[squid-users] Squid 3.4.8 with ssl-bump config.
Tony Peña
emperor.cu at gmail.com
Thu May 21 09:50:28 UTC 2015
Hi again..
now the compilation works ok.. but I have issues with the https sites.
squid starts ok... but I can't see the https sites in the browser... I
made the certificate... and put myCA.der on the Windows client
I tested it with:
1- ssl-bump server-first all
2- ssl-bump client-first all
testing the acl with and without...
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow TrustedName
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all
and nothing, I can't see https sites like mail.yahoo.com or facebook.com
the browser keeps putting out
ERROR SSL CONNECTION
ERR_SSL_PROTOCOL
I rebuilt /var/spool/squid_ssldb again many times
and the logs keep saying...
1432201755.569 0 172.16.1.20 TAG_NONE/400 3640 Z%19%98%A50%D7%AD%19%AB%1E - HIER_NONE/- text/html
1432201756.077 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.078 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.085 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.090 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.094 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.381 1 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.383 1 172.16.1.20 TAG_NONE/400 3616 v%C9%F0O%C9%E6%BB%A1%D2 - HIER_NONE/- text/html
1432201756.391 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.395 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.399 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.662 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.663 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.670 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.675 0 172.16.1.20 TAG_NONE/400 3672 %05%D5%846S/%60%E5&e@%60%D5=%CA%27%E5%E7 - HIER_NONE/- text/html
1432201756.680 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
here is my config
----------------------------------
# squid3 -k parse
2015/05/21 05:42:10| Startup: Initializing Authentication Schemes ...
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'basic'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'digest'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'negotiate'
2015/05/21 05:42:10| Startup: Initialized Authentication Scheme 'ntlm'
2015/05/21 05:42:10| Startup: Initialized Authentication.
2015/05/21 05:42:10| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/05/21 05:42:10| Processing: http_port 172.16.1.10:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem
2015/05/21 05:42:10| Starting Authentication on port 172.16.1.10:3128
2015/05/21 05:42:10| Disabling Authentication on port 172.16.1.10:3128 (interception enabled)
2015/05/21 05:42:10| Processing: hostname_aliases debian-template.ctimegroup.local
2015/05/21 05:42:10| Processing: visible_hostname debian-template
2015/05/21 05:42:10| Processing: hierarchy_stoplist cgi-bin ?
2015/05/21 05:42:10| Processing: acl QUERY urlpath_regex cgi-bin \?
2015/05/21 05:42:10| Processing: no_cache deny QUERY
2015/05/21 05:42:10| Processing: cache_mem 1024 MB
2015/05/21 05:42:10| Processing: cache_replacement_policy heap LFUDA
2015/05/21 05:42:10| Processing: cache_dir aufs /var/spool/squid3 4096 16 256
2015/05/21 05:42:10| Processing: cache_log /var/log/squid3/cache.log
2015/05/21 05:42:10| Processing: cache_store_log none
2015/05/21 05:42:10| Processing: cache_effective_user proxy
2015/05/21 05:42:10| Processing: cache_effective_group proxy
2015/05/21 05:42:10| Processing: maximum_object_size 1024 KB
2015/05/21 05:42:10| Processing: prefer_direct on
2015/05/21 05:42:10| Processing: ftp_user anonymous at proxy.sld.cu
2015/05/21 05:42:10| Processing: negative_ttl 5 minutes
2015/05/21 05:42:10| Processing: positive_dns_ttl 6 hours
2015/05/21 05:42:10| Processing: negative_dns_ttl 5 minutes
2015/05/21 05:42:10| Processing: coredump_dir /var/spool/squid3
2015/05/21 05:42:10| Processing: shutdown_lifetime 3 seconds
2015/05/21 05:42:10| Processing: logfile_rotate 10
2015/05/21 05:42:10| Processing: access_log /var/log/squid3/access.log squid
2015/05/21 05:42:10| Processing: half_closed_clients off
2015/05/21 05:42:10| Processing: strip_query_terms on
2015/05/21 05:42:10| Processing: refresh_pattern ^ftp: 1440 20% 10080
2015/05/21 05:42:10| Processing: refresh_pattern ^gopher: 1440 0% 1440
2015/05/21 05:42:10| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2015/05/21 05:42:10| Processing: refresh_pattern . 0 20% 4320
2015/05/21 05:42:10| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
2015/05/21 05:42:10| Processing: acl SSL_ports port 443 8443 12048 2083
2015/05/21 05:42:10| Processing: acl Safe_ports port 440-442 # http
2015/05/21 05:42:10| Processing: acl Safe_ports port 443
2015/05/21 05:42:10| Processing: acl Safe_ports port 80 # http
2015/05/21 05:42:10| Processing: acl Safe_ports port 21 # ftp
2015/05/21 05:42:10| Processing: acl Safe_ports port 443 # https, snews
2015/05/21 05:42:10| Processing: acl Safe_ports port 1025-8081 # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 8082-9999 # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 10001-65535 # unregistered ports
2015/05/21 05:42:10| Processing: acl Safe_ports port 280 # http-mgmt
2015/05/21 05:42:10| Processing: acl CONNECT method CONNECT
2015/05/21 05:42:10| Processing: acl localhost src 192.168.207.51 172.16.1.10
2015/05/21 05:42:10| Processing: http_access allow localhost
2015/05/21 05:45:51| Processing: ssl_bump server-first all
2015/05/21 05:42:10| Processing: sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
2015/05/21 05:42:10| Processing: sslcrtd_children 50 startup=1 idle=1
2015/05/21 05:42:10| Processing: acl TrustedName url_regex ^ https://www.facebook.com
2015/05/21 05:42:10| Processing: acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
2015/05/21 05:42:10| Processing: sslproxy_cert_error allow TrustedName
2015/05/21 05:42:10| Processing: sslproxy_cert_error allow BadSite
2015/05/21 05:42:10| Processing: sslproxy_cert_error deny all
2015/05/21 05:42:10| Processing: acl network src 172.16.1.0/24 192.168.207.0/24
2015/05/21 05:42:10| Processing: http_access allow network
2015/05/21 05:42:10| Processing: acl purge method PURGE
2015/05/21 05:42:10| Processing: http_access deny !Safe_ports
2015/05/21 05:42:10| Processing: http_access deny CONNECT !SSL_ports
2015/05/21 05:42:10| Processing: http_access deny all
2015/05/21 05:42:10| Processing: always_direct allow all
2015/05/21 05:42:10| Processing: forward_max_tries 25
2015/05/21 05:42:10| Processing: never_direct allow all
2015/05/21 05:42:10| Processing: max_filedesc 16384
2015/05/21 05:42:10| Processing: dns_nameservers 8.8.8.8
2015/05/21 05:42:10| Processing: dns_nameservers 8.8.4.4
2015/05/21 05:42:10| Processing: positive_dns_ttl 8 hours
2015/05/21 05:42:10| Processing: negative_dns_ttl 30 seconds
2015/05/21 05:42:10| Initializing https proxy context
2015/05/21 05:42:10| Initializing http_port 172.16.1.10:3128 SSL context
2015/05/21 05:42:10| Using certificate in /etc/squid3/ssl/myCA.pem
any idea?
thanks
--
Antonio Peña
Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
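An added example, not code from the post or from the Squid project: a small Python checker that parses Squid's native access.log format and counts, per client, the TAG_NONE/400 entries whose request could not be parsed (URL error:invalid-request, or a percent-encoded binary "method"), which is the pattern in the log above. Entries of that shape mean bytes that are not HTTP reached that listening port, which in an interception setup usually points at port-443 traffic arriving on a plain http_port rather than an https_port; the sample log lines below are constructed, modelled on the post's, and the hostname and peer address in them are placeholders.

```python
from collections import Counter
from typing import NamedTuple
from urllib.parse import unquote_to_bytes

# Constructed sample in Squid native log format, modelled on the post above:
# time elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1432201756.077 0 172.16.1.20 TAG_NONE/400 4056 NONE error:invalid-request - HIER_NONE/- text/html
1432201756.383 1 172.16.1.20 TAG_NONE/400 3616 v%C9%F0O%C9%E6%BB%A1%D2 - HIER_NONE/- text/html
1432201760.000 12 172.16.1.21 TCP_MISS/200 5120 GET http://example.test/ - HIER_DIRECT/192.0.2.10 text/html
1432201761.000 3 172.16.1.21 TCP_TUNNEL/200 0 CONNECT example.test:443 - HIER_DIRECT/192.0.2.10 -
"""

class Entry(NamedTuple):
    ts: float
    client: str
    status: str  # e.g. "TAG_NONE/400"
    method: str  # "GET", "NONE", or percent-encoded garbage
    url: str

def parse_line(line: str) -> Entry:
    """Split one native-format line into the fields we need."""
    f = line.split()
    if len(f) < 7:
        raise ValueError(f"short access.log line: {line!r}")
    return Entry(float(f[0]), f[2], f[3], f[5], f[6])

def method_has_binary(method: str) -> bool:
    """True if the logged method decodes to bytes outside printable ASCII.

    Squid %XX-escapes unsafe bytes when it logs them (as in the post's
    log), and a real HTTP method token never contains such bytes."""
    return any(b < 0x21 or b > 0x7E for b in unquote_to_bytes(method))

def is_non_http(e: Entry) -> bool:
    """TAG_NONE/400 with no parsable request line: the client sent bytes
    that are not HTTP (for example a TLS handshake) to this http_port."""
    if e.status != "TAG_NONE/400":
        return False
    return e.url == "error:invalid-request" or method_has_binary(e.method)

def non_http_by_client(log_text: str) -> Counter:
    """Count suspected non-HTTP hits per client address."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return Counter(e.client for e in entries if is_non_http(e))

if __name__ == "__main__":
    print(non_http_by_client(SAMPLE_LOG))
```

Run it against the real file with non_http_by_client(open("/var/log/squid3/access.log").read()): a client that only ever produces these entries on the ssl-bump port has never delivered a parsable request there.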