Re: Squid Version 3.5.20

Re: Squid Version 3.5.20

Cherukuri, Naresh

Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. My users are complaining about certificate errors. When I looked at cache.log I saw many error messages like the ones below. Below is my squid.conf file. Any ideas how to address the errors below?

 

Squid.conf:

max_filedesc 4096
visible_hostname pctysqd2prod
logfile_rotate 10

access_log stdio:/var/log/squid/access.log squid

acl localnet src 172.16.0.0/16
acl backoffice_users src 10.136.0.0/13
acl hcity_backoffice_users src 10.142.0.0/15
acl register_users src 10.128.0.0/13
acl hcity_register_users src 10.134.0.0/15
acl partycity url_regex partycity

acl SSL_ports port 443
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443         # https
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210                # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280                # http-mgmt
#acl Safe_ports port 488                # gss-http
#acl Safe_ports port 591                # filemaker
#acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT
#acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

http_access allow localnet register_allowed_sites
http_access deny backoffice_users backoffice_blocked_sites
http_access deny hcity_backoffice_users backoffice_blocked_sites
http_access allow backoffice_users backoffice_allowed_sites
http_access allow hcity_backoffice_users backoffice_allowed_sites
http_access allow register_users register_allowed_sites
http_access allow hcity_register_users hcity_register_allowed_sites
no_cache deny partycity
http_access deny all

#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
http_access  allow CONNECT SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslproxy_cert_error allow all
always_direct allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /cache/squid 10000 16 256

# Leave coredumps in the first cache dir
#rdescoredump_dir /var/spool/squid
coredump_dir /var/log/squid/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#url_rewrite_access allow all
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)
2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown (1/0)


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid Version 3.5.20

Cherukuri, Naresh

Walter,

Thanks for the quick turnaround. Below is my squid.conf file and the errors I see in cache.log.

 

From: Cherukuri, Naresh
Sent: Wednesday, July 19, 2017 9:46 AM
To: '[hidden email]'
Subject: RE: Squid Version 3.5.20

 


Re: Squid Version 3.5.20

Eliezer Croitoru
In reply to this post by Cherukuri, Naresh
Hey,

I have not published the RHEL packages on the squid-cache wiki at:
http://wiki.squid-cache.org/KnowledgeBase/RedHat

and will try to add the details there in the next few days.
You can try to use the RHEL one, which is similar to the CentOS one and is on the same
server that is mentioned on this page:
http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid-3.5

but replace "centos" with "rhel", i.e.:
baseurl=http://www1.ngtech.co.il/repo/rhel/$releasever/$basearch/

There is an up-to-date 3.5.26 package which you should try to use in any
case.
I don't know why you encounter this issue, but it is a good time to know that
there is an up-to-date Squid RPM for RHEL 7.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On
Behalf Of Cherukuri, Naresh
Sent: Wednesday, July 19, 2017 16:46
To: [hidden email]
Subject: Re: [squid-users] Squid Version 3.5.20


Re: Squid Version 3.5.20

Amos Jeffries
Administrator
In reply to this post by Cherukuri, Naresh
PS: please respond to the list; responding to people on-list directly
and cc'ing the list makes the thread view and web forum view all screwed up.

Below is a free audit of your config lines. I suspect I know where your
problem is, but will follow up in the thread where Yuri is posting rather
than this detached side-posting.


On 20/07/17 05:36, Cherukuri, Naresh wrote:

> *From:*Cherukuri, Naresh
> *Sent:* Wednesday, July 19, 2017 9:46 AM
>
> Hi All,
>
> I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA
> certificates,  My users are complaining about certificate errors. When I
> looked at cache.log I see so many error messages like below. Below is my
> squid.conf file. Any ideas how to address below errors.
>
> Squid.conf:
>
> max_filedesc 4096

The directive name should be max_filedescriptors.


> visible_hostname pctysqd2prod

That directive should contain a FQDN, not just a host name.

> logfile_rotate 10
> access_log stdio:/var/log/squid/access.log squid

Above are default values, no need to configure in Squid-3+.

> acl localnet src 172.16.0.0/16
> acl backoffice_users src 10.136.0.0/13
> acl hcity_backoffice_users src 10.142.0.0/15
> acl register_users src 10.128.0.0/13
> acl hcity_register_users src 10.134.0.0/15

If your localnet / LAN ranges are only 172.16/16 what are 10/8 addresses
doing contacting your proxy?


> acl partycity url_regex partycity
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> #acl Safe_ports port 21         # ftp
> acl Safe_ports port 443         # https
> #acl Safe_ports port 70         # gopher
> #acl Safe_ports port 210                # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280                # http-mgmt
> #acl Safe_ports port 488                # gss-http
> #acl Safe_ports port 591                # filemaker
> #acl Safe_ports port 777                # multiling http
> acl CONNECT method CONNECT
> #acl allowed_sites {dst|dstdomain|dstdom_regex|url_regex) "/path/to/file"
> acl backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
> acl hcity_backoffice_allowed_sites url_regex "/etc/squid/backoffice_allowed_sites"
> acl backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
> acl hcity_backoffice_blocked_sites url_regex "/etc/squid/backoffice_blocklist"
> acl register_allowed_sites url_regex "/etc/squid/register_allowed_sites"
> acl hcity_register_allowed_sites url_regex "/etc/squid/hcity_register_allowed_sites"

Hmm, the word "sites" in all these ACL names indicates that you are
trying to match whole domains / websites - not just a few URLs within
those sites that happen to match a regex.
To match a domain use dstdomain, it is MUCH faster than regex.


> http_access allow localnet register_allowed_sites
> http_access deny backoffice_users backoffice_blocked_sites
> http_access deny hcity_backoffice_users backoffice_blocked_sites
> http_access allow backoffice_users backoffice_allowed_sites
> http_access allow hcity_backoffice_users backoffice_allowed_sites
> http_access allow register_users register_allowed_sites
> http_access allow hcity_register_users hcity_register_allowed_sites
> no_cache deny partycity

The directive name is "cache". Also...

Since Squid-3.5 if you actually want to prevent caching of those
partycity URLs please use "store_miss deny partycity" instead.

If you want to *allow* the partycity URLs to cache, you need not
configure cache / no_cache / store_miss.


> http_access deny all

Nothing below this line will have any effect at all. Sadly you have
moved the most critical security controls down below here.


> #http_access allow manager localhost
> #http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
> http_access  allow CONNECT SSL_ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> #http_access allow localnet
> http_access allow localhost

All your http_access rules should be in here around the localnet and
localhost allow lines. Then you can also remove the above "deny all"
line and make the one below do what it is supposed to do.

> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
> key=/etc/squid/pctysquid2sslcerts/pctysquid2prod.pkey \
> cert=/etc/squid/pctysquid2sslcerts/pctysquid2prod.crt \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

Okay so TLS ClientHello gets peeked at, then everything gets bumped.

Fine, but be aware that any sites or client apps using cert pinning (eg.
Chrome when contacting Google, mobile apps calling their home site,
etc.) will completely cease to work through your proxy.

Also, no ssl_bump lines below this one will do anything.


> sslproxy_cert_error allow all
> always_direct allow all
> sslproxy_flags DONT_VERIFY_PEER

Please remove the above completely from your config. It is all based on
temporary hacks from the Squid-3.0 era or a completely wrong misunderstanding
about how TLS works.

You should expect that change to show *more* errors than you are seeing
right now. Those are problems that do need fixing rather than just
hiding from your logs (they still screw people over, just not logged).

You may find that you have to "sslproxy_cert_error allow" for some
errors, but *ONLY* allow specific ones as needed - do not allow anything
to happen silently like above does.


Cheers
Amos
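To make the rule-order point in the audit above concrete, here is an added example (not code from the thread or from the Squid project) that models Squid's first-match http_access evaluation in Python and runs constructed requests through the posted order and through a reordering with the safety controls first and a single final deny. The url_regex list contents are assumed stand-ins, since the real files are not on the page, and the hcity duplicates are omitted.

```python
import ipaddress
import re

# ACLs from the posted squid.conf. The url_regex lists live in files we do
# not have, so their contents here are constructed stand-ins (assumption).
ACLS = {
    "localnet": ("src", ["172.16.0.0/16"]),
    "backoffice_users": ("src", ["10.136.0.0/13"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "Safe_ports": ("port", [80, 443]),
    "SSL_ports": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "register_allowed_sites": ("url_regex", [r"shop\.example"]),        # constructed
    "backoffice_allowed_sites": ("url_regex", [r"intranet\.example"]),  # constructed
    "backoffice_blocked_sites": ("url_regex", [r"games\.example"]),     # constructed
}

# http_access lines in the order they were posted (hcity lines omitted).
POSTED = [
    ("allow", ["localnet", "register_allowed_sites"]),
    ("deny",  ["backoffice_users", "backoffice_blocked_sites"]),
    ("allow", ["backoffice_users", "backoffice_allowed_sites"]),
    ("deny",  ["all"]),            # every line after this one is unreachable
    ("deny",  ["!Safe_ports"]),
    ("allow", ["CONNECT", "SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# Same rules with the port/CONNECT controls first and one final deny, as the
# audit recommends; "deny CONNECT !SSL_ports" is the default line that the
# posted config had commented out.
REORDERED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet", "register_allowed_sites"]),
    ("deny",  ["backoffice_users", "backoffice_blocked_sites"]),
    ("allow", ["backoffice_users", "backoffice_allowed_sites"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    """True if the named ACL matches a request dict with src, port, method, url."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    return any(re.search(p, req["url"]) for p in values)  # url_regex

def http_access(rules, req):
    """Squid semantics: the first line whose ACLs all match decides; a leading
    '!' negates an ACL. With no match, the result is the opposite of the last
    line's action. Returns (action, index-of-deciding-line or None)."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def compare(req):
    """(result under POSTED order, result under REORDERED order)."""
    return http_access(POSTED, req)[0], http_access(REORDERED, req)[0]

# Constructed sample requests.
UNSAFE_PORT = {"src": "172.16.5.5", "port": 8443, "method": "GET", "url": "http://shop.example:8443/"}
FROM_PROXY = {"src": "127.0.0.1", "port": 80, "method": "GET", "url": "http://shop.example/"}
BLOCKED_SITE = {"src": "10.136.1.1", "port": 80, "method": "GET", "url": "http://games.example/"}

if __name__ == "__main__":
    for label, req in (("unsafe port", UNSAFE_PORT), ("from proxy host", FROM_PROXY), ("blocked site", BLOCKED_SITE)):
        print(f"{label:16} posted={compare(req)[0]:5} reordered={compare(req)[1]}")
```

In the posted order the allowed-list line fires before the Safe_ports check, so a listed site on port 8443 is allowed, while requests from the proxy host itself hit the early "deny all" and never reach "allow localhost".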