[squid-users] bypassing the domains

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 5 14:46:04 UTC 2025


On 2025-02-05 05:54, udhayakumar wrote:

> if i put whitelist_regex in the below config, whichever domains i try to
> browse in the browser, it says *SSL_ERROR_RX_RECORD_TOO_LONG*

IIRC, that usually happens when Squid responds with a plain text error 
page while the browser expects TLS. You may be able to confirm that by 
looking at the problematic browser-Squid transactions using wireshark or 
a similar packet analysis tool.


> ssl_bump peek step1
> ssl_bump splice sslwhitelist
> ssl_bump splice allowed_sites
> ssl_bump bump all

Do you have http_access rules that allow TLS connections to sites 
matching sslwhitelist and allowed_sites ACLs? I do not see them. Please 
keep in mind that http_access controls access (for requests on all 
connections) while ssl_bump controls whether/when TLS connections are 
decrypted. Both sets of rules are important. For example, if http_access 
denies a request, then Squid will not splice the corresponding 
client-to-Squid and Squid-to-server connections.

Please also note that your second set of ssl_bump rules (not shown 
above) will never be reached because one of the ssl_bump rules shown 
above will always match, ending ssl_bump rule evaluation.


HTH,

Alex.
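
Added example, not code from this thread or from Squid itself: a small Python model of the first-match ssl_bump evaluation described above, run over the two rule sets quoted in this thread, with http_access checked before ssl_bump. The whitelist contents, the TlsHello type and the helper names are constructed for the example.

```python
"""Toy model of Squid's first-match ssl_bump evaluation (added example, not
Squid code), using the rule sets quoted in this thread.  Squid re-evaluates
the ssl_bump list at each SslBump step and applies the action of the first
rule whose ACLs all match; the model reproduces only that behaviour."""
import re
from dataclasses import dataclass

# Constructed stand-ins for the two files named in the poster's config.
WHITELIST_REGEX = re.compile(r"(^|\.)icicibank\.com$", re.I)   # whitelist_regex.acl
ALLOWED_SITES = {".hdfcbank.com", ".copilot.microsoft.com"}    # whitelist.acl

@dataclass
class TlsHello:
    step: int                        # 1, 2 or 3, as the at_step ACLs see it
    sni: str = ""                    # server name; Squid only learns it at step 2
    http_access_allowed: bool = True # result of the http_access rules for this request

def acl_step1(h): return h.step == 1
def acl_all(h): return True
def acl_sslwhitelist(h): return bool(WHITELIST_REGEX.search(h.sni))
def acl_allowed_sites(h):
    # ssl::server_name: a leading-dot entry matches the domain and its subdomains
    return any(h.sni == d.lstrip(".") or h.sni.endswith(d) for d in ALLOWED_SITES)

# The rules Alex quotes, followed by the second set further down squid.conf.
SSL_BUMP_RULES = [
    ("peek",   [acl_step1]),          # ssl_bump peek step1
    ("splice", [acl_sslwhitelist]),   # ssl_bump splice sslwhitelist
    ("splice", [acl_allowed_sites]),  # ssl_bump splice allowed_sites
    ("bump",   [acl_all]),            # ssl_bump bump all
    ("peek",   [acl_step1]),          # ssl_bump peek step1   (second set)
    ("bump",   [acl_all]),            # ssl_bump bump all     (second set)
]

def first_match(rules, hello):
    """Index and action of the first rule whose ACLs all match, else (None, "none")."""
    for i, (action, acls) in enumerate(rules):
        if all(acl(hello) for acl in acls):
            return i, action
    return None, "none"

def decide(hello):
    """http_access is checked first: a denied request is never spliced or bumped."""
    return "deny" if not hello.http_access_allowed else first_match(SSL_BUMP_RULES, hello)[1]

def unreachable_rules(rules, hellos):
    """Rule indices that none of the sample connections ever reaches."""
    reached = {first_match(rules, h)[0] for h in hellos}
    return [i for i in range(len(rules)) if i not in reached]
```

Running unreachable_rules over a handful of constructed hellos at steps 1 to 3 returns [4, 5], the second peek/bump pair, matching the point made above.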


>> http_port 3128
>> http_port 3129 tproxy
>> https_port 3127 tproxy ssl-bump cert=/etc/squid_av/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:RC4:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=ALL:NO_SSLv3
>>
>> #don't verify peer & allow accept with validate and error
>> #tls_outgoing_options flags=DONT_VERIFY_PEER
>> tls_outgoing_options flags=DONT_VERIFY_DOMAIN
>> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>
>> icp_port 0
>> digest_generation off
>> error_default_language en
>> #logformat icap_squid %tl %>a %>p %<A %la %lp %<la %<lp %tr %dt
>> #icap_log /var/log/squid/access.log
>> #logformat customlog (%tl) source_ip=%>a src_port=%>p user=%ui [%tl] "%rm %ru HTTP/%rv" status=%>Hs size=%<st user_agent="%{User-Agent}>h"
>>
>>
>> cache_log /var/log/squid/cache.log
>> cache_store_log none
>> netdb_filename /var/squid/logs/netdb.state
>> pinger_enable off
>>
>> log_icp_queries off
>> logfile_rotate 1
>> # squid worker config optimize based on processor
>> workers 16
>> cpu_affinity_map process_numbers=1,2, cores=1,3
>> # certificate mimic
>> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB -b 2048
>> logfile_rotate 2
>> debug_options rotate=2
>> #proxy options
>> hosts_file /etc/hosts
>> fqdncache_size 6000
>> visible_hostname fatpipe_proxy
>> collapsed_forwarding on
>> forwarded_for transparent
>> via on
>> httpd_suppress_version_string on
>> uri_whitespace strip
>> shutdown_lifetime 3 seconds
>> url_rewrite_host_header on
>> #logging strip
>> strip_query_terms on
>> #cache option Amount RAM half
>> cache_mem 8096 MB
>> memory_cache_mode always
>> maximum_object_size_in_memory 256 KB
>> memory_replacement_policy heap GDSF
>> cache_replacement_policy heap LFUDA
>> minimum_object_size 0 KB
>> maximum_object_size 4 MB
>> #cache allocation disk store block by block it's helps disk i/o
>> cache_dir rock /var/spool/rockfs/squid_cache 20000 max-size=32768 max-swap-rate=250 swap-timeout=200
>> max_stale 1 week
>> on_unsupported_protocol tunnel
>>
>> offline_mode off
>> #cache low and high mark
>> cache_swap_low 90
>> cache_swap_high 96
>> cache allow all
>>
>> #pipelining for HTTP pipelining
>> pipeline_prefetch 6
>> acl SSL_ports port 443          #https
>> acl SSL_ports port 563          #https
>>
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>>
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>>
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>>
>> #new tweak
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
>> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
>> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
>> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
>> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
>> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
>> acl localnet src fc00::/7               # RFC 4193 local private network range
>> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
>> acl allsrc src all
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>>
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>>
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow windowsupdate localnet
>>
>> #skip lan subnet
>> #acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> #sslproxy_cert_error allow localnet DomainMismatch
>> #sslproxy_cert_error deny all
>>
>> # Define a list of websites to skip the proxy
>> #acl sslwhitelist ssl::server_name_regex -i "/etc/squid_av/whitelist_regex.acl"
>> #acl allowed_sites ssl::server_name "/etc/squid_av/whitelist.acl"
>> #acl local-external dstdomain .google.com .icicibank.com
>> #always_direct allow local-external
>> #acl allowed_sites ssl::server_name .foo.com .hdfcbank.com .copilot.microsoft.com
>> #sslproxy_cert_error allow allowed_sites
>> host_verify_strict off
>>
>> ssl_bump peek step1
>> #ssl_bump splice sslwhitelist
>> #ssl_bump splice allowed_sites
>> ssl_bump bump all
>>
>> http_access allow manager localhost
>> http_access deny manager
>>
>> http_access allow purge localhost
>> http_access deny purge
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localnet
>> http_access allow localhost
>> #request header config
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> request_body_max_size 0 KB
>> #delay_pools config
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 -1/-1
>> delay_initial_bucket_level 100
>> # Throttle extensions matched in the url
>> #acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
>> #delay_access 1 allow throttle_exts
>> #delay_access 1 deny allsrc
>>
>> # Set YouTube safesearch restriction
>> #acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
>> #request_header_access YouTube-Restrict deny all
>> #request_header_add YouTube-Restrict moderate youtubedst
>> ssl_bump peek step1
>> ssl_bump bump all
>> # Allow local network(s) on interface(s)
>> http_access allow localnet
>>
>> # Default block all to be sure
>> http_access deny allsrc
>>
>>
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_encode off
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>>
>>
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_resp allow all
>>
>> #debug_options ALL,1
>> sslproxy_cert_error allow all
>> negative_ttl 0 seconds
>> negative_dns_ttl 1 second
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/log/dump/squid
>>
>>
>> /udhayakumar.
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
