[squid-users] Working peek/splice no longer functioning on some sites

James Lay jlay at slave-tothe-box.net
Fri Nov 24 19:32:21 UTC 2017


I should add this is squid-3.5.27.  Thank you.
On Fri, 2017-11-24 at 12:30 -0700, James wrote:
> Topic says it...this setup has been working well for a long time, but
> now there are some sites that are failing the TLS handshake.  Here's
> my setup:
> 
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl CONNECT method CONNECT
> acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> http_access allow SSL_ports
> http_access allow allowed_http_sites
> http_access deny all
> 
> 
> ssl_bump peek all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice allowed_https_sites
> ssl_bump terminate all
> 
> sslproxy_cert_error allow all
> sslproxy_capath /etc/ssl/certs
> sslproxy_flags DONT_VERIFY_PEER 
> #sslproxy_options ALL
> 
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> sslcrtd_children 5
> 
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> 
> 
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %
> 
> access_log syslog:daemon.info mine 
> 
> refresh_pattern -i (cgi-bin|\?)	0	0%	0
> refresh_pattern .		0	20%	4320
> 
> coredump_dir /opt/var 
> 
> For example, the file http_url.txt contains:
> 
> account\.elderscrollsonline\.com
> \.elderscrollsonline\.com
> elderscrollsonline\.com
> 
> 
> After doing some reading it looks like this is http2 traffic:  https://wiki.squid-cache.org/Features/HTTP2.
> 
> Is there anything I can do to continue using squid with more and more
> sites using http2?  Pcap enclosed..thank you.
> 
> James
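As an added example (not from the post and not Squid's own code), the script below builds a TLS ClientHello of the kind Squid inspects at SslBump step 1, reads the SNI and the ALPN list back out of it, and applies the three regexes from http_url.txt the way the splice/terminate rules in the quoted config would; the pattern list is a constructed copy of the lines shown, and build_client_hello, parse_client_hello and bump_decision are names chosen here. A client that wants HTTP/2 advertises it as the ALPN identifier "h2" in exactly this message, which is the field worth checking in the enclosed capture.

```python
import re
import struct

# Regexes mirroring the poster's http_url.txt (constructed copy of the three lines shown)
ALLOWED_PATTERNS = [r"account\.elderscrollsonline\.com", r"\.elderscrollsonline\.com", r"elderscrollsonline\.com"]

def build_client_hello(sni, alpn):
    """Constructed minimal TLS 1.2 ClientHello carrying only SNI and ALPN extensions."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_ext = struct.pack("!H", len(protos)) + protos
    exts = (struct.pack("!HH", 0, len(sni_ext)) + sni_ext
            + struct.pack("!HH", 16, len(alpn_ext)) + alpn_ext)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(record):
    """Return (sni, alpn_list): what a step-1 peek learns before any server contact."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                  # headers, client_version, random
    pos += 1 + record[pos]                            # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                            # compression methods
    sni, alpn = None, []
    if pos >= len(record): return sni, alpn           # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                # server_name: list len, type, len, host
            sni = body[5:5 + struct.unpack_from("!H", body, 3)[0]].decode("ascii")
        elif etype == 16:                             # ALPN: len, then (len, name) entries
            i = 2
            while i < len(body):
                alpn.append(body[i + 1:i + 1 + body[i]].decode("ascii"))
                i += 1 + body[i]
    return sni, alpn

def bump_decision(sni, patterns=ALLOWED_PATTERNS):
    """Mirror 'ssl_bump splice allowed_https_sites' then 'ssl_bump terminate all' (unanchored search)."""
    return "splice" if sni and any(re.search(p, sni) for p in patterns) else "terminate"
```

Feeding the ClientHello bytes from the captured handshake into parse_client_hello shows whether the client offered h2 in ALPN and which pattern, if any, the SNI matched.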