[squid-users] squid 3.5.4 and ssl-bump
Tony Peña
emperor.cu at gmail.com
Fri May 22 07:12:53 UTC 2015
Hi Amos...
OK, now I upgraded and recompiled everything again, from 3.4.8 to 3.5.4.
This is the conf:
root at debian-template:/usr/local/squid/sbin# ./squid -k parse
2015/05/22 03:08:17| Startup: Initializing Authentication Schemes ...
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'basic'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'digest'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'negotiate'
2015/05/22 03:08:17| Startup: Initialized Authentication Scheme 'ntlm'
2015/05/22 03:08:17| Startup: Initialized Authentication.
2015/05/22 03:08:17| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2015/05/22 03:08:17| Processing: http_port 172.16.1.10:3128
2015/05/22 03:08:17| Processing: https_port 172.16.1.10:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/myCA.pem cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
2015/05/22 03:08:17| Starting Authentication on port 172.16.1.10:3129
2015/05/22 03:08:17| Disabling Authentication on port 172.16.1.10:3129 (interception enabled)
2015/05/22 03:08:17| Processing: acl QUERY urlpath_regex cgi-bin \?
2015/05/22 03:08:17| Processing: no_cache deny QUERY
2015/05/22 03:08:17| Processing: access_log /var/log/squid3/access.log squid
2015/05/22 03:08:17| Processing: coredump_dir /var/spool/squid3
2015/05/22 03:08:17| Processing: refresh_pattern ^ftp: 1440 20% 10080
2015/05/22 03:08:17| Processing: refresh_pattern ^gopher: 1440 0% 1440
2015/05/22 03:08:17| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2015/05/22 03:08:17| Processing: refresh_pattern . 0 20% 4320
2015/05/22 03:08:17| Processing: cache_dir aufs /var/spool/squid3 4096 16 256
2015/05/22 03:08:17| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
2015/05/22 03:08:17| Processing: acl SSL_ports port 25 # Protocols
2015/05/22 03:08:17| Processing: acl SSL_ports port 110 # to can
2015/05/22 03:08:17| Processing: acl SSL_ports port 143 # allow hit
2015/05/22 03:08:17| Processing: acl SSL_ports port 465 # gmail account
2015/05/22 03:08:17| Processing: acl SSL_ports port 587 # on the
2015/05/22 03:08:17| Processing: acl SSL_ports port 993 # internet
2015/05/22 03:08:17| Processing: acl SSL_ports port 995 # behind a firewall
2015/05/22 03:08:17| Processing: acl SSL_ports port 443
2015/05/22 03:08:17| Processing: acl SSL_ports port 563
2015/05/22 03:08:17| Processing: acl Safe_ports port 80 # http
2015/05/22 03:08:17| Processing: acl Safe_ports port 21 # ftp
2015/05/22 03:08:17| Processing: acl Safe_ports port 443 # https
2015/05/22 03:08:17| Processing: acl Safe_ports port 70 # gopher
2015/05/22 03:08:17| Processing: acl Safe_ports port 210 # wais
2015/05/22 03:08:17| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2015/05/22 03:08:17| Processing: acl Safe_ports port 280 # http-mgmt
2015/05/22 03:08:17| Processing: acl Safe_ports port 488 # gss-http
2015/05/22 03:08:17| Processing: acl Safe_ports port 591 # filemaker
2015/05/22 03:08:17| Processing: acl Safe_ports port 777 # multiling http
2015/05/22 03:08:17| Processing: acl CONNECT method CONNECT
2015/05/22 03:08:17| Processing: acl purge method PURGE
2015/05/22 03:08:17| Processing: acl network src 172.16.1.0/24
2015/05/22 03:08:17| Processing: cache_mem 64 MB
2015/05/22 03:08:17| Processing: http_access allow manager localhost
2015/05/22 03:08:17| Processing: http_access deny manager
2015/05/22 03:08:17| Processing: http_access deny !Safe_ports
2015/05/22 03:08:17| Processing: http_access deny CONNECT !SSL_ports
2015/05/22 03:08:17| Processing: http_access allow localhost
2015/05/22 03:08:17| Processing: http_access allow network CONNECT
2015/05/22 03:08:17| Processing: http_access deny all
2015/05/22 03:08:17| Processing: ssl_bump server-first all
2015/05/22 03:08:17| Processing: sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
2015/05/22 03:08:17| Processing: sslproxy_version 3
2015/05/22 03:08:17| Processing: sslproxy_options ALL
2015/05/22 03:08:17| Processing: always_direct allow all
2015/05/22 03:08:17| Processing: never_direct allow all
2015/05/22 03:08:17| Processing: max_filedesc 16384
2015/05/22 03:08:17| Processing: dns_nameservers 8.8.8.8
2015/05/22 03:08:17| Processing: dns_nameservers 8.8.4.4
2015/05/22 03:08:17| Processing: positive_dns_ttl 8 hours
2015/05/22 03:08:17| Processing: negative_dns_ttl 30 seconds
2015/05/22 03:08:17| Initializing https proxy context
2015/05/22 03:08:17| Initializing https_port 172.16.1.10:3129 SSL context
2015/05/22 03:08:17| Using certificate in /etc/squid3/ssl/myCA.pem
And now the error is different.
I can't see any site, HTTP or HTTPS,
and the logs say...
1432278470.317 0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.320 0 172.16.1.20 TAG_NONE/400 2223 GET /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.323 0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278470.327 0 172.16.1.20 TAG_NONE/400 2223 GET /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278472.729 0 172.16.1.20 TAG_NONE/400 2193 GET /pki/crl/products/MicRooCerAut_2010-06-23.crl - HIER_NONE/- text/html
1432278477.871 0 172.16.1.20 TAG_NONE/400 2159 GET /pki/crl/products/WinPCA.crl - HIER_NONE/- text/html
1432278482.222 0 172.16.1.20 TAG_NONE/400 2333 POST /service/update2?cup2key=5:1028882439&cup2hreq=1beabeae3a9008aa500f171f3efd92cac82574e42989d76d9104766a07e2e021 - HIER_NONE/- text/html
1432278482.244 0 172.16.1.20 TAG_NONE/400 2333 POST /service/update2?cup2key=5:3993259034&cup2hreq=1beabeae3a9008aa500f171f3efd92cac82574e42989d76d9104766a07e2e021 - HIER_NONE/- text/html
1432278483.049 0 172.16.1.20 TAG_NONE/400 2201 GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl - HIER_NONE/- text/html
Remember, we need to check normal HTTP use with the ACL syntax (that part is
OK; I just need the config to be OK so I can see the same using this ssl-bump,
for example for domains such as facebook or similar).
Thanks
--
Antonio Peña
Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71 7BB2 6476 FA09 8B02 1001
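Added example (not part of the original post, nor Squid's own code): a small parser for the native "squid" access.log format quoted above, which counts the TAG_NONE/400 records that never reached an upstream (HIER_NONE) per client and lists the requests that were logged with a bare path and no origin host. The first two sample records are copied from the post; the third, with client 172.16.1.21 and peer 198.51.100.7, is constructed.

```python
import re
from collections import Counter

# Squid "squid" (native) access.log layout, one record per line:
# time elapsed client tag/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return a dict for one native-format record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def is_hostless(url):
    # The intercepted requests in the post are logged as a bare path with no
    # scheme://host, i.e. Squid never resolved an origin server for them.
    return url.startswith("/")

def summarize(lines):
    """Count TAG_NONE/400 records with HIER_NONE (no upstream contacted) per
    client, and list the hostless (method, path) pairs behind them."""
    per_client = Counter()
    hostless = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"] == "TAG_NONE" and rec["status"] == 400 and rec["hier"] == "HIER_NONE":
            per_client[rec["client"]] += 1
            if is_hostless(rec["url"]):
                hostless.append((rec["method"], rec["url"].split("?", 1)[0]))
    return dict(per_client), hostless

# Two records copied from the post, plus one constructed healthy record
# (client 172.16.1.21 and peer 198.51.100.7 are made up for this example).
SAMPLE_LOG = """
1432278470.317 0 172.16.1.20 TAG_NONE/400 388 HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1505220707 - HIER_NONE/- text/html
1432278472.729 0 172.16.1.20 TAG_NONE/400 2193 GET /pki/crl/products/MicRooCerAut_2010-06-23.crl - HIER_NONE/- text/html
1432278490.118 142 172.16.1.21 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
""".strip().splitlines()
```

Run `summarize(open("/var/log/squid3/access.log").readlines())` against a real log to see which clients and paths are being rejected before any upstream contact.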