[squid-users] squid-users Digest, Vol 97, Issue 20

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 16 09:28:54 UTC 2022


On 13/09/22 00:39, Adiseshu Channasamudhram wrote:
> Hello Amos
> 
> Thank you for looking into this. Below is the configuration ...
> 


FYI, below is advice for Squid-4+; if you have an older version then 
please upgrade ASAP. Current stable Squid is v5.7.


> 
> ###########################
> logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un 
> %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
> 

"squid" is the registered name for Squid native log format. Some Squid 
versions will silently use the built-in format instead of yours. Recent 
versions will complain about this.

Please use a custom name for custom formats:

   logformat nuance ...


> cache_access_log /var/log/squid/access.log  squid

This directive is called "access_log". Remove the "cache_" part.

   access_log daemon:/var/log/squid/access.log logformat=nuance


> pid_filename /var/run/squid.pid
> 

This should not need configuring in any modern Squid.


> visible_hostname nuance-ak-client-test2
> 

The above should be a FQDN resolvable in DNS. It will be used in URLs 
presented to clients in error pages etc.


> acl Safe_ports port 80
> acl Safe_ports port 443
> acl SSL_ports port 443
> acl SSL method CONNECT
> acl CONNECT method CONNECT
> 
> cache deny all

To fully disable caching you should also add:
   cache_mem 0 KB


> dns_v4_first on

> http_port 443 tcpkeepalive=60,30,3 ssl-bump 

This may be your problem.

  - Port 443 is for encrypted TLS traffic.
  - "http_port" requires plain-text HTTP traffic. Encrypted TLS arriving 
here directly is guaranteed to result in the "error:invalid-request" 
entries in your log.

A working configuration for port 443 would be:

   https_port 443 \
     tls-cert=/etc/squid/squidCA.pem \
     cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
     options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE \
     tls-dh=prime256v1:/etc/squid/bump_dhparam.pem \
     tcpkeepalive=60,30,3


FYI, NO_SSLv2 is no longer supported with latest Squid. All SSLv2 
related features are fully prohibited by default. Including these 
disable options.


> # Below, a.b.c.d is the backend IP
> cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest 
> originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem 
> sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev


FYI: DONT_VERIFY_PEER disables the 2-way security on these backend 
connections.

Please *actually* set up 2-way TLS validation. Like so:

  * Check that /etc/certs/abc.crt contains the *Client Certificate* 
Squid is supposed to send in 2-way TLS to this backend.

  * Check that /etc/certs/key.pem is the private key matching the 
content of /etc/certs/abc.crt.

  * Add the sslcafile= option with the specific PEM file containing the 
root CA which signed the Server Certificate of a.b.c.d.

  * Remove both sslcapath= and sslflags=DONT_VERIFY_PEER


FWIW, you could merge /etc/certs/abc.crt and /etc/certs/key.pem into one 
PEM file and load it with "sslcert=/etc/certs/squid.pem". In modern 
Squid that file can also contain any necessary chained CA intermediary 
certificates.


> acl dev myport 443
> acl dev myport 80
> acl dev myport 3129
> 

Use "myportname" ACL type instead.

   acl dev myportname 443 80 3129


FWIW, you have not shown any port 80 or 3129 settings. Without 
http(s)_port lines using those as names the values are pointless in this 
ACL.


> http_access allow all
> 

Your network description specified there is a "frontend" receiving 
traffic before relaying it to Squid. You should configure these 
http_access to deny traffic arriving without going through those 
frontend(s). The default squid.conf defines an ACL called "localnet" for 
things like this.


> cache_peer_access dev allow dev
> #cache_peer_access dev deny all

There are no rules specifying what to do with traffic that does not go 
through the peer. That means Squid will currently try to go directly to 
the Internet for all that.

Your network topology description specified that there was a backend 
receiving all traffic. To enforce that you need the following rule:

   never_direct allow all


> #URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 5
> ssl_bump server-first all

With the port 443 configuration fixed your Squid is no longer performing 
SSL-Bump. You can remove all these above settings.


> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

These settings should never be configured like this. All it does is hide 
log entries informing you about security issues. The issues themselves 
still occur.

You should remove them and resolve any issues that are then visible.
FWIW, once never_direct is used and the cache_peer is fixed these should 
not need configuring at all.


HTH
Amos
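Pulling the advice in this reply together into one corrected squid.conf fragment for Squid-4+, as an added example that is not part of Amos's reply or of the original poster's configuration; the FQDN, the frontend address range and the backend CA file name are placeholders that must be replaced for the real deployment.

```conf
# Custom log format under a custom name ("squid" is the built-in format)
logformat nuance %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
access_log daemon:/var/log/squid/access.log logformat=nuance

# PLACEHOLDER: must be a FQDN resolvable in DNS; it appears in error-page URLs
visible_hostname squid.example.com

acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Caching fully disabled
cache deny all
cache_mem 0 KB

# Port 443 carries TLS, so it must be an https_port, not "http_port ... ssl-bump".
# NO_SSLv2 is omitted: SSLv2 is already prohibited by default in current Squid.
https_port 443 \
    tls-cert=/etc/squid/squidCA.pem \
    cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
    options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    tls-dh=prime256v1:/etc/squid/bump_dhparam.pem \
    tcpkeepalive=60,30,3

# Backend (a.b.c.d) with real 2-way TLS validation: client cert + matching key,
# plus the root CA that signed the backend's server certificate (PLACEHOLDER
# file name). sslcapath= and sslflags=DONT_VERIFY_PEER are gone.
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver \
    ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem \
    sslcafile=/etc/certs/backend-root-ca.pem name=dev

# myportname matches the https_port above by its default name; 80 and 3129
# are left out because no *_port lines define them.
acl dev myportname 443

# Only accept traffic that came through the frontend(s).
# PLACEHOLDER: replace with the frontend address range(s).
acl localnet src 192.0.2.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Everything goes via the backend peer; never fetch directly from the Internet.
cache_peer_access dev allow dev
never_direct allow all

# Removed: sslcrtd_program, sslcrtd_children, ssl_bump (no SSL-Bump on an
# https_port) and sslproxy_cert_error / sslproxy_flags (they only hide errors).
```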

