[squid-users] Establishing secure conection problems (Chrome)

William Ivanski william.ivanski at gmail.com
Thu Jun 2 13:35:10 UTC 2016


Thank you for your quick response.

First of all, forgive me for the lack of information in the first
email. I tried disabling QUIC a few minutes ago and the problem
persists. The requested information follows:

-> Compilation:

I've installed squid using the following commands:

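    # Build-and-install transcript for a source build of Squid 3.5 on top of the
    # Debian squid3 package. All commands are run as root. Lines that the e-mail
    # client wrapped are rejoined with explicit "\" continuations.
    cd /usr/src

    apt-get install squid3

    # NOTE(review): the tarball is fetched over plain HTTP and then unpacked,
    # built and installed as root with no integrity check. Verify it against a
    # checksum or signature obtained over a trusted channel before ./configure.
    wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.15-20160330-r14015.tar.gz

    tar xvzf squid-3.5.15-20160330-r14015.tar.gz

    cd squid-3.5.15-20160330-r14015

    apt-get build-dep squid3 && apt-get install build-essential libssl-dev

    # "--with-cppunit-config-basedir" is written as one token; a stray space
    # after "--with-" would split it into two invalid arguments.
    ./configure --enable-icap-client --enable-ssl --enable-ssl-crtd \
      --prefix=/usr --includedir=/usr/include --mandir=/usr/share/man \
      --infodir=/usr/share/info --sysconfdir=/etc --localstatedir=/var \
      --libexecdir=/lib/squid3 --srcdir=. --datadir=/usr/share/squid3 \
      --sysconfdir=/etc/squid3 --mandir=/usr/share/man \
      --with-default-user=squid --with-cppunit-config-basedir=/usr \
      --with-logdir=/var/log/squid3 --with-pidfile=/var/run/squid3.pid \
      --with-openssl --disable-optimizations --disable-arch-native

    service squid3 stop

    make all && make install

    # Service account for the proxy: a system user with no login shell and no
    # home directory, since it only needs to own Squid's log and cache files.
    useradd --system --no-create-home --shell /usr/sbin/nologin squid \
      && chown -R squid:squid /var/log/squid3

    # Keep the packaged binary as a fallback and put the new build in its place.
    mv /usr/sbin/squid3 /usr/sbin/squid3.old \
      && mv /usr/sbin/squid /usr/sbin/squid3

    # The size argument to -M is a single token ("4MB").
    /lib/squid3/ssl_crtd -c -s /var/lib/ssl_db -M 4MB

    chown -R squid:squid /var/lib/ssl_db

    # The cache directory only has to be writable by the user Squid runs as
    # (--with-default-user=squid). Give that user ownership instead of making
    # the directory world-writable: with mode 777 any local account could
    # create, replace or delete files under the cache directory.
    service squid3 restart && service squid3 stop \
      && chown -R squid:squid /var/spool/squid3 \
      && chmod 750 /var/spool/squid3 \
      && squid3 -z && service squid3 restart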

Note: We're not using ssl_crtd/ssl_db anymore. Our previous squid conf
was using intercept, but the current one isn't configured as a
transparent proxy.

-> Platform of the gateway:

Distributor ID: Debian

Description:    Debian GNU/Linux 8.4 (jessie)

Release:        8.4

Codename:       jessie

-> Squid:

Squid Cache: Version 3.5.15-20160324-r14011

Service Name: squid

configure options:  '--enable-icap-client' '--enable-ssl'
'--enable-ssl-crtd' '--prefix=/usr' '--includedir=/usr/include'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-default-user=squid' '--with-cppunit-config-basedir=/usr'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-openssl' '--disable-arch-native'

-> Squid.conf:

# Forward-proxy configuration (no intercept/ssl-bump options on the port).
# NOTE(review): no listen address is given, so the port is not limited to the
# LAN interface by this file - confirm 3128 is firewalled from untrusted networks.
http_port 3128

visible_hostname gateway

cache_mgr william at planningservice.com.br

error_directory /usr/share/squid3/errors/Portuguese

access_log /var/log/squid3/access.log

hierarchy_stoplist cgi-bin ?

# Cache sizing: 2 GB memory cache, 300 GB (307200 MB) on-disk ufs store.
cache_mem 2048 MB

maximum_object_size_in_memory 100 MB

cache_dir ufs /var/spool/squid3 307200 16 256

maximum_object_size 4096 MB

minimum_object_size 0 MB

cache_swap_low 90

cache_swap_high 95

refresh_pattern ^ftp:             360   20%     2280

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .                 0     20%     2280

cache_log /var/log/squid3/cache.log

# Source/destination ACLs. "localnet" matches clients by source address;
# "localnetd" matches requests by destination address in the same /24.
acl localhost src 127.0.0.1/32

acl localnet src 192.168.0.0/24

acl localnetd dst 192.168.0.0/24

# Cache-manager and PURGE requests are accepted from localhost only.
acl manager proto cache_object

http_access allow manager localhost

http_access deny manager

acl purge method PURGE

http_access allow purge localhost

http_access deny purge

# Ports the proxy will connect to for plain requests; everything else is denied.
acl Safe_ports port 21

acl Safe_ports port 70

acl Safe_ports port 80

acl Safe_ports port 210

acl Safe_ports port 280

acl Safe_ports port 443

acl Safe_ports port 488

acl Safe_ports port 563

acl Safe_ports port 591

acl Safe_ports port 631

acl Safe_ports port 777

acl Safe_ports port 873

acl Safe_ports port 901

acl Safe_ports port 1025-65535

http_access deny !Safe_ports

# Ports to which CONNECT tunnels are permitted. A CONNECT tunnel is opaque to
# the proxy, so every port listed here is one clients can reach unfiltered.
# NOTE(review): 563 and 873 are allowed in addition to 443 - keep this list to
# the ports that are actually needed.
acl SSL_ports port 443

acl SSL_ports port 563

acl SSL_ports port 873

acl connect method CONNECT

http_access deny connect !SSL_ports

acl FTP proto FTP

always_direct allow FTP

# Client-address lists loaded from files (one entry per line).
acl reqliberacaotmp src "/etc/firewall/ips_liberados_tmp.txt"

acl reqliberacaofixo src "/etc/firewall/ips_liberados_fixo.txt"

# ACLs on one http_access line are ANDed: this rule matches only a client whose
# address appears in BOTH files.
# NOTE(review): if either list was meant to be sufficient, this needs two
# separate "http_access allow" lines - confirm the intent.
http_access allow reqliberacaotmp reqliberacaofixo

# Destination-domain regex lists loaded from files, matched case-insensitively.
acl sitesliberadosfixo dstdom_regex -i "/etc/firewall/sites_liberados_fixo.txt"

acl sitesliberadostmp dstdom_regex -i "/etc/firewall/sites_liberados_tmp.txt"

# Weekday (Mon-Fri) time windows.
acl almoco time MTWHF 11:50-13:30

acl manha time MTWHF 00:01-08:30

acl noite time MTWHF 18:00-23:59

# Local clients may always reach the listed sites ...
http_access allow localhost sitesliberadosfixo

http_access allow localhost sitesliberadostmp

http_access allow localnet sitesliberadosfixo

http_access allow localnet sitesliberadostmp

# ... and may reach any destination during the three time windows.
http_access allow localhost almoco

http_access allow localnet almoco

http_access allow localhost manha

http_access allow localnet manha

http_access allow localhost noite

http_access allow localnet noite

# Denies a request that matches none of the four lists (site lists and client
# lists). NOTE(review): the rule appears to have been wrapped by the e-mail; in
# squid.conf all four conditions belong on one http_access line.
http_access deny !sitesliberadosfixo !sitesliberadostmp
!reqliberacaotmp !reqliberacaofixo

http_access allow localhost

http_access allow localnet

# NOTE(review): this rule has no source condition, so any client whose request
# reaches it is allowed to use the proxy towards 192.168.0.0/24. Confirm that
# the rules above and the firewall restrict who can connect to the proxy port;
# otherwise the proxy can relay requests to internal hosts.
http_access allow localnetd

http_access deny !localhost !localnet !localnetd

# Final catch-all: anything not explicitly allowed above is refused.
http_access deny all



I'll send access.log in the next e-mail; otherwise the message body will be too big.



William Ivanski