
Re: never_direct + https site access problem in sandwich setup!!!


Shiva Raman wrote:
Hi all
  I am running a squid1->DG->squid2 sandwich setup and I am facing
the following problem.
When I give "never_direct allow all" in squid1.conf, I am not able to
access any https sites.
Without the above configuration line, all users can access https
sites and even sites denied in the content filter. For example, suppose
http://www.redhat.com is a banned site in the content filter; I am able to
access https://www.redhat.com, which bypasses the content filter and
is served by squid2.

  My requirement is to allow all https traffic through this setup, but
the requests should flow through the content filter and then to squid2
for serving. Is it possible to tell squid1 to pass the https traffic
to the content filter and then to squid2?

Your requirement should work, but the intermediate (DG) appears to be failing.

The problem sounds very much like others recently where squidguard was not letting HTTPS through due to its configuration.

Configure squid1 with "never_direct all" then attempt to resolve WHY *DG* is denying CONNECT requests to port 443 through. You can trace the requests making it into squid1 through the squid1 access.log and the requests making it out to the internet via the squid2 access.log.

Your squid configs have serious security issues, but not related to the HTTPS problem you mention. Notes inline.

The Ports used here are 3128->8080->8081 .

Following is the configuration of my
squid1.conf
----------------
http_port 3128
cache_peer 127.0.0.1  parent    8080   0    no-query proxy-only default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##Changed for user authentication
auth_param basic program /usr/lib/squid/pam_auth
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0

Um, these are essentially the same. Any reason you are duplicating? The dst differs only in that it forces rDNS lookup before matching.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
## Change for deny caching

??

never_direct allow all
no_cache deny all

Should be "cache deny all" nowadays.

cache_access_log /var/log/squid/access.log

Should be "access_log /var/log/squid/access.log" nowadays.

visible_hostname 192.168.10.175

visible_hostname is supposed to be a reversible DNS _hostname_.

acl students src 192.168.10.2-192.168.10.25
acl ttt src 192.168.10.25-192.168.10.254
acl test dstdom_regex .yahoo.com .google.* .org
acl test1 dstdom_regex .sun.*  .oracle.*
acl test2 dstdom_regex .rediff.*
acl time1 time 00:00-23:00
acl time2 time 09:00-23:00
acl lpdf urlpath_regex pdf$ mp3$ gif$ gz$
acl ljob url_regex -i ^http://*job*
acl usr1 proxy_auth user3 user1
http_access allow students usr1

So (students AND ('user1' OR 'user3')) are allowed to do anything without limit? Methinks the trio of deny lines below (excluding deny all) should be above this line.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Squid2.conf
---------------
http_port 8081
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow Safe_ports

Anything which gets past the "deny !Safe_ports" safety line (good using it at the top BTW)
will make the above line essentially "http_access allow all"

* coupled with the squid1 giving out publicly the IP of this box
* coupled with a wildcard "http_port 8081"

Results in this squid being an open-proxy for anyone who cares to scan it.


http_access allow SSL_ports
http_access allow our_networks
http_access allow  localhost
http_access deny all

None of these have any effect. See above.

http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid

DON'T use cache_effective_user unless you really have to.
On top of that it's _far_ better to leave the group security to the OS, even if you are forced to set cache_effective_user.

visible_hostname 192.168.10.175

Same deal as for squid1.

coredump_dir /usr/local/squid/var/cache


Thanks for any help

Regards

Shiva Raman


Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
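The following is a small first-match evaluator for the squid2 http_access list quoted above, added here as an illustration (it is not squid's code and was not posted in this thread): it models only the src, port and method ACL types, takes the rule order exactly as posted, and shows that a request from an arbitrary outside address is allowed, and that removing the two port-only allow lines lets the source-based allows decide. The client addresses and requests are constructed.

```python
import ipaddress

# ACL table mirroring the posted squid2.conf (name -> (type, values)).
ACLS = {
    "Safe_ports": ("port", {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}
                   | set(range(1025, 65536))),
    "SSL_ports": ("port", {443, 563}),
    "CONNECT": ("method", {"CONNECT"}),
    "our_networks": ("src", ["192.168.0.0/24", "192.168.1.0/24"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it as in squid."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "port":
        hit = req["port"] in values
    elif kind == "method":
        hit = req["method"] in values
    else:  # src: match the client address against the listed networks
        src = ipaddress.ip_address(req["src"])
        hit = any(src in ipaddress.ip_network(n) for n in values)
    return hit != negate

def http_access(rules, req):
    """First rule whose ACLs all match wins. If nothing matches, squid
    applies the opposite of the last rule's action."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule order as posted in squid2.conf (manager lines left out).
POSTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Safe_ports"]),   # every request surviving line 1 matches here
    ("allow", ["SSL_ports"]),    # likewise carries no source restriction
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
# Corrected: drop the two port-only allows so the source-based allows decide.
FIXED = [r for r in POSTED if r[1] not in (["Safe_ports"], ["SSL_ports"])]

# Constructed requests: an arbitrary Internet host and a LAN client.
INTERNET_GET = {"src": "203.0.113.7", "port": 80, "method": "GET"}
LAN_CONNECT = {"src": "192.168.1.20", "port": 443, "method": "CONNECT"}
```

With the posted order, `http_access(POSTED, INTERNET_GET)` returns "allow", which is the open-proxy condition described above; with the corrected list the same request is denied while the LAN client's CONNECT to 443 is still allowed.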
