Transparent squid configuration problem.


Transparent squid configuration problem.

Зубарев Александр Александрович

Hi! I have some problems with the configuration of squid.

What I need:

http/https transparent proxy server based on Debian Stretch with some blacklisted and whitelisted domains

I've used many tutorials and squid.wiki through the installation process and it almost works! But I have one last problem.

When I tried to connect to some websites like https://habr.com I got HTTP ERROR 503. I've tried to find a solution on forums but no one helped me. I know the answer is simple and it's here, but I can't find it by myself.

Here is my squid.conf, cache.log, access.log and iptables script.

Please help! :)

 

Squid.conf:

dns_v4_first on

acl network src 10.84.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
acl CONNECT method CONNECT

http_access deny blacklist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

shutdown_lifetime 1 second

 

cache.log:

Maximum Resident Size: 123312 KB
Page faults with physical i/o: 7
2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4
2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent
2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
2018/08/23 16:19:32 kid1| Service Name: squid
2018/08/23 16:19:32 kid1| Process ID 1209
2018/08/23 16:19:32 kid1| Process Roles: worker
2018/08/23 16:19:32 kid1| With 65535 file descriptors available
2018/08/23 16:19:32 kid1| Initializing IP Cache...
2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/08/23 16:19:32 kid1| Store logging disabled
2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/08/23 16:19:32 kid1| Target number of buckets: 1008
2018/08/23 16:19:32 kid1| Using 8192 Store buckets
2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB
2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
2018/08/23 16:19:32 kid1| Using Least Load store dir selection
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
2018/08/23 16:19:32 kid1| HTCP Disabled.
2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
2018/08/23 16:19:32 kid1| Adaptation support is off.
2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
2018/08/23 16:19:32| pinger: ICMP socket opened.
2018/08/23 16:19:32| pinger: ICMPv6 socket opened
2018/08/23 16:19:32| Pinger exiting.
2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects

 

access.log:

1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html

 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent squid configuration problem.

L.P.H. van Belle
I noticed the following: dig caa habr.com
;; ANSWER SECTION:
habr.com.               3600    IN      CAA     0 iodef "[hidden email]"
habr.com.               3600    IN      CAA     0 issue "comodoca.com"
So you can't bump this site, it's protecting its certificates with a CAA/DANE DNS record.

Greetz,

Louis



Re: Transparent squid configuration problem.

Зубарев Александр Александрович

Thank you, Louis!

Is there some workaround? Maybe I can pass that kind of site through without filtering?

 


Re: Transparent squid configuration problem.

L.P.H. van Belle
If I may suggest...

Use the squid version from Debian sid.
Rebuilding these for stretch isn't that hard.

Add the sid sources, run: apt-get update
apt-get build-dep squid
apt-get source squid -b
Then create a file repo (or http repo) and install squid.

Or, if you don't want to rebuild them, you can get them here.
Squid 4.1 and 4.2 are available for Stretch; I'm using the 4.2 version now.

If that's no option then have a look at https://wiki.squid-cache.org/Features/SslPeekAndSplice
See the configuration example, that's a good example.
Change "bank" to habr.com ;-)

Greetz,

Louis
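The splice-instead-of-bump policy that the wiki page above describes, written out here as an added example for the poster's Squid 3.5 setup (this is not Louis's text, the wiki's, or the poster's config). It replaces the single line "ssl_bump server-first all"; the ACL names and the path /etc/squid/acls/nobump.txt are assumptions.

```conf
# Added example, not from the thread: peek at every intercepted TLS
# connection, pass listed server names through untouched (splice) and
# decrypt everything else (bump). Squid 3.5 ssl_bump syntax.

# The three points in the TLS handshake at which ssl_bump rules are evaluated.
acl step1 at_step SslBump1   # only the intercepted TCP destination (IP:port) is known
acl step2 at_step SslBump2   # client hello has been read: the SNI is known
acl step3 at_step SslBump3   # server hello and server certificate have been read

# Hypothetical list of server names that must not be decrypted, one per
# line in dstdomain style (a leading dot matches every subdomain), e.g.
#   habr.com
#   .habr.com
acl nobump ssl::server_name "/etc/squid/acls/nobump.txt"

ssl_bump peek step1            # step 1: read the client hello without altering it
ssl_bump splice step2 nobump   # step 2: SNI is on the list, tunnel the TLS bytes as-is
ssl_bump stare step2           # step 2: otherwise connect to the server and read its certificate
ssl_bump bump all              # step 3: generate a mimicked certificate and decrypt

# Spliced connections still go through http_access (client IP, port and the
# SNI placed in the fake CONNECT request), so the blacklist ACL can still
# deny them, but their content is never visible to squid.
```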
 

Van: ??????? ????????? ????????????? [mailto:[hidden email]]
Verzonden: donderdag 23 augustus 2018 15:42
Aan: L.P.H. van Belle; [hidden email]
Onderwerp: RE: [squid-users] Transparent squid configuration problem.

Thank you, Louis!

Is there some workaround? May be I can to put that’s kind of sites without filtering?

From: squid-users <[hidden email]> On Behalf Of L.P.H. van Belle
Sent: Thursday, August 23, 2018 4:38 PM
To: [hidden email]
Subject: Re: [squid-users] Transparent squid configuration problem.

i noticed the following :    dig caa habr.com
;; ANSWER SECTION:
habr.com.               3600    IN      CAA     0 iodef "[hidden email]"
habr.com.               3600    IN      CAA     0 issue "comodoca.com"

So you cant bump this site, its protecting its certificates with a CAA/DANE dns record.

Greetz,

Louis


Van: squid-users [[hidden email]] Namens ??????? ????????? ?????????????
Verzonden: donderdag 23 augustus 2018 15:22
Aan: [hidden email]
Onderwerp: [squid-users] Transparent squid configuration problem.

Hi! I have some problems with configuration of squid.

What I need:

http/https transparent proxy server based on Debian Stretch with some blacklisted and whitelisted domains

I’ve used many tutorials and squid.wiki through installation process and it almost work! But I have the last problem.

When I tried to connect to some websites like a https://habr.com I have  got HTTP ERROR 503. Ive tried to find solution at forums but no one helped me. I know the answer is simple and its here but cannt find it by myself.

Here is my squid.conf, cache.log, access.log and iptables script.

Please help! J

Squid.conf:

dns_v4_first on

acl network src 10.84.0.0/16

acl SSL_ports port 443

acl Safe_ports port 80        # http

acl Safe_ports port 21        # ftp

acl Safe_ports port 443        # https

acl Safe_ports port 70        # gopher

acl Safe_ports port 210        # wais

acl Safe_ports port 1025-65535    # unregistered ports

acl Safe_ports port 280        # http-mgmt

acl Safe_ports port 488        # gss-http

acl Safe_ports port 591        # filemaker

acl Safe_ports port 777        # multiling http

acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here

acl CONNECT method CONNECT

http_access deny blacklist

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept

https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem

#always_direct allow all

ssl_bump server-first all

#sslproxy_cert_error deny all

#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:        1440    20%    10080

refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0

refresh_pattern .        0    20%    4320

shutdown_lifetime 1 second

cache.log:

Maximum Resident Size: 123312 KB

Page faults with physical i/o: 7

2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log

2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log

2018/08/23 16:19:27 kid1| Open FD UNSTARTED     6 DNS Socket IPv6

2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4

2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent

2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.

2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid

2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...

2018/08/23 16:19:32 kid1| Service Name: squid

2018/08/23 16:19:32 kid1| Process ID 1209

2018/08/23 16:19:32 kid1| Process Roles: worker

2018/08/23 16:19:32 kid1| With 65535 file descriptors available

2018/08/23 16:19:32 kid1| Initializing IP Cache...

2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6

2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7

2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf

2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf

2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf

2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log

2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log

2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec

2018/08/23 16:19:32 kid1| Store logging disabled

2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects

2018/08/23 16:19:32 kid1| Target number of buckets: 1008

2018/08/23 16:19:32 kid1| Using 8192 Store buckets

2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB

2018/08/23 16:19:32 kid1| Max Swap size: 0 KB

2018/08/23 16:19:32 kid1| Using Least Load store dir selection

2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid

2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.

2018/08/23 16:19:32 kid1| HTCP Disabled.

2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16

2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0

2018/08/23 16:19:32 kid1| Adaptation support is off.

2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9

2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41

2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41

2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...

2018/08/23 16:19:32| pinger: ICMP socket opened.

2018/08/23 16:19:32| pinger: ICMPv6 socket opened

2018/08/23 16:19:32| Pinger exiting.

2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects

Accesslog:

1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html

1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -

1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -

1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -

1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html

1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -

1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -

1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html

Confidentiality notice: This e-mail transmission and any attachments included may contain confidential information. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reliance upon the content of this e-mail is strictly prohibited. If you have received this e-mail transmission in error, please notify sender by e-mail and then delete this message from your inbox.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent squid configuration problem.

Rodrigo Cunha
In reply to this post by Зубарев Александр Александрович
Squid does not work with a transparent proxy for https; that request is processed directly in your browser for security policies. Set up your browser with the proxy and test; transparent for https does not work, only requests to http websites.

If a server processes https requests between client and server, that server is a "man in the middle", which is a security problem for customers in your network.

On Thu, 23 Aug 2018 at 10:42, Зубарев Александр Александрович <[hidden email]> wrote:

Thank you, Louis!

Is there some workaround? Maybe I can let that kind of site through without filtering?

From: squid-users <[hidden email]> On Behalf Of L.P.H. van Belle
Sent: Thursday, August 23, 2018 4:38 PM
To: [hidden email]
Subject: Re: [squid-users] Transparent squid configuration problem.

I noticed the following:

    dig caa habr.com
    ;; ANSWER SECTION:
    habr.com.               3600    IN      CAA     0 iodef "[hidden email]"
    habr.com.               3600    IN      CAA     0 issue "comodoca.com"

So you can't bump this site; it's protecting its certificates with a CAA/DANE DNS record.

Greetz,

Louis




--
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil



Re: Transparent squid configuration problem.

Alex Rousskov
On 08/23/2018 12:40 PM, Rodrigo Cunha wrote:
> Squid does not work with a transparent proxy for https,

That statement is misleading or incorrect. Squid can be configured to
successfully intercept HTTPS traffic in many environments. Intercepted
TLS traffic can then be inspected and spliced (or even bumped to the
HTTP level where possible and necessary).


> that request is processed directly in your browser for security
> policies.

Yes, but so is every request, including HTTPS requests that go through
proxy/CONNECT tunnels. Intercepting proxies do not change much compared
to forward proxies as far as browser HTTPS policies are concerned.
Browsers consider them all to be (a part of) the untrusted internet
between the client and the origin server.


> If a server processes https requests between client and server, that server
> is a "man in the middle",

The same applies to processing HTTPS requests that go through
proxy/CONNECT tunnels. Both intercepting and forward proxies are men in
the middle.


I am writing this correction just to reduce confusion for others that
might find this email thread later. This correction itself does not
address the OP problem.


Alex.



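Alex's point that intercepted TLS can be spliced instead of bumped is the practical route to the workaround the OP asked for: find the destinations that fail under bumping and exclude them. The script below is an added example written for this thread (not Squid code and not posted by anyone in it); it parses the native access.log format shown above, using the thread's eight log lines as constructed sample input, and lists hosts whose bumped HTTPS requests ended in TAG_NONE/503 as candidates for a splice list. It assumes such a list would be consumed by a Squid `ssl::server_name` ACL file; whether splicing alone clears the 503 seen here is not established by the thread.

```python
"""Triage a Squid native-format access.log for TLS-bump failures."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample input: the eight access.log lines posted in the thread,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
"""

# Squid "native" access.log layout:
#   timestamp elapsed_ms client result_code/status bytes method url ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def is_bump_failure(rec):
    """True for a request Squid had to decrypt (intercepted, https:// URL,
    not a CONNECT tunnel) that ended with a proxy-generated 5xx and no cache
    involvement (TAG_NONE).  In the thread this is the GET https://habr.com/
    answered with 503 after 0 ms elapsed."""
    return (
        rec["method"] != "CONNECT"
        and rec["url"].startswith("https://")
        and rec["hier"] == "ORIGINAL_DST"
        and rec["tag"] == "TAG_NONE"
        and 500 <= rec["status"] < 600
    )


def analyze(log_text):
    """Count CONNECT tunnels per origin IP and collect bumped-HTTPS failures per host."""
    parsed = 0
    unparsed = []
    tunnels = Counter()            # origin IP -> number of CONNECT tunnels opened
    failures = defaultdict(list)   # hostname -> list of (origin IP, status)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)
            continue
        parsed += 1
        if rec["method"] == "CONNECT":
            tunnels[rec["peer"]] += 1
        elif is_bump_failure(rec):
            host = urlsplit(rec["url"]).hostname
            failures[host].append((rec["peer"], rec["status"]))
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "tunnels": tunnels,
        "bump_failures": dict(failures),
        "splice_candidates": sorted(failures),
    }


def splice_acl_file(candidates):
    """Render hostnames one per line for a Squid ssl::server_name ACL file,
    the list an 'ssl_bump splice' rule could reference (assumed usage)."""
    return "".join(f"{host}\n" for host in candidates)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"parsed {report['parsed']} lines, {len(report['unparsed'])} unparsed")
    for ip, n in report["tunnels"].most_common():
        print(f"  {n} CONNECT tunnel(s) to {ip}")
    for host, events in report["bump_failures"].items():
        print(f"  bump failure: {host} -> {events}")
    print("splice candidates file:\n" + splice_acl_file(report["splice_candidates"]), end="")
```

Run it against a real access.log by passing the file contents to analyze(); lines in a non-native log format land in the unparsed list rather than being silently dropped.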
Re: Transparent squid configuration problem.

Rodrigo Cunha
Thanks, do you have a how-to for configuring a transparent proxy for https in the current Squid version or in old versions? I want to test it in my environment lab.


Em qui, 23 de ago de 2018 às 16:32, Alex Rousskov <[hidden email]> escreveu:
On 08/23/2018 12:40 PM, Rodrigo Cunha wrote:
> Squid not work with transparent proxy in https,

That statement is misleading or incorrect. Squid can be configured to
successfully intercept HTTPS traffic in many environments. Intercepted
TLS traffic can then be inspected and spliced (or even bumped to the
HTTP level where possible and necessary).


> that request is processed directily in your browser for security
> pollices.

Yes, but so is every request, including HTTPS requests that go through
proxy/CONNECT tunnels. Intercepting proxies do not change much compared
to forward proxies as far as browser HTTPS policies are concerned.
Browsers consider them all to be (a part of) the untrusted internet
between the client and the origin server.


> If a server process requests https betwen client and server, that server
> is a "man in the meadle",

The same applies to processing HTTPS requests that go through
proxy/CONNECT tunnels. Both intercepting and forward proxies are men in
the middle.


I am writing this correction just to reduce confusion for others that
might find this email thread later. This correction itself does not
address the OP problem.


Alex.


> Em qui, 23 de ago de 2018 às 10:42, Зубарев Александр Александрович
> <[hidden email] <mailto:[hidden email]>> escreveu:
>
>     Thank you, Louis! ____
>
>     Is there some workaround? May be I can to put that’s kind of sites
>     without filtering?____
>
>     __ __
>
>     *From:*squid-users <[hidden email]
>     <mailto:[hidden email]>> *On Behalf Of
>     *L.P.H. van Belle
>     *Sent:* Thursday, August 23, 2018 4:38 PM
>     *To:* [hidden email]
>     <mailto:[hidden email]>
>     *Subject:* Re: [squid-users] Transparent squid configuration
>     problem.____
>
>     __ __
>
>     i noticed the following :    dig caa habr.com <http://habr.com>
>     ;; ANSWER SECTION:
>     habr.com <http://habr.com>.               3600    IN      CAA     0
>     iodef "mailto:[hidden email]"
>     habr.com <http://habr.com>.               3600    IN      CAA     0
>     issue "comodoca.com <http://comodoca.com>"____
>
>     So you cant bump this site, its protecting its certificates with a
>     CAA/DANE dns record. ____
>
>      ____
>
>     Greetz, ____
>
>      ____
>
>     Louis____
>
>      ____
>
>      ____
>
>      ____
>
>     __ __
>
>         ------------------------------------------------------------------------
>
>         *Van:*squid-users
>         [mailto:[hidden email]] *Namens
>         *??????? ????????? ?????????????
>         *Verzonden:* donderdag 23 augustus 2018 15:22
>         *Aan:* [hidden email]
>         <mailto:[hidden email]>
>         *Onderwerp:* [squid-users] Transparent squid configuration
>         problem.____
>
>         Hi! I have some problems with configuration of squid.____
>
>         __ __
>
>         What I need:____
>
>         http/https transparent proxy server based on Debian Stretch with
>         some blacklisted and whitelisted domains____
>
>         __ __
>
>         I’ve used many tutorials and squid.wiki through installation
>         process and it almost work! But I have the last problem.____
>
>         __ __
>
>         When I tried to connect to some websites like a https://habr.com
>         I have  got HTTP ERROR 503. Ive tried to find solution at forums
>         but no one helped me. I know the answer is simple and its here
>         but cannt find it by myself.____
>
>         __ __
>
>         Here is my squid.conf, cache.log, access.log and iptables
>         script.____
>
>         __ __
>
>         Please help! J____
>
>         __ __
>
>         Squid.conf:____
>
>         __ __
>
>         dns_v4_first on____
>
>         __ __
>
>         acl network src 10.84.0.0/16 <http://10.84.0.0/16>____
>
>         __ __
>
>         acl SSL_ports port 443____
>
>         acl Safe_ports port 80        # http____
>
>         acl Safe_ports port 21        # ftp____
>
>         acl Safe_ports port 443        # https____
>
>         acl Safe_ports port 70        # gopher____
>
>         acl Safe_ports port 210        # wais____
>
>         acl Safe_ports port 1025-65535    # unregistered ports____
>
>         acl Safe_ports port 280        # http-mgmt____
>
>         acl Safe_ports port 488        # gss-http____
>
>         acl Safe_ports port 591        # filemaker____
>
>         acl Safe_ports port 777        # multiling http____
>
>         acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" #
>         list of blocked websites here____
>
>         acl CONNECT method CONNECT____
>
>         __ __
>
>         http_access deny blacklist____
>
>         http_access deny !Safe_ports____
>
>         http_access deny CONNECT !SSL_ports____
>
>         __ __
>
>         http_access allow all____
>
>         __ __
>
>         http_port 3130____
>
>         __ __
>
>         http_port 3128 intercept____
>
>         https_port 3129 intercept ssl-bump
>         cert=/etc/squid/ssl_cert/vproxy2.pem
>         key=/etc/squid/ssl_cert/vproxy2.pem____
>
>         __ __
>
>         #always_direct allow all____
>
>         ssl_bump server-first all____
>
>         #sslproxy_cert_error deny all____
>
>         #sslproxy_flags DONT_VERIFY_PEER____
>
>         __ __
>
>         sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M
>         4MB____
>
>         sslcrtd_children 8 startup=1 idle=1____
>
>         __ __
>
>         coredump_dir /var/spool/squid____
>
>         __ __
>
>         # Add any of your own refresh_pattern entries above these.____
>
>         refresh_pattern ^ftp:        1440    20%    10080____
>
>         refresh_pattern ^gopher:    1440    0%    1440____
>
>         refresh_pattern -i (/cgi-bin/|\?) 0    0%    0____
>
>         refresh_pattern .        0    20%    4320____
>
>         __ __
>
>         shutdown_lifetime 1 second____
>
>         __ __
>
>         cache.log:
>
>         Maximum Resident Size: 123312 KB
>         Page faults with physical i/o: 7
>         2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
>         2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
>         2018/08/23 16:19:27 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
>         2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4
>         2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent
>         2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
>         2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
>         2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
>         2018/08/23 16:19:32 kid1| Service Name: squid
>         2018/08/23 16:19:32 kid1| Process ID 1209
>         2018/08/23 16:19:32 kid1| Process Roles: worker
>         2018/08/23 16:19:32 kid1| With 65535 file descriptors available
>         2018/08/23 16:19:32 kid1| Initializing IP Cache...
>         2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
>         2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
>         2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
>         2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
>         2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
>         2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
>         2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
>         2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
>         2018/08/23 16:19:32 kid1| Store logging disabled
>         2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>         2018/08/23 16:19:32 kid1| Target number of buckets: 1008
>         2018/08/23 16:19:32 kid1| Using 8192 Store buckets
>         2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB
>         2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
>         2018/08/23 16:19:32 kid1| Using Least Load store dir selection
>         2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
>         2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
>         2018/08/23 16:19:32 kid1| HTCP Disabled.
>         2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
>         2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
>         2018/08/23 16:19:32 kid1| Adaptation support is off.
>         2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
>         2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
>         2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
>         2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
>         2018/08/23 16:19:32| pinger: ICMP socket opened.
>         2018/08/23 16:19:32| pinger: ICMPv6 socket opened
>         2018/08/23 16:19:32| Pinger exiting.
>         2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects
>
>         Accesslog:
>
>         1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
>         1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
>         1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
>         1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
>         1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
>         1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
>         1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
>         1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
> São Gonçalo, RJ - Brasil

--
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent squid configuration problem.

Amos Jeffries
Administrator
On 24/08/18 9:05 AM, Rodrigo Cunha wrote:
> Thanks, do you have a how-to for configuring a transparent proxy for https in the current
> Squid version or in old versions? I want to test it in my environment lab.
>

That would be the SSL-Bump features I mentioned to you the other day.
The latest info is at
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent squid configuration problem.

Зубарев Александр Александрович
In reply to this post by L.P.H. van Belle

Thank you, Louis!

I've downloaded Squid v. 4.2 from Sid, rebuilt it and configured it to use ssl_bump for whitelisted websites at step 2 (apple.com, google.com, etc.).

Without bumping, some sites that use round-robin were unavailable with "SECURITY ALERT: Host header forgery detected…"

Now everything is working in the test environment.

I think the thread is closed, thanks for the help! It was cool!


From: squid-users <[hidden email]> On Behalf Of L.P.H. van Belle
Sent: Thursday, August 23, 2018 5:22 PM
To: [hidden email]
Subject: Re: [squid-users] Transparent squid configuration problem.

 

If i may suggest..

 

Use the squid version from debian sid.

Rebuilding these to stretch isnt that hard.

 

add  the sid sources, run : apt-get update

apt-get build-dep squid

apt-get source squid -b

then create a file repo ( or http repo ) and install squid.


or, if you dont want to rebuild them. you can get them here.

A squid 4.1 and 4.2 are available for Stretch im using now the 4.2 version.

 

If thats no option then have a look at https://wiki.squid-cache.org/Features/SslPeekAndSplice 

See the configuration example, that a good example. 

Change "bank" in habr.com   ;-) 

 

 

Greetz,

 

Louis

 


From: Зубарев Александр Александрович [[hidden email]]
Sent: Thursday, 23 August 2018 15:42
To: L.P.H. van Belle; [hidden email]
Subject: RE: [squid-users] Transparent squid configuration problem.

Thank you, Louis!

Is there some workaround? Maybe I can put that kind of site through without filtering?

From: squid-users <[hidden email]> On Behalf Of L.P.H. van Belle
Sent: Thursday, August 23, 2018 4:38 PM
To: [hidden email]
Subject: Re: [squid-users] Transparent squid configuration problem.

I noticed the following:    dig caa habr.com
;; ANSWER SECTION:
habr.com.               3600    IN      CAA     0 iodef "[hidden email]"
habr.com.               3600    IN      CAA     0 issue "comodoca.com"

So you can't bump this site, it's protecting its certificates with a CAA/DANE DNS record.

Greetz,

Louis


From: squid-users [[hidden email]] On Behalf Of Зубарев Александр Александрович
Sent: Thursday, 23 August 2018 15:22
To: [hidden email]
Subject: [squid-users] Transparent squid configuration problem.

Hi! I have some problems with the configuration of squid.

What I need:

An http/https transparent proxy server based on Debian Stretch with some blacklisted and whitelisted domains.

I've used many tutorials and the squid wiki through the installation process and it almost works! But I have one last problem.

When I try to connect to some websites like https://habr.com I get HTTP ERROR 503. I've tried to find a solution on forums but no one helped me. I know the answer is simple and it's here but I can't find it by myself.

Here is my squid.conf, cache.log, access.log and iptables script.

Please help! :)

Squid.conf:

dns_v4_first on

acl network src 10.84.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
acl CONNECT method CONNECT

http_access deny blacklist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

shutdown_lifetime 1 second

cache.log:

Maximum Resident Size: 123312 KB
Page faults with physical i/o: 7
2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
2018/08/23 16:19:27 kid1| Open FD READ/WRITE    7 DNS Socket IPv4
2018/08/23 16:19:27 kid1| Open FD UNSTARTED    10 IPC UNIX STREAM Parent
2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
2018/08/23 16:19:32 kid1| Service Name: squid
2018/08/23 16:19:32 kid1| Process ID 1209
2018/08/23 16:19:32 kid1| Process Roles: worker
2018/08/23 16:19:32 kid1| With 65535 file descriptors available
2018/08/23 16:19:32 kid1| Initializing IP Cache...
2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/08/23 16:19:32 kid1| Store logging disabled
2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/08/23 16:19:32 kid1| Target number of buckets: 1008
2018/08/23 16:19:32 kid1| Using 8192 Store buckets
2018/08/23 16:19:32 kid1| Max Mem  size: 262144 KB
2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
2018/08/23 16:19:32 kid1| Using Least Load store dir selection
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
2018/08/23 16:19:32 kid1| HTCP Disabled.
2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
2018/08/23 16:19:32 kid1| Adaptation support is off.
2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
2018/08/23 16:19:32| pinger: ICMP socket opened.
2018/08/23 16:19:32| pinger: ICMPv6 socket opened
2018/08/23 16:19:32| Pinger exiting.
2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects

Accesslog:

1535030545.214      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442    608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442    617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717    422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879     36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522     77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623     95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625      0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
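Louis's pointer to the SslPeekAndSplice wiki page and Alexander's closing note (ssl_bump only for whitelisted sites at step 2, everything else left alone) describe one policy without showing it. The fragment below is an added example of that policy written for a Squid 4.x build with OpenSSL; it is not configuration from the thread, the poster or the Squid project. The allow-list file /etc/squid/acls/bump_sites.txt and the `localnet` ACL name are assumptions; the certificate paths, the ssl_db path and the blacklist file are the ones from the original post's squid.conf. It replaces the original `ssl_bump server-first all`, which forges a certificate for every site and so also breaks sites the client pins or that the proxy cannot fetch cleanly.

```conf
# Added example (not from the thread): peek at step 1, bump only the
# allow-listed sites at step 2, splice everything else.  Squid 4.x.
# Assumed: /etc/squid/acls/bump_sites.txt (one domain per line) and the
# "localnet" ACL name.  Paths below otherwise come from the original post.

acl localnet src 10.84.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# SslBump step ACLs: step 1 sees only the TCP destination, step 2 sees the
# client's ClientHello (SNI) after a peek.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# SNI-based ACLs; meaningful from step 2 onward.
acl bump_sites ssl::server_name "/etc/squid/acls/bump_sites.txt"
acl blocked    ssl::server_name "/etc/squid/acls/social_networks.txt"

http_port  3128 intercept
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/vproxy2.pem \
    key=/etc/squid/ssl_cert/vproxy2.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Squid 4 renamed the certificate generator from ssl_crtd to
# security_file_certgen; the database must be initialised once with
# "security_file_certgen -c -s /var/lib/ssl_db -M 4MB".
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# Step 1: read the ClientHello without altering the handshake.
ssl_bump peek step1
# Step 2: blocked sites get their connection closed (no certificate is forged
# for them), allow-listed sites are bumped with a mimicked server certificate
# signed by vproxy2.pem (clients must trust that CA), all others are spliced
# through untouched, so pinned or CAA-restricted sites keep their real cert.
ssl_bump terminate blocked
ssl_bump bump bump_sites
ssl_bump splice all

# Access policy.  Bumped requests are checked as normal HTTP; spliced
# connections are checked only as a CONNECT pseudo-request whose host is
# the SNI, so dstdomain-style rules still apply to both.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Verify with `squid -k parse` before reloading; Squid rejects an `ssl::server_name` ACL or an `at_step` ACL in a build without OpenSSL support, which is the usual reason a peek/splice config fails on a stock Stretch package. In access.log a spliced connection still appears as a `CONNECT host:443` line with `TAG_NONE/200`, while a bumped one is followed by the decrypted `GET https://...` entries, so the two paths can be told apart when checking that only the allow-listed sites are being decrypted.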