[squid-users] Squid Peek/Splice some issues
--Ahmad--
ahmed.zaeem at netstream.ps
Mon Jun 20 21:43:07 UTC 2016
Hi,
I have Squid running version 3.5.
Traffic on ports 80 and 443 is sent to Squid via iptables.
Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic, and a PKI has been set up and distributed to all clients.
We have a problem with Skype for Business (Office 365) and Slack (chat app); they seem to be broken by the Squid intercept.
Current versions we have:
· Squid 3.5.19
· C-ICAP 0.4.2
· SquidclamAV 6.15
· ClamAV 0.99.2
=====================
Here is squid.conf:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager
# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept
coredump_dir /var/cache/squid
visible_hostname test1
cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log
cache_effective_user squid
cache_effective_group squid
icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
acl test-header dstdomain test.com
request_header_add X-TEST-GUID TEST test-header
#Custom Error Pages
error_directory /opt/www/squid
# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1
=======================================================
I think the best option is to set up ACLs that bypass the interception for applications like Skype for Business (Office 365) and Slack (chat app).
Thank you
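One way to do that bypass on Squid 3.5, as an added example that is not part of the original post: replace the single `ssl_bump server-first all` line with a peek/splice/bump ladder that reads the SNI from the ClientHello and splices (tunnels) the listed sites instead of bumping them. The domain list is an illustrative assumption; the authoritative endpoint lists come from the vendors' documentation.

```squid
# Added example, not from the original squid.conf. Replaces:
#   ssl_bump server-first all
# Everything else (https_port, sslcrtd_program, ICAP services) stays.

# at_step ACLs: SslBump1 = only TCP-level info and the client's TLS
# ClientHello are available; the SNI is read here but nothing is
# answered to the client yet.
acl step1 at_step SslBump1

# Sites that must be tunnelled untouched (pinned certificates or
# non-HTTP protocols over 443). Illustrative list: confirm the real
# domains against the vendors' published endpoint lists.
# ssl::server_name matches the SNI from the ClientHello.
acl nobump_sites ssl::server_name .slack.com
acl nobump_sites ssl::server_name .lync.com

# Step 1: peek at the ClientHello so the SNI is available to the ACL.
ssl_bump peek step1
# Step 2: splice the listed applications end-to-end (no MITM cert,
# and therefore no ICAP/ClamAV scanning of that traffic).
ssl_bump splice nobump_sites
# Everything else is bumped and scanned as before.
ssl_bump bump all
```

Spliced connections are opaque to the ICAP/ClamAV chain, so keep the splice list to the domains that actually need it, and run `squid -k parse` after the change to check the rules before reconfiguring.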