[squid-users] Config audit for 3.5.3
James Lay
jlay at slave-tothe-box.net
Fri Apr 24 12:50:46 UTC 2015
Hey all.
Topic says it... I'm running squid-3.5.3-20150420-r13802 and wanted to
see if there's anything glaring that I'm missing/have misconfigured. My
setup: squid is running on a router, one NIC external, one NIC
internal. This is running as a transparent proxy with iptables doing a
redirect to ports 3128 and 3129. Config below:
#############################################################
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl broken_sites dst 96.16.0.0/15
<others redacted>
acl broken_sites dst 54.160.0.0/12
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow allowed_sites
http_access allow broken_sites
http_access deny all_others
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all
sslproxy_options ALL
acl p3129 myportname 3129
acl step1 at_step SslBump1
ssl_bump peek step1
#ssl_bump splice broken_sites
ssl_bump bump p3129
http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
always_direct allow all
logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
access_log syslog:daemon.info common
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /opt/var
#############################################################
My goal has been to at least get the domain logged on any https access,
but alas some sites show:
Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200 401 TCP_TUNNEL:ORIGINAL_DST -
Thanks for the look-see... trying to keep current.
James
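As an added example, not part of James's post or of Squid itself, the following Python script parses lines written by the `common` logformat in the config above (as delivered through syslog, with the `hostname (squid-1):` prefix seen in the excerpt) and reports the exact condition the post describes: a CONNECT that was tunnelled to a bare IP literal with an empty `%ssl::>cert_subject`, meaning the proxy never learned a hostname for that HTTPS session. Only the first sample line is from the post; the other lines, the `SAMPLE_LOG` name and all function names are constructed for this illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches one line of the posted "common" logformat:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
# optionally preceded by a syslog header such as "Apr 24 06:39:32 gateway (squid-1): ".
# The cert subject is taken greedily because it may contain spaces (e.g. "/O=Example Inc").
LOG_RE = re.compile(
    r'^(?:\S+ +\d+ \d\d:\d\d:\d\d \S+ \([^)]*\): )?'  # optional syslog prefix (assumed shape)
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<code>[A-Z_]+):(?P<hier>[A-Z_]+)'
    r'(?: (?P<cert_subject>.*))?$'
)


@dataclass
class Entry:
    client: str
    method: str
    url: str
    status: int
    code: str          # Squid result code, e.g. TCP_TUNNEL
    hier: str          # hierarchy code, e.g. ORIGINAL_DST
    cert_subject: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Entry(
        client=m["client"], method=m["method"], url=m["url"],
        status=int(m["status"]), code=m["code"], hier=m["hier"],
        cert_subject=m["cert_subject"],
    )


def destination_host(url: str) -> str:
    """Host part of a CONNECT target (host:port) or of an absolute URL (IPv4/hostnames only)."""
    if "://" in url:
        url = url.split("://", 1)[1].split("/", 1)[0]
    host, sep, port = url.rpartition(":")
    return host if sep and port.isdigit() else url


def is_ip_literal(host: str) -> bool:
    """True when the destination is an address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def unnamed_tls_tunnels(lines: Iterable[str]) -> List[Entry]:
    """CONNECT entries tunnelled to a bare IP with no certificate subject logged.

    These are the sessions for which the proxy recorded neither an SNI-derived
    host nor a server certificate subject, i.e. the domain is not in the log.
    """
    found = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "CONNECT":
            continue
        no_subject = e.cert_subject in (None, "", "-")
        if no_subject and is_ip_literal(destination_host(e.url)):
            found.append(e)
    return found


# Constructed sample log: line 1 is the excerpt from the post, the rest are made up.
SAMPLE_LOG = [
    'Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:39:32 -0600] '
    '"CONNECT 216.58.216.162:443 HTTP/1.1" 200 401 TCP_TUNNEL:ORIGINAL_DST -',
    'Apr 24 06:40:01 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:40:01 -0600] '
    '"CONNECT example.com:443 HTTP/1.1" 200 3122 TCP_TUNNEL:ORIGINAL_DST /CN=example.com',
    'Apr 24 06:40:05 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:40:05 -0600] '
    '"GET http://example.com/ HTTP/1.1" 200 512 TCP_MISS:ORIGINAL_DST -',
    'Apr 24 06:40:09 gateway (squid-1): unparseable line kept to show error handling',
]

if __name__ == "__main__":
    for e in unnamed_tls_tunnels(SAMPLE_LOG):
        print(f"{e.client} -> {e.url}: {e.code}:{e.hier}, no hostname or cert subject logged")
```

Run against a real file with `unnamed_tls_tunnels(open("/var/log/squid-access.log"))`; the hits are the sessions worth examining when deciding whether the `peek` step is reaching those destinations at all.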