[squid-users] Transparent Squidding Teething Issues

Olly Lennox oliver at lennox-it.uk
Mon Apr 24 16:50:40 UTC 2017


Hi All,

First week testing the transparent squid proxy on the Raspberry Pi is going well so far but I've hit a few snags that I was hoping someone might be able to advise on. My current (SSL) config is:


------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

acl nobumpserver ssl::server_name "/etc/squid/nobump"
acl step1 at_step SslBump1

ssl_bump peek nobumpserver
ssl_bump splice nobumpserver

ssl_bump stare step1 !nobumpserver
ssl_bump bump !nobumpserver

sslproxy_cafile /etc/squid/ssl_cert/ca-bundle.crt

sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I've also disabled caching for now since the little pi wasn't quite coping with it (I think the flash memory cards they use are a bit slow) and overall internet performance was suffering.

-----------------------

My questions are:

1. Are there any techniques / acls to handle streaming content? Ideally I'd like all streaming content to be spliced, not bumped.

2. There seems to be a problem with sending larger content over bumped HTTPS (receiving is fine). For example, WhatsApp and Snapchat receive messages and rich content fine and you can send messages fine, but trying to send rich content like video or images fails with connection errors.

3. Skype doesn't seem to work unless you specify explicit proxy settings in the config (point it at the proxy server / 3130 port). Is this to be expected or could it be fixed in the config?

4. Sorry, I know this is probably in the wiki, but is there an acl for source (client) address? For devices like a Smart TV where it is difficult to install the certificate, it would be useful to set these to always splice.

Thanks very much!

Olly
 
oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252
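One way to handle questions 1 and 4 with Squid's own ACL types, as an added example that is not part of the original post: a `src` ACL lists client addresses that are always spliced, and the existing `ssl::server_name` file can also hold streaming hosts. The file paths and the client address are assumptions.

```squid
# Added example, not the poster's config. Paths are assumptions.
# Server names (one per line) that must never be decrypted, e.g.
# streaming hosts; the poster's /etc/squid/nobump file reused here.
acl nobumpserver ssl::server_name "/etc/squid/nobump"
# Clients that cannot trust the proxy CA (Smart TV etc.); one IP or
# CIDR per line, e.g. a constructed line "192.168.1.50/32".
acl nobumpclient src "/etc/squid/nobump_clients"
acl step1 at_step SslBump1

# Step 1: inspect only the TLS ClientHello (SNI) so that
# ssl::server_name can be evaluated without touching the handshake.
ssl_bump peek step1
# Splice rules are listed before any bump rule, so matching
# connections are passed through untouched.
ssl_bump splice nobumpclient
ssl_bump splice nobumpserver
# Everything else is decrypted with the generated certificate.
ssl_bump bump all
```

With interception on the Pi acting as the gateway, `src` sees the real LAN address of the client, so the Smart TV entry needs no per-device proxy setting.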

