how to go from connect/tunnel in squid4 ->GET


how to go from connect/tunnel in squid4 ->GET

L A Walsh
I had a version of this working in squid3.x, but it didn't work
for some sites and didn't work well with a newer Opera, but did
ok with an older FF-clone.

I bumped to squid4 a few months ago, but still haven't gotten to the point
where I can see and cache individual requests and following config examples
@ https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit,
I'm feeling rather clueless as to what I'm missing.

If someone could throw a few hints/clueballs my way I'd really appreciate
knowing what I'm doing wrong.

My port line looks like (it's all 1 line):
http_port ishtar.sc.tlinx.org:8118 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB tls-cert=/etc/squid/ssl_cert/myCA.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=secp521r1,/etc/squid/ssl_cert/dhparam-4096.pem

myCA.pem contains both private+public sigs.  I generated a separate
dhparam file, but don't know if I was supposed to include the curve
type in the generation command or if it only uses that later.

I pre-generated the cert dir and it seems to be running, but I don't
see any certs appearing in the dir


Looking at squid w/ps, I see:
root     56805     1  0 04:28 ?        00:00:00 /usr/sbin/squid
squid    56807 56805 42 04:28 ?        00:00:03 (squid-1) --kid squid-1
squid    56809 56807  0 04:28 ?        00:00:00 (security_file_certgen)
-s /var/cache/squid/lib/ssl_db -M 64MB
squid    56810 56807  0 04:28 ?        00:00:00 (security_file_certgen)
-s /var/cache/squid/lib/ssl_db -M 64MB
squid    56811 56807  0 04:28 ?        00:00:00 (security_file_certgen)
-s /var/cache/squid/lib/ssl_db -M 64MB
squid    56812 56807  0 04:28 ?        00:00:00 (security_file_certgen)
-s /var/cache/squid/lib/ssl_db -M 64MB
squid    56813 56807  0 04:28 ?        00:00:00 (security_file_certgen)
-s /var/cache/squid/lib/ssl_db -M 64MB
squid    56814 56807  0 04:28 ?        00:00:00 (logfile-daemon)
/var/log/squid/access.log
squid    56815 56807  0 04:28 ?        00:00:00 (pinger)

Any ideas where I might be missing things?  I can decomment and
send the active lines from the config file if that would help.

Thanks for any pointers...





_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: how to go from connect/tunnel in squid4 ->GET

Eliezer Croitoru
Hey,

I'm not sure I understand the scenario and the issue.
From the wiki page you quoted:
- https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

I understand you are trying to intercept ssl connections but it's not clear if any traffic is being intercepted or not.
If possible provide the:
- OS and distribution
- "squid -v" output
- some of the access.log that might provide more details on if the traffic is passing or not thru the proxy
- if linux then iptables rules
- if possible the whole squid.conf (remove or obscure any private details)

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of L A Walsh
Sent: Thursday, November 29, 2018 19:44
To: [hidden email]
Subject: [squid-users] how to go from connect/tunnel in squid4 ->GET

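Added example for this thread (my own script, not code from either poster or from the Squid project): the question in the first message is whether HTTPS traffic is actually being bumped into individual GET requests or is still passing through as opaque CONNECT tunnels, and the reply asks for access.log to settle exactly that. The POSIX shell functions below read a Squid access.log in the default native format and answer it: a bumped session produces request lines whose URL starts with https://, while a session that was only tunnelled (or spliced) shows nothing but its CONNECT host:443 line. A last function checks that a CA PEM carries both a certificate and a private key, which generate-host-certificates needs in order to sign per-host certificates. The log lines, the CA PEM contents and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Diagnostic helpers for a Squid ssl-bump setup (added example, not Squid code).
# Native access.log fields: time elapsed client action/code size method URL ...
# so $6 is the request method and $7 the URL.

# One CONNECT line per client TLS session handed to the proxy.
count_connects() {
    awk '$6 == "CONNECT"' "$1" | wc -l | tr -d ' '
}

# Only a decrypted (bumped) session yields request lines with https:// URLs.
count_bumped() {
    awk '$6 != "CONNECT" && $7 ~ /^https:\/\//' "$1" | wc -l | tr -d ' '
}

# Hosts that were tunnelled but never produced a bumped request: these sessions
# stayed opaque CONNECT tunnels (spliced, or no matching ssl_bump rule).
tunnel_only_hosts() {
    awk '
        $6 == "CONNECT" { split($7, a, ":"); seen[a[1]] = 1 }
        $6 != "CONNECT" && $7 ~ /^https:\/\// {
            h = $7
            sub(/^https:\/\//, "", h)   # strip scheme
            sub(/\/.*$/, "", h)         # strip path
            sub(/:.*$/, "", h)          # strip port
            bumped[h] = 1
        }
        END { for (h in seen) if (!(h in bumped)) print h }
    ' "$1" | sort
}

# Overall verdict for one log: bumping, tunnel-only, or no HTTPS seen at all.
bump_verdict() {
    if [ "$(count_bumped "$1")" -gt 0 ]; then
        echo "bumping"
    elif [ "$(count_connects "$1")" -gt 0 ]; then
        echo "tunnel-only"
    else
        echo "no-https"
    fi
}

# True when the PEM given to tls-cert= holds both a certificate and a private key.
ca_pem_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Constructed sample log: example.com was bumped (CONNECT followed by GET https://
# lines), bank.example stayed a plain tunnel. Addresses are documentation ranges.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1543498800.123    245 192.168.1.10 TCP_TUNNEL/200 5123 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1543498800.456     98 192.168.1.10 TCP_MISS/200 2048 GET https://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1543498801.001     40 192.168.1.10 TCP_HIT/200 1024 GET https://example.com/logo.png - HIER_NONE/- image/png
1543498802.789    310 192.168.1.10 TCP_TUNNEL/200 9876 CONNECT bank.example:443 - HIER_DIRECT/203.0.113.5 -
EOF

# Constructed stand-in for a CA PEM (placeholder bodies, not real key material).
SAMPLE_CA=$(mktemp)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-BODY' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' '-----END PRIVATE KEY-----' \
    > "$SAMPLE_CA"

# Stand-alone run; point the functions at /var/log/squid/access.log for a live box.
echo "CONNECT sessions : $(count_connects "$SAMPLE_LOG")"
echo "bumped requests  : $(count_bumped "$SAMPLE_LOG")"
echo "verdict          : $(bump_verdict "$SAMPLE_LOG")"
echo "tunnel-only hosts: $(tunnel_only_hosts "$SAMPLE_LOG" | tr '\n' ' ')"
if ca_pem_complete "$SAMPLE_CA"; then
    echo "CA PEM           : certificate and private key present"
else
    echo "CA PEM           : missing certificate or private key"
fi
```

A verdict of tunnel-only with a non-empty CONNECT count means clients reach the proxy but no ssl_bump rule is turning the tunnel into bumped requests, so the problem is in the ssl_bump directives rather than in the port line, the CA or the certificate database; a verdict of no-https means the HTTPS traffic is not arriving at the proxy at all and the client or firewall side is the place to look. A real access.log may use a custom logformat, in which case the field positions in the awk expressions need adjusting.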