[squid-users] Squid Version 3.5.20

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 20 00:42:35 UTC 2017


pPS: please respond to the list, responding to people on-list directly 
and cc'ing the list makes the thread view and web forum view all screwed up.

Below is a free audit of your config lines. I suspect  know where your 
problem is, but will followup in the tread where Yuri is posting rather 
than this detatched side-posting.


On 20/07/17 05:36, Cherukuri, Naresh wrote:>
> *From:*Cherukuri, Naresh
> *Sent:* Wednesday, July 19, 2017 9:46 AM
> 
> Hi All,
> 
> I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA 
> certificates,  My users are complaining about certificate errors. When I 
> looked at cache.log I see so many error messages like below. Below is my 
> squid.conf file. Any ideas how to address below errors.
> 
> Squid.conf:
> 
> max_filedesc 4096
> 

The directive name should be max_filedescriptors.


> visible_hostname pctysqd2prod
> 

That directive should contain a FQDN, not just a host name.

> logfile_rotate 10
> 
> access_log stdio:/var/log/squid/access.log squid
> 

Above are default values, no need to configure in Squid-3+.

> acl localnet src 172.16.0.0/16
> 
> acl backoffice_users src 10.136.0.0/13
> 
> acl hcity_backoffice_users src 10.142.0.0/15
> 
> acl register_users src 10.128.0.0/13
> 
> acl hcity_register_users src 10.134.0.0/15
> 

If your localnet / LAN ranges are only 172.16/16 what are 10/8 addresses 
doing contacting your proxy?


> acl partycity url_regex partycity
> 
> acl SSL_ports port 443
> 
> acl Safe_ports port 80          # http
> 
> #acl Safe_ports port 21         # ftp
> 
> acl Safe_ports port 443         # https
> 
> #acl Safe_ports port 70         # gopher
> 
> #acl Safe_ports port 210                # wais
> 
> #acl Safe_ports port 1025-65535 # unregistered ports
> 
> #acl Safe_ports port 280                # http-mgmt
> 
> #acl Safe_ports port 488                # gss-http
> 
> #acl Safe_ports port 591                # filemaker
> 
> #acl Safe_ports port 777                # multiling http
> 
> acl CONNECT method CONNECT
> 
> #acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
> 
> acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
> 
> acl hcity_backoffice_allowed_sites url_regex 
> "/etc/squid/backoffice_allowed_sites"
> 
> acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
> 
> acl hcity_backoffice_blocked_sites url_regex 
> "/etc/squid/backoffice_blocklist"
> 
> acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
> 
> acl hcity_register_allowed_sites url_regex 
> "/etc/squid/hcity_register_allowed_sites"

Hmm, the word "sites" in all these ACL names indicates that you are 
trying to match whole domains / websites - not just a few URLs within 
those sites that happen to match a regex.
  To match a domain use dstdomain, it is MUCH faster than regex.


> 
> http_access allow localnet register_allowed_sites
> 
> http_access deny backoffice_users backoffice_blocked_sites
> 
> http_access deny hcity_backoffice_users backoffice_blocked_sites
> 
> http_access allow backoffice_users backoffice_allowed_sites
> 
> http_access allow hcity_backoffice_users backoffice_allowed_sites
> 
> http_access allow register_users register_allowed_sites
> 
> http_access allow hcity_register_users hcity_register_allowed_sites
> 
> no_cache deny partycity

The directive name is "cache". Also...

Since Squid-3.5 if you actually want to prevent caching of those 
partycity URLs please use "store_miss deny partycity" instead.

If you want to *allow* the partycity URLs to cache, you need not 
configure cache / no_cache / store_miss.


> 
> http_access deny all
> 

Nothing below this lines will have any effect at all. Sadly you have 
move the most critical security controls down below here.


> #http_access allow manager localhost
> 
> #http_access deny manager
> 
> # Deny requests to certain unsafe ports
> 
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> 
> #http_access deny CONNECT !SSL_ports
> 
> http_access  allow CONNECT SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> 
> # web applications running on the proxy server who think the only
> 
> # one who can access services on "localhost" is a local user
> 
> http_access deny to_localhost
> 
> # Example rule allowing access from your local networks.
> 
> # Adapt localnet in the ACL section to list your (internal) IP networks
> 
> # from where browsing should be allowed
> 
> #http_access allow localnet
> 
> http_access allow localhost

All your http_access rules should be in here around the localnet and 
localhost allow lines. Then you can also remove the above "deny all" 
line and make the one below do what it is supposed to do.

> 
> # And finally deny all other access to this proxy
> 
> http_access deny all
> 
> # Squid normally listens to port 3128
> 
> http_port 3128 ssl-bump \
> 
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
> 
> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
> 
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> 
> ssl_bump bump all
> 

Okay so TLS ClientHello gets peeked at, then everything gets bumped.

Fine, but be aware that any sites or client Apps using cert pinning (eg. 
chrome when contacting Google, mobile apps calling their home site, 
etc). will completely cease to work through your proxy.

Also, no ssl_bump lines below this one will do anything.


> sslproxy_cert_error allow all
> 
> always_direct allow all
> 
> sslproxy_flags DONT_VERIFY_PEER
> 

Please remove the above completely from your config. It is all based on 
temporary hacks from Squid-3.0 era or complete wrong misunderstanding 
about how TLS works.

You should expect that change to show *more* errors than you are seeing 
right now. Those are problems that do need fixing rather than just 
hiding from your logs (they still screw people over, just not logged).

You may find that you have to "sslproxy_cert_error allow" for some 
errors, but *ONLY* allow specific ones as needed - do not allow anything 
to happen silently like above does.


Cheers
Amos


More information about the squid-users mailing list