[squid-users] Unable to open youtube.com

Timur Lagutenko timur.lagutenko at gmail.com
Wed Oct 17 05:37:53 UTC 2018


I will try a fresh installation of FreeBSD 11.2-RELEASE
and see how it works.
Maybe something was corrupted during the upgrade.

Just FYI, please look at my pf.conf and squid.conf:


# cat /etc/pf.conf
outif=re0                       #outer interface
inif=re1                        #inner interface
outip="(" $outif ")"            #outer ip
inip="(" $inif ")"              #inner ip
innw=$inif:network              #inner network
inbc=$inif:broadcast            #inner broadcast
bc="255.255.255.255"            #limited broadcast (unused below)

set skip on lo0
set block-policy drop
scrub in all

nat on $outif from $innw to any -> $outip
rdr on $inif proto {tcp,udp} from $innw to any port 123 -> $inip port 123

block log all

pass from $innw to $innw

# this is my client machine ip
# i have allowed full access from my PC
pass from 192.168.0.104 to any

# these 2 lines pass any traffic from the gateway itself
pass from $outip to any
pass from $inip to any

# i don't know why but option "set skip on lo0" doesn't work
# so i additionally pass all traffic through the loopback interface
pass on lo0 from any to any


###########################################################################


# cat /usr/local/etc/squid/squid.conf
visible_hostname "Squid on freebsd"
acl localnet src 192.168.0.0/20 # RFC1918 possible internal network
shutdown_lifetime 5 seconds
access_log daemon:/var/log/squid/access.log squid

# NOTE: with 1-65535 both ACLs match every port, so the two
# "deny !Safe_ports" / "deny CONNECT !SSL_ports" rules below never match
acl SSL_ports port 1-65535
acl Safe_ports port 1-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet manager
http_access deny manager

http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#


acl baddom dstdomain ardownload.adobe.com agsupdate.adobe.com \
.microsoft.com .windowsupdates.com .oneclient.sfx.ms \
.windows.com .windowsupdate.com

acl bdx dstdom_regex -n -i porn

http_access deny bdx
http_access deny baddom

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 192.168.0.254:3128
# in future i have plans for port 3129
# for now it simply listens on an additional port
http_port 192.168.0.254:3129

cache_dir ufs /var/squid/cache 10240 8 16
maximum_object_size 4096 MB
coredump_dir /var/squid/cache

quick_abort_min -1 KB

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/) 0        0%      0
refresh_pattern .               0       20%     4320


Wed, 17 Oct 2018 at 10:06, Amos Jeffries <squid3 at treenet.co.nz>:

> On 17/10/18 5:17 PM, Timur Lagutenko wrote:
> > i'm sure that the issue is not related to firewall rules.
> > because if I pass traffic from client IP (using NAT, browser is not
> > configured to use proxy) it works.
>
> Ah, you said earlier that you did not have SSL-Bump features enabled.
>
> How are you intercepting the port 443 HTTPS traffic with NAT and
> converting it to port 80 or 3128 syntax HTTP for Squid to handle?
>
> Squid cannot MITM the "raw" port 443 TLS without SSL-Bump being configured.
>
>
> Also since it is a Google service it may not be using TCP port 443 at
> all. It may actually be performing their QUIC protocol instead of HTTPS.
> That has to be blocked entirely to be sure the proxy is actually
> receiving all the relevant traffic.
>
>
>
> > I think it is related to some SSL/TLS lib in the system.
> > Because today i've tried CLI browser - links.
> > Launching it directly from gateway (which has direct access to web), i
> > was able to browse any site in text mode.
> > Except youtube.
> > So i guess it is related to some missing ssl lib.
> > Could you please suggest how can i find all required libs for my squid?
> >
>
> If Squid starts without crashing the libs it has been compiled to use
> are present on your machine.
>
> If you built it yourself on the same machine, it only uses library
> features that machine had at time of the build - so maybe a rebuild is
> needed to get access to newer library features.
>
> When it comes to TLS though the library itself is doing the config parse
> and setup for crypto things. So Squid does not particularly need to even
> be configured to use features the library enables by default. Which
> usually includes the current industry-standard ciphers etc.
>
>
> If Squid accepts your config file and does not produce an ERROR or FATAL
> message when you run "squid -k parse" all the libs required to run your
> config have been compiled in and loaded.
>
>
> > # squid -v
> > Squid Cache: Version 3.5.28
> > Service Name: squid
> >
> > This binary uses OpenSSL 1.0.2p  14 Aug 2018. For legal restrictions on
> > distribution see https://www.openssl.org/source/license.html
>
>
> Your problem may be TLS/1.3 related. OpenSSL 1.0.* only supports a max
> of TLS/1.2. Squid-3.5 also only supports OpenSSL 1.0.* library.
>
> AFAIK, Google are one of the organizations heavily pushing TLS changes
> and bias their services towards forcing the latest crypto whenever they
> can. It is strange that others have not reported issues en masse, so this
> is somewhat unlikely.
>
>
> Other admins mentioning similar behaviour with YouTube have turned out to
> be TLS restrictions that pretty much prohibit the weaker crypto Google
> services still allow and only let the very advanced ones (not supported
> by their Squid) work.
>
> But also those restrictions were done via SSL-Bump configs. Since you
> don't use SSL-Bump it is unlikely to be the same - which leaves us only
> with the network/firewall level issues as known things to look at.
>
> Amos
>
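The two firewall-level points Amos raises (QUIC has to be blocked so the proxy actually sees the traffic, and only plain HTTP can be redirected to Squid when SSL-Bump is not configured) translate into a few pf rules. The fragment below is an added illustration, not configuration from this thread or from the Squid project. It reuses the macro names from the pf.conf above ($inif, $inip, $innw) and assumes a Squid listener `http_port 192.168.0.254:3129 intercept`, which the posted squid.conf does not yet have (its 3129 port is a plain forward-proxy port).

```pf
# --- added example, not the poster's pf.conf ---
# Macros as in the pf.conf above; re1 is the inner, client-facing interface
inif=re1
inip="(" $inif ")"
innw=$inif:network

# pf requires translation rules (rdr) before filter rules (block/pass).

# 1. Transparently redirect plain HTTP (TCP/80) from the LAN to Squid.
#    Needs a matching "http_port 192.168.0.254:3129 intercept" in
#    squid.conf (assumed here); "rdr pass" also creates the pass rule.
rdr pass on $inif proto tcp from $innw to any port 80 -> $inip port 3129

# 2. Block QUIC (UDP/443) from the LAN. Browsers then fall back to
#    TCP/443, i.e. to HTTPS the proxy can at least see as CONNECT.
#    "quick" makes this win over the later last-match pass rules.
block drop log quick on $inif proto udp from $innw to any port 443

# 3. TCP/443 is deliberately NOT redirected: without SSL-Bump Squid cannot
#    handle raw TLS, so HTTPS either goes out directly through the existing
#    "nat on $outif" rule or reaches Squid only when the browser is
#    explicitly configured to use the proxy (CONNECT to port 3128).
```

After adding the `intercept` port to squid.conf, `squid -k parse` (as Amos suggests) confirms the directive is accepted; on FreeBSD an intercept port additionally requires Squid to have been built with pf interception support and to be able to read /dev/pf so it can recover the original destination of the redirected connection.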

