[squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 7 13:34:14 UTC 2019


On 8/03/19 1:35 am, dkanejs wrote:
> Thanks for the reply and apologies my post didn't include the HTML fragments:
> 
> Configuration:
> 
> ./configure \
>     --enable-ssl \
>     --enable-ssl-crtd \
>     --with-openssl \
>     --disable-arch-native \
>     --prefix=/usr \
>     --localstatedir=/var \
>     --sysconfdir=/etc/squid \
>     --libexecdir=/usr/lib/squid \
>     --datadir=/usr/share/squid \
>     --with-default-user=proxy \
>     --with-logdir=/var/log/squid \
>     --with-pidfile=/var/run/squid.pid
> 
> Squid configuration:
> 
> visible_hostname squid
> http_port 3128
> acl whitelist dstdomain .example.com
> http_access allow whitelist

You are missing the default security protections against DoS and some
other attack types. Please leave those Safe_ports and SSL_ports access
lines and place your custom rules after them.


> https_port 3129 cert=/etc/squid/squid.pem
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET 
> cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> ssl-bump intercept

The NAT 'intercept' mode flag needs to be second, right after the port
number.

The 'ssl-bump' flag should go before the cert= option so the right types
of cert are loaded. Without this ordering Squid-4 cannot warn you about
cert type errors (if any).

The "NO_SSLv2" is invalid. As of Squid-4 all options relating to SSLv2
are no longer supported in any way.


> acl SSL_port port 443
> http_access allow SSL_port
> acl CONNECT method CONNECT

"CONNECT" ACL is now a built-in. You do not have to define it.

> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 whitelist
> ssl_bump splice step3 whitelist
> ssl_bump terminate step2 all

The use of "all" ACL in the above lines does nothing but confuse people.

Please also be aware the 'whitelist' ACL will not match reliably in TLS
handshake because TLS does not have HTTP message URLs - thus no URL
domain name.

That means you should expect to see only terminated TLS handshakes with
this config. Anything actually being accepted and responded to would be
the anomaly.

I think what you are needing is probably this:

 ssl_bump peek all
 acl tls_whitelist ssl::server_name .example.com
 ssl_bump splice step3 tls_whitelist
 ssl_bump terminate all



Amos


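Putting the corrections from the reply together, here is a squid.conf fragment added as an example; it is neither the original poster's file nor something Amos posted. It assumes the same paths as the quoted ./configure (CA cert at /etc/squid/squid.pem), that the firewall already redirects port 443 traffic to 3129 (not shown), and that example.com stands in for whatever the real allowed domain is. The Safe_ports/SSL_ports block is the stock Squid default that the poster had dropped.

```squid
# Added example: squid.conf applying the corrections from the reply above.
# Not the original poster's config and not Amos's; assumptions are noted inline.

visible_hostname squid

# Stock Safe_ports / SSL_ports protections come first, custom rules after them.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
# No "acl CONNECT method CONNECT" line: CONNECT is a built-in ACL on Squid-4.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Custom rules. An intercepted TLS connection reaches http_access as a fake
# CONNECT to ip:443 (step 1) and later to sni:443 (step 2), so CONNECT to
# SSL_ports is allowed here and the domain decision is left to ssl_bump.
acl whitelist dstdomain .example.com
http_access allow whitelist
http_access allow CONNECT SSL_ports
http_access deny all

# Forward-proxy port, unchanged from the original config.
http_port 3128

# Interception port: mode flag second, ssl-bump before cert=, and no SSLv2
# option because Squid-4 no longer knows any SSLv2 settings.
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# TLS decisions must use the SNI / server certificate name: during the
# handshake there is no HTTP URL for a dstdomain ACL to inspect.
acl step3 at_step SslBump3
acl tls_whitelist ssl::server_name .example.com
ssl_bump peek all                    # steps 1-2: read client SNI, then the server cert
ssl_bump splice step3 tls_whitelist  # step 3: pass allowed servers through untouched
ssl_bump terminate all               # anything else: close the connection
```

Check it with `squid -k parse` before reloading; with the flag order fixed, Squid-4 can report certificate-type problems for the https_port line, and a leftover NO_SSLv2 will be rejected at parse time rather than silently ignored.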