algorithm is determined by errors
detected when obtaining and validating the origin server certificate.
WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
CONNECT request that carries a domain name. In all other cases (CONNECT
to an IP address or an intercepted SSL connection), Squid cannot detect
the domain mismatch at certificate generation time when
bump-server-first is used.
</pre><p style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Courier; font-size-adjust: none; font-kerning: auto; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; color: rgb(23, 23, 23);"><span style="font-stretch: normal; line-height: normal; font-family: Helvetica; font-size-adjust: none; font-variant-alternates: normal; font-variant-ligatures: normal; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-position: normal; font-feature-settings: normal; font-optical-sizing: auto; font-variation-settings: normal; font-kerning: none; color: rgb(0, 0, 0);"><br class="Apple-interchange-newline"></span></p></div><div><br></div><div><br></div><div><br><blockquote type="cite"><div>On Jul 4, 2024, at 09:56, Alex Rousskov <rousskov@measurement-factory.com> wrote:</div><br class="Apple-interchange-newline"><div><div>On 2024-07-04 12:11, Jonathan Lee wrote:<br><blockquote type="cite">failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128<br>SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417<br></blockquote><br>A000417 is an "unknown CA" alert sent by client to Squid while the client is trying to establish a TLS connection to/through Squid. The client does not trust the Certificate Authority that signed the certificate that was used for that TLS connection.<br><br>As the next step in triage, I recommend determining what that CA is in these cases (e.g., by capturing raw TLS packets and matching them with connection information from A000417 error messages in cache.log or %err_detail in access.log).<br><br>If you use SslBump for port 3128 traffic, then one of the possibilities here is that Squid is using an unknown-to-client CA to report an origin server that Squid itself does not trust (see signUntrusted in squid.conf.documented). In those cases, logging a level-1 ERROR is a Squid bug because that expected/desirable outcome should be treated as success (and a successful TLS accept treated as an error!).<br><br><br>HTH,<br><br>Alex.<br>P.S. For free Squid support, please keep the discussion on the mailing list.<br><br><br><blockquote type="cite">Is my main concern however I use the squid guard URL blocker<br>Sent from my iPhone<br><blockquote type="cite">On Jul 4, 2024, at 07:41, Alex Rousskov <rousskov@measurement-factory.com> wrote:<br><br>On 2024-07-03 13:56, Jonathan Lee wrote:<br><blockquote type="cite">Hello fellow Squid users does anyone know how to fix this issue?<br></blockquote><br>I counted about eight different "issues" in your cache.log sample. Most of them are probably independent. I recommend that you explicitly pick _one_, search mailing list archives for previous discussions about it, and then provide as many details about it as you can (e.g., what traffic causes it and/or matching access.log records).<br><br><br>HTH,<br><br>Alex.<br><br><br><blockquote type="cite">Squid - Cache Logs<br>Date-Time Message<br>31.12.1969 16:00:00<br>03.07.2024 10:54:34 kick abandoning conn7853 local=192.168.1.1:3128 remote=192.168.1.5:49710 FD 89 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:54:29 kick abandoning conn7844 local=192.168.1.1:3128 remote=192.168.1.5:49702 FD 81 flags=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7648 local=192.168.1.1:3128 remote=192.168.1.5:49672 FD 44 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7647 local=192.168.1.1:3128 remote=192.168.1.5:49670 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:54:09 ERROR: failure while accepting a TLS connection on conn7646 local=192.168.1.1:3128 remote=192.168.1.5:49668 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:53:04 ERROR: failure while accepting a TLS connection on conn7367 local=192.168.1.1:3128 remote=192.168.1.5:49627 FD 22 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:52:47 ERROR: failure while accepting a TLS connection on conn7345 local=192.168.1.1:3128 remote=192.168.1.5:49618 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:52:38 ERROR: failure while accepting a TLS connection on conn7340 local=192.168.1.1:3128 remote=192.168.1.5:49616 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:52:34 ERROR: failure while accepting a TLS connection on conn7316 local=192.168.1.1:3128 remote=192.168.1.5:49609 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:51:55 WARNING: Error Pages Missing Language: en-us<br>31.12.1969 16:00:00<br>03.07.2024 10:51:55 ERROR: loading file 9;/usr/local/etc/squid/errors/en-us/ERR_ZERO_SIZE_OBJECT': (2) No such file or directory<br>03.07.2024 10:51:44 ERROR: failure while accepting a TLS connection on conn7102 local=192.168.1.1:3128 remote=192.168.1.5:49574 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:51:28 ERROR: failure while accepting a TLS connection on conn7071 local=192.168.1.1:3128 remote=192.168.1.5:49568 FD 92 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:50:29 ERROR: failure while accepting a TLS connection on conn6944 local=192.168.1.1:3128 remote=192.168.1.5:49534 FD 101 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:49:54 ERROR: failure while accepting a TLS connection on conn6866 local=192.168.1.1:3128 remote=192.168.1.5:49519 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:49:38 ERROR: failure while accepting a TLS connection on conn6809 local=192.168.1.1:3128 remote=192.168.1.5:49503 FD 31 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:49:32 ERROR: system call failure while accepting a TLS connection on conn6794 local=192.168.1.1:3128 remote=192.168.1.5:49496 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=54<br>03.07.2024 10:49:24 ERROR: failure while accepting a TLS connection on conn6776 local=192.168.1.1:3128 remote=192.168.1.5:49481 FD 137 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6440 local=192.168.1.1:3128 remote=192.168.1.5:49424 FD 16 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:49 ERROR: failure while accepting a TLS connection on conn6445 local=192.168.1.1:3128 remote=192.168.1.5:49426 FD 34 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:22 ERROR: failure while accepting a TLS connection on conn6035 local=192.168.1.1:3128 remote=192.168.1.5:49355 FD 226 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5887 local=192.168.1.1:3128 remote=192.168.1.5:49318 FD 33 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5875 local=192.168.1.1:3128 remote=192.168.1.5:49312 FD 216 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:48:09 ERROR: failure while accepting a TLS connection on conn5876 local=192.168.1.1:3128 remote=192.168.1.5:49314 FD 217 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:47:57 ERROR: failure while accepting a TLS connection on conn5815 local=192.168.1.1:3128 remote=192.168.1.5:49297 FD 201 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:54 ERROR: failure while accepting a TLS connection on conn5760 local=192.168.1.1:3128 remote=192.168.1.5:49289 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:52 ERROR: failure while accepting a TLS connection on conn5717 local=192.168.1.1:3128 remote=192.168.1.5:49284 FD 195 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:47:50 ERROR: failure while accepting a TLS connection on conn5552 local=192.168.1.1:3128 remote=192.168.1.5:49268 FD 142 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:34 kick abandoning conn5254 local=192.168.1.1:3128 remote=192.168.1.5:49209 FD 100 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:21 kick abandoning conn5022 local=192.168.1.1:3128 remote=192.168.1.5:49167 FD 37 flags=1<br>31.12.1969 16:00:00<br>03.07.2024 10:47:21 kick abandoning conn5020 local=192.168.1.1:3128 remote=192.168.1.5:49165 FD 36 flags=1<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>03.07.2024 10:42:22 WARNING: Forwarding loop detected for:<br>03.07.2024 10:40:08 ERROR: failure while accepting a TLS connection on conn4955 local=192.168.1.1:3128 remote=192.168.1.5:52339 FD 98 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>31.12.1969 16:00:00<br>03.07.2024 10:39:52 kick abandoning conn4927 local=192.168.1.1:3128 remote=192.168.1.5:52331 FD 105 flags=1<br>03.07.2024 10:39:09 ERROR: failure while accepting a TLS connection on conn4846 local=192.168.1.1:3128 remote=192.168.1.5:52314 FD 19 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:38:14 ERROR: failure while accepting a TLS connection on conn4650 local=192.168.1.1:3128 remote=192.168.1.5:52274 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1<br>03.07.2024 10:38:08 ERROR: failure while accepting a TLS connection on conn4645 local=192.168.1.1:3128 remote=192.168.1.5:52272 FD 35 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR=1<br>03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_ECDH_USE<br>03.07.2024 10:38:04 ERROR: Unsupported TLS option SINGLE_DH_USE<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>31.12.1969 16:00:00<br>_______________________________________________<br>squid-users mailing list<br>squid-users@lists.squid-cache.org<br>https://lists.squid-cache.org/listinfo/squid-users<br></blockquote><br></blockquote></blockquote><br></div></div></blockquote></div><br></div></body></html>