[squid-users] Squid Peek/Splice some issues

--Ahmad-- ahmed.zaeem at netstream.ps
Mon Jun 20 21:43:07 UTC 2016


Hi ,
i have squid that is working on 3.5 .
traffic of t 80 and 443 traffic to Squid via IPTables.

Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic and PKI has been setup and distributed to all clients.

we have a problem in  Skype of Business (Office 365) and Slack (Chat app)  seems its broken from squid intercept.

current versions we have :
·       Squid 3.5.19

·       C-ICAP 0.4.2

·       SquidclamAV 6.15

·       ClamAV 0.99.2

=====================

      here is squid.conf :

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager

# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept


coredump_dir /var/cache/squid

visible_hostname test1

cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log


cache_effective_user squid
cache_effective_group squid

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav <icap://127.0.0.1:1344/squidclamav>
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav <icap://127.0.0.1:1344/squidclamav>
adaptation_access service_resp allow all

acl test-header dstdomain	test.com <http://test.com/>
request_header_add X-TEST-GUID TEST test-header

#Custom Error Pages
error_directory /opt/www/squid

# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
ssl_bump server-first all 
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1


sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1
=======================================================


i think the best is we ACLs setup to bypass the interception for these applications like Skype of Business (Office 365) and Slack (Chat app) .


thank you 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160621/5c6dbe5a/attachment-0001.html>


More information about the squid-users mailing list