Squid Explicit Proxying

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid Explicit Proxying

Eric F.
Hi,

I use OpenBSD 6.7 with Squid 4.12.
I want to filter http and https website, so i'm trying to use SSL
bumping.
But unfortunately, my configuration doesn't work. I explain what i did:

The host is named : proxy.lab.local

I generated the certificate like that:

cd /etc/squid
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout
squid.pem -out squid.pem
openssl x509 -in /etc/squid/squid.pem -outform DER -out
/etc/squid/browser.der
chown _squid:_squid *.pem

run squid with squid -z && rcctl start squid

no errors.

I installed the browser.der on my Windows 10 laptop (added the proxy),
therefore i can't access any webpage.

I tried on the squid server the following tests (curl)

proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in
certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could
not
establish a secure connection to it. To learn more about this situation
and
how to fix it, please visit the web page mentioned above.

proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem
-l https://www.google.com
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert
handshake failure

Can you help me to troubleshoot this issue ?

Thank you very much.

Below my configuration :


proxy# squid -v
Squid Cache: Version 4.12
Service Name: squid

This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
see https://www.openssl.org/source/license.html

configure options:  '--disable-strict-error-checking'
'--disable-arch-native' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-digest' '--enable-follow-x-forwarded-for'
'--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client'
'--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru
heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
'--enable-storeio=aufs ufs diskd' '--with-default-user=_squid'
'--with-filedescriptors=8192' '--with-krb5-config=no'
'--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=SQL_session
file_userip time_quota  unix_group wbinfo_group  LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules'
'--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
'CXXFLAGS=-O2 -pipe'

proxy# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7               # RFC 4193 local private network
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
   cert=/etc/squid/squid.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=8MB

sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
/var/squid/ssl_db -M 8MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_children 5
sslproxy_cert_sign signTrusted

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr [hidden email]
# EOF

Cheers,
Eric
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid Explicit Proxying

Amos Jeffries
Administrator
On 25/08/20 10:35 pm, Eric F. wrote:

> Hi,
>
> I use OpenBSD 6.7 with Squid 4.12.
> I want to filter http and https website, so i'm trying to use SSL bumping.
> But unfortunately, my configuration doesn't work. I explain what i did:
>
> The host is named : proxy.lab.local
>
> I generated the certificate like that:
>
> cd /etc/squid
> openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout
> squid.pem -out squid.pem

This creates keys. The public cert still needs to be signed. Though curl
below indicates a self-signed cert is present in the chain it gets from
Squid.
 That is a bit odd.


> openssl x509 -in /etc/squid/squid.pem -outform DER -out
> /etc/squid/browser.der

This should be done after signing. Whether you do self-signed or not
export the DER from the same file you put in the --CA parameter for the
signing process.


> chown _squid:_squid *.pem
>
> run squid with squid -z && rcctl start squid
>
> no errors.
>
> I installed the browser.der on my Windows 10 laptop (added the proxy),
> therefore i can't access any webpage.

Er. You should still be able to access web pages. The traffic should
just be going via Squid if you "added the proxy" right.


>
> I tried on the squid server the following tests (curl)
>
> proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html


curl on the proxy machine does not know about browser.der on the Windows
machines. This is expected result.


>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem
> -l https://www.google.com
> curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert
> handshake failure
>

The -l indicates an email or FTP server being connected to. Otherwise
this command looks correct.

I start by looking up the OpenSSL error message. Unfortunately that one
produces no search results for me. You might have better luck. In
absence of any useful info about what the error means next thing is to
get the verbose output from curl to see what is going on.
 And check the Squid cache.log with "debug_options ALL,5" to see what
Squid is doing at its end.

 If that does not provide more useful clues then TCP level packet trace
in wireshark as a last resort.



> Can you help me to troubleshoot this issue ?
>
> Thank you very much.
>
> Below my configuration :
>
>
> proxy# squid -v
> Squid Cache: Version 4.12
> Service Name: squid
>
> This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
> see https://www.openssl.org/source/license.html
>

FYI, LibreSSL is not formally supported due to the number of behavioural
differences it now has with OpenSSL. SSL-Bump is a mix of custom Squid
code and relatively low-level calls into OpenSSL. While LibreSSL usually
builds, we cannot guarantee those low-level calls do what SSL-Bump expects.


...

>
> acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
> acl bad_domains dstdomain "/etc/squid/bad_domains"
>
> http_access deny bad_urls
> http_access deny bad_domains
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>

Nit: that line means all the bad_* checks should be down here.


> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
>   cert=/etc/squid/squid.pem \

Nit: the option is now named tls-cert=


>   generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
>
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
> /var/squid/ssl_db -M 8MB
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all


This makes SSL-Bump generate the certificates without any details from
the actual server. You can expect a lot of issues with TLS features that
need end-to-end negotiation (eg TLS/1.3 connections).

To work around that:

  acl step1 at_step SslBump1
  ssl_bump peek step1

  acl step2 at_step SslBump2
  ssl_bump stare step2

  ssl_bump bump all


> sslcrtd_children 5
> sslproxy_cert_sign signTrusted
>


HTH
Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid Explicit Proxying

Eric F.
First, thank you very much for your help, you re awesome !

I can in fact browse HTTP pages, but not HTTPS.

Can i ask you a bit more help :) ?

I applied some changes :

Regarding the certificate, i read the man page
http://man.openbsd.org/ssl
cd /etc/squid
openssl genrsa -out squid.key 4096
openssl req -new -key squid.key -out squid.csr
openssl x509 -sha256 -req -days 365 -in squid.csr -signkey squid.key
-out squid.crt
cat squid.crt squid.key > squid.pem
chown _squid:_squid *.pem
chmod 700 *.pem
openssl x509 -in squid.pem -outform DER -out browser.der

Now when i try : curl --proxy http://127.0.0.1:3128 --cacert
/etc/squid/squid.pem -l https://www.google.com
I get : curl: (60) SSL certificate problem: unable to get local issuer
certificate...

On the Windows 10 laptop, i configured the proxy using inetcpl.cpl see
attached screenshot (IE options).
I also added the browser.der to root certification in the snap
certmgr.msc (see attached screenshot).

On Firefox, I get SEC_ERROR_UNKNOWN_ISSUER when trying to browse https
website.
On Chrome, I get ERR_CONNECTION_CLOSED when trying to browse https
website.

HTTP website is OK.

I enabled the debug in squid.conf like you suggested me :)

Here the squid -k parse :

   --8<--

obsd-proxy# squid -k parse
2020/08/26 10:35:44| Startup: Initializing Authentication Schemes ...
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'basic'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'digest'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme
'negotiate'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'ntlm'
2020/08/26 10:35:44| Startup: Initialized Authentication.
2020/08/26 10:35:44| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2020/08/26 10:35:44| Processing: debug_options ALL,5
2020/08/26 10:35:44| Processing: acl localnet src 0.0.0.1-0.255.255.255  
# RFC 1122 "this" network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 10.0.0.0/8            
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 100.64.0.0/10          
# RFC 6598 shared address space (CGN)
2020/08/26 10:35:44| Processing: acl localnet src 169.254.0.0/16        
# RFC 3927 link-local (directly plugged) machines
2020/08/26 10:35:44| Processing: acl localnet src 172.16.0.0/12          
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 192.168.0.0/16        
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src fc00::/7              
# RFC 4193 local private network range
2020/08/26 10:35:44| Processing: acl localnet src fe80::/10              
# RFC 4291 link-local (directly plugged) machines
2020/08/26 10:35:44| Processing: acl SSL_ports port 443
2020/08/26 10:35:44| Processing: acl Safe_ports port 80          # http
2020/08/26 10:35:44| Processing: acl Safe_ports port 21          # ftp
2020/08/26 10:35:44| Processing: acl Safe_ports port 443         # https
2020/08/26 10:35:44| Processing: acl Safe_ports port 70          #
gopher
2020/08/26 10:35:44| Processing: acl Safe_ports port 210         # wais
2020/08/26 10:35:44| Processing: acl Safe_ports port 1025-65535  #
unregistered ports
2020/08/26 10:35:44| Processing: acl Safe_ports port 280         #
http-mgmt
2020/08/26 10:35:44| Processing: acl Safe_ports port 488         #
gss-http
2020/08/26 10:35:44| Processing: acl Safe_ports port 591         #
filemaker
2020/08/26 10:35:44| Processing: acl Safe_ports port 777         #
multiling http
2020/08/26 10:35:44| Processing: acl CONNECT method CONNECT
2020/08/26 10:35:44| Processing: http_access deny !Safe_ports
2020/08/26 10:35:44| Processing: http_access deny CONNECT !SSL_ports
2020/08/26 10:35:44| Processing: http_access allow localhost manager
2020/08/26 10:35:44| Processing: http_access deny manager
2020/08/26 10:35:44| Processing: acl bad_urls urlpath_regex -i
"/etc/squid/bad_urls"
2020/08/26 10:35:44| Processing: acl bad_domains dstdomain
"/etc/squid/bad_domains"
2020/08/26 10:35:44| Processing: http_access deny bad_urls
2020/08/26 10:35:44| Processing: http_access deny bad_domains
2020/08/26 10:35:44| Processing: http_access allow localnet
2020/08/26 10:35:44| Processing: http_access allow localhost
2020/08/26 10:35:44| Processing: http_access deny all
2020/08/26 10:35:44| Processing: http_port 3128 ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls-cert=/etc/squid/squid.pem
2020/08/26 10:35:44| Processing: acl step1 at_step SslBump1
2020/08/26 10:35:44| Processing: ssl_bump peek step1
2020/08/26 10:35:44| Processing: acl step2 at_step SslBump2
2020/08/26 10:35:44| Processing: ssl_bump stare step2
2020/08/26 10:35:44| Processing: ssl_bump bump all
2020/08/26 10:35:44| Processing: sslcrtd_program
/usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M
4MB
2020/08/26 10:35:44| Processing: sslcrtd_children 5
2020/08/26 10:35:44| Processing: sslproxy_cert_sign signTrusted
2020/08/26 10:35:44| Processing: coredump_dir /var/squid/cache
2020/08/26 10:35:44| Processing: refresh_pattern ^ftp:           1440    
20%     10080
2020/08/26 10:35:44| Processing: refresh_pattern ^gopher:        1440    
0%      1440
2020/08/26 10:35:44| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    
0%      0
2020/08/26 10:35:44| Processing: refresh_pattern .               0      
20%     4320
2020/08/26 10:35:44| Processing: cache_mgr [hidden email]
2020/08/26 10:35:44| Initializing https:// proxy context
2020/08/26 10:35:44| Initializing http_port [::]:3128 TLS contexts
2020/08/26 10:35:44| Using certificate in /etc/squid/squid.pem
2020/08/26 10:35:44| Using certificate chain in /etc/squid/squid.pem
2020/08/26 10:35:44| Adding issuer CA: ...CN=proxy.lab.local...
2020/08/26 10:35:44| Using key in /etc/squid/squid.pem
2020/08/26 10:35:44| Initializing http_port 0.0.0.0:3128 TLS contexts
2020/08/26 10:35:44| Using certificate in /etc/squid/squid.pem
2020/08/26 10:35:44| Using certificate chain in /etc/squid/squid.pem
2020/08/26 10:35:44| Adding issuer CA: ...CN=proxy.lab.local...
2020/08/26 10:35:44| Using key in /etc/squid/squid.pem
2020/08/26 10:35:44.677| 20,5| src/store.cc(352) ~StoreEntry: StoreEntry
destructed, this=0x4b943c9abb0
2020/08/26 10:35:44.678| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bb9e638b00
2020/08/26 10:35:44.686| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bc0acfac80
2020/08/26 10:35:44.686| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bb4a362600

   -->8--

squid.conf, now looks like :

   --8<--

debug_options ALL,5

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7               # RFC 4193 local private network
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \
   tls-cert=/etc/squid/squid.pem

acl step1 at_step SslBump1
ssl_bump peek step1
acl step2 at_step SslBump2
ssl_bump stare step2
ssl_bump bump all

sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
/var/squid/ssl_db -M 4MB

sslcrtd_children 5
sslproxy_cert_sign signTrusted

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr [hidden email]

   --8<--


Le 2020-08-26 09:36, Amos Jeffries a écrit :
> On 25/08/20 10:35 pm, Eric F. wrote:

> FYI, LibreSSL is not formally supported due to the number of
> behavioural
> differences it now has with OpenSSL. SSL-Bump is a mix of custom Squid
> code and relatively low-level calls into OpenSSL. While LibreSSL
> usually
> builds, we cannot guarantee those low-level calls do what SSL-Bump
> expects.

Which Linux distribution do you advise me ?? Do i need to forget OpenBSD
?


Thank you so much!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

cert-added.png (3K) Download Attachment
config-proxy-10.png (16K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

error:transaction-end-before-headers

Eric F.
Hi,

I use squid 4.12 with LDAP (Active Directory).
All works great except sometimes I have the following errors in my
access.log file :

1598438527.315      0 192.168.0.50 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- -

How can i correct that ? Any suggestions ?

Below my squid.conf file :

   --8<--

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7               # RFC 4193 local private network
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R
-b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f
"(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr [hidden email]

   -->8--

Thank you very much !

Cheers,

Eric F.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: error:transaction-end-before-headers

L.P.H. van Belle
Hai,

Just something i noticed..

> auth_param basic program
> /usr/local/libexec/squid/basic_ldap_auth -P -R
> -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f
> "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389

Change that to:  
auth_param basic program
 /usr/local/libexec/squid/basic_ldap_auth -P -R
 -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local  -W /etc/squid/ldap-bind-pwdfile
 -f "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389

-w squid is changed to
-W path/2//etc/squid/ldap-bind-pwdfile_containing_your_password.

Only add your password in there and only give squid read rights.

Why, if someone runs ps, they might catch the squid password your using..

On your question, see also.
https://www.mail-archive.com/squid-users@.../msg19734.html 

I cant answer it myself, i dont know.


Greetz,

Louis



> -----Oorspronkelijk bericht-----
> Van: squid-users
> [mailto:[hidden email]] Namens Eric F.
> Verzonden: woensdag 26 augustus 2020 13:53
> Aan: [hidden email]
> Onderwerp: [squid-users] error:transaction-end-before-headers
>
> Hi,
>
> I use squid 4.12 with LDAP (Active Directory).
> All works great except sometimes I have the following errors in my
> access.log file :
>
> 1598438527.315      0 192.168.0.50 NONE/000 0 NONE
> error:transaction-end-before-headers - HIER_NONE/- -
>
> How can i correct that ? Any suggestions ?
>
> Below my squid.conf file :
>
>    --8<--
>
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this"
> network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local
> private network
> (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared
> address space
> (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local
> (directly
> plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local
> private network
> (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local
> private network
> (LAN)
> acl localnet src fc00::/7               # RFC 4193 local
> private network
> range
> acl localnet src fe80::/10              # RFC 4291 link-local
> (directly
> plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
> acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
> acl bad_domains dstdomain "/etc/squid/bad_domains"
>
> http_access deny bad_urls
> http_access deny bad_domains
>
> auth_param basic program
> /usr/local/libexec/squid/basic_ldap_auth -P -R
> -b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f
> "(&(objectClass=person)(sAMAccountName=%s))" -v 3 192.168.0.7:389
>
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth
>
> http_access allow localnet
> http_access allow localhost
>
> http_access deny all
>
> http_port 3128
>
> coredump_dir /var/squid/cache
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> cache_mgr [hidden email]
>
>    -->8--
>
> Thank you very much !
>
> Cheers,
>
> Eric F.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users