[squid-users] Transparent squid configuration problem.

Rodrigo Cunha rodrigo.root.rj at gmail.com
Thu Aug 23 18:40:49 UTC 2018


Squid does not work as a transparent proxy for HTTPS; that request is processed
directly in your browser because of security policies. Set up your browser with
the proxy and test: transparent for HTTPS does not work, only requests to HTTP
websites.

If a server process requests HTTPS between client and server, that server is
a "man in the middle", and that is a security problem for the customers in your
network.

On Thu, 23 Aug 2018 at 10:42, Зубарев Александр Александрович <
a.zubarev at generium.ru> wrote:

> Thank you, Louis!
>
> Is there some workaround? Maybe I can put that kind of sites without
> filtering?
>
> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On Behalf Of* L.P.H. van Belle
> *Sent:* Thursday, August 23, 2018 4:38 PM
> *To:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Transparent squid configuration problem.
>
> I noticed the following:    dig caa habr.com
> ;; ANSWER SECTION:
> habr.com.               3600    IN      CAA     0 iodef "mailto:iodef at habr.com"
> habr.com.               3600    IN      CAA     0 issue "comodoca.com"
>
> So you can't bump this site; it's protecting its certificates with a
> CAA/DANE DNS record.
>
> Greetz,
>
> Louis
>
> ------------------------------
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On behalf of* Зубарев Александр Александрович
> *Sent:* Thursday, 23 August 2018 15:22
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] Transparent squid configuration problem.
>
> Hi! I have some problems with the configuration of squid.
>
> What I need:
>
> http/https transparent proxy server based on Debian Stretch with some
> blacklisted and whitelisted domains
>
> I've used many tutorials and squid.wiki through the installation process and
> it almost works! But I have the last problem.
>
> When I tried to connect to some websites like https://habr.com I
> got HTTP ERROR 503. I've tried to find a solution on forums but no one helped
> me. I know the answer is simple and it's here but I can't find it by myself.
>
> Here is my squid.conf, cache.log, access.log and iptables script.
>
> Please help! :)
>
>
> Squid.conf:
>
> dns_v4_first on
>
> acl network src 10.84.0.0/16
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
> acl CONNECT method CONNECT
>
> http_access deny blacklist
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow all
>
> http_port 3130
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem
>
> #always_direct allow all
> ssl_bump server-first all
> #sslproxy_cert_error deny all
> #sslproxy_flags DONT_VERIFY_PEER
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> shutdown_lifetime 1 second
>
>
> cache.log:
>
> Maximum Resident Size: 123312 KB
> Page faults with physical i/o: 7
> 2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
> 2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
> 2018/08/23 16:19:27 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
> 2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4
> 2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent
> 2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
> 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
> 2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
> 2018/08/23 16:19:32 kid1| Service Name: squid
> 2018/08/23 16:19:32 kid1| Process ID 1209
> 2018/08/23 16:19:32 kid1| Process Roles: worker
> 2018/08/23 16:19:32 kid1| With 65535 file descriptors available
> 2018/08/23 16:19:32 kid1| Initializing IP Cache...
> 2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
> 2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
> 2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
> 2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
> 2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
> 2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
> 2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
> 2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2018/08/23 16:19:32 kid1| Store logging disabled
> 2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2018/08/23 16:19:32 kid1| Target number of buckets: 1008
> 2018/08/23 16:19:32 kid1| Using 8192 Store buckets
> 2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB
> 2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
> 2018/08/23 16:19:32 kid1| Using Least Load store dir selection
> 2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
> 2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
> 2018/08/23 16:19:32 kid1| HTCP Disabled.
> 2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
> 2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
> 2018/08/23 16:19:32 kid1| Adaptation support is off.
> 2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
> 2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
> 2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
> 2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
> 2018/08/23 16:19:32| pinger: ICMP socket opened.
> 2018/08/23 16:19:32| pinger: ICMPv6 socket opened
> 2018/08/23 16:19:32| Pinger exiting.
> 2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects
>
>
> Accesslog:
>
> 1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
> 1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
> 1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
> 1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
> 1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
> 1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
> 1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
> 1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
>
>
> Confidentiality notice: This e-mail transmission and any attachments included
> may contain confidential information. If you are not the intended recipient,
> you are hereby notified that any disclosure, copying, distribution, or
> reliance upon the content of this e-mail is strictly prohibited. If you have
> received this e-mail transmission in error, please notify sender by e-mail
> and then delete this message from your inbox.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil
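The access.log quoted in the thread shows the usual signature of a bump that succeeded on the client side but failed towards the origin: TAG_NONE/200 CONNECT lines for the origin IP, followed by TAG_NONE/503 on the decrypted GET https://habr.com/ request. The following script is an added example for triaging such logs; it is not code from Squid or from anyone in the thread. It parses Squid's native access.log format, groups results per origin peer, and lists the bumped HTTPS requests that ended in a 5xx. The sample lines are copied from the access.log posted above, and all function names are this example's own.

```python
"""Triage Squid native-format access.log lines for failed SSL-bumped HTTPS requests.

Added example for the thread above, not code from Squid or from any poster.
The sample lines are copied from the access.log posted in the thread.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid "native" log line:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Copied from the access.log in the thread.
SAMPLE_LOG = """\
1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    # An intercepted CONNECT line carries host:port (here the origin IP, since
    # no Host header exists yet); a bumped request carries the full https:// URL.
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec


def parse_log(text):
    """Parse every line that matches the native format; skip lines that do not."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize_by_peer(records):
    """Map origin peer IP -> dict of 'METHOD:status' -> count seen against it."""
    by_peer = defaultdict(Counter)
    for r in records:
        by_peer[r["peer"]][f"{r['method']}:{r['status']}"] += 1
    return {peer: dict(c) for peer, c in by_peer.items()}


def failed_bumped_requests(records):
    """List (peer, host, count) for https:// requests that Squid answered with a 5xx.

    A 5xx on an https:// URL with ORIGINAL_DST means the client's TLS session
    was bumped and the decrypted request reached Squid; the failure is on the
    proxy-to-origin side, so cache.log, not the browser, holds the cause.
    """
    counts = Counter()
    for r in records:
        if (r["url"].startswith("https://") and 500 <= r["status"] < 600
                and r["hier"] == "ORIGINAL_DST"):
            counts[(r["peer"], r["host"])] += 1
    return sorted((peer, host, n) for (peer, host), n in counts.items())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for peer, counts in summarize_by_peer(recs).items():
        print(peer, counts)
    for peer, host, n in failed_bumped_requests(recs):
        print(f"{n} failed bumped request(s) for {host} via {peer}")
```

On the thread's sample the script reports two successful CONNECTs and two GET 503s against 178.248.237.68 (habr.com), which separates "the client refused the bumped certificate" (no GET line would appear at all) from "Squid accepted the client but could not complete the origin fetch", the case to chase in cache.log.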