[squid-users] youtube restriction.

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 10 05:44:20 UTC 2019


On 8/04/19 9:34 pm, Antony Stone wrote:
> Hi.
> 
> I'm replying in the original thread, to keep this conversation together in the 
> archives etc.
> 
> On Monday 08 April 2019 at 11:15:00, Wegner Michaël wrote:
> 
>> Hi Antony,
>>
>> The video is OK if I do not use squid v3.5.
> 
> So, it's not Youtube blocking that particular video in your country etc.
> 
>> If in the squid.conf file I disable redirection to squidguard, the problem
>> is the same.
> 
> Okay, we can disregard SquidGuard as being the problem, then.
> 
>> If squid is activated, some videos are blocked (the videos in
>> restricted mode)
> 
> That tells us it's your Squid configuration which is causing the problem.
> 
>> With an old version of squid (2.6) there are no problems
> 
> There are a *lot* of differences between Squid 2.6 and 3.5, especially for 
> HTTPS.  You *have* made suitable adjustments to the configuration file, I hope?
> 
> 
> Antony.
> 

> -----Original Message-----
> From: Wegner Michaël
> Sent: Monday 8 April 2019 11:15
> 
> Hi Antony,
> 
> The video is OK if I do not use squid v3.5.
> If in the squid.conf file I disable redirection to squidguard, the problem is the same.
> If squid is activated, some videos are blocked (the videos in restricted mode). With an old version of squid (2.6) there are no problems
> 
> Regards,
> 
> Hi,
> 
> I installed a new squid server, version 4.6, without squidguard and with access allow all.
> I set up the SSL and I imported the certificate on the client, but without success.
> 
> My squid.conf is : 
> 
...
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> include /etc/squid/conf.d/*

Do you have any config files in that directory? If so, please post their
content too.

> 
> #http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> #http_access deny all
> http_access allow all
> 

Allowing anyone to send traffic through your proxy without limitation is
*not* a good idea. Now that you confirmed it makes no difference, please
remove again to avoid it adding complications.

If an error was showing up before to make you think this was a
possibility, we will need to see that message please.


> 
> http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /opt/squid/log/squid/ssl_db -M 4MB
> coredump_dir /opt/squid/var/cache/squid
> cache_dir ufs /opt/squid/var/cache/squid 1000 16 256 # 1GB as Cache
> 

So you have "ssl-bump" and related settings on the port. This means that
Squid will attempt to decrypt the TLS/SSL traffic arriving in that port's
CONNECT requests.

However, there is no sign of any ssl_bump access controls. Which means
your Squid will *not* do the decryption. This config should act exactly
as if you had not specified ssl-bump at all. The TLS/SSL inside a
CONNECT tunnel is between the client and origin server directly -
exactly as if the proxy was not there.



PS. One thing to be aware of though is that YouTube being a Google
property is pushing use of newer protocols like HTTP/2, HTTP/3 and QUIC.
You may find that the traffic is not going over TCP at all or being
detected as an unsupported protocol.
That latter would produce error responses - Squid-4 has
<http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to work
around that.


Amos
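
The two configuration points raised in the reply above, written as a small squid.conf check. This is an added example, not part of the original message and not Squid project code; the sample config is constructed from the directives quoted in the thread, and the comment stripping and lack of include-following are simplifying assumptions.

```python
# Constructed sample: directives quoted in the thread, trimmed for brevity.
SAMPLE_CONF = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
#http_access allow localnet
http_access allow localhost
#http_access deny all
http_access allow all
http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on
cache_dir ufs /opt/squid/var/cache/squid 1000 16 256 # 1GB as Cache
"""

def directives(text):
    """Yield (lineno, name, args) per active directive (assumption: '#' starts a comment)."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield n, name, args

def audit(text):
    """Return (lineno, message) findings for the issues pointed out in the reply."""
    items = list(directives(text))
    has_bump_rules = any(name == "ssl_bump" for _, name, _ in items)
    findings = []
    for n, name, args in items:
        if name == "include":  # included files are not read by this check
            findings.append((n, "include not followed: review those files for ssl_bump/http_access rules"))
        if name == "http_access" and args == ["allow", "all"]:
            findings.append((n, "http_access allow all: anyone can relay through the proxy"))
        if name in ("http_port", "https_port") and "ssl-bump" in args and not has_bump_rules:
            findings.append((n, "ssl-bump on port but no ssl_bump rules: CONNECT tunnels are not decrypted"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```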

