> Fundamentally, my intent is to set up Squid for home use to block
> advertising, malware, and in particular, perform content adaptation.
> One of my specific goals is to modify search URL paths to restrict
> explicit search returns (e.g. affixing "&safe=active" to any Google
> search path)

Hi David,

I did some work to filter Google explicit search by DNS hijacking and tinyproxy.
I redirect google.* to nosslsearch.google.com and use my modified version of
tinyproxy, which transparently intercepts *only* Google traffic for now. I did
it for an embedded platform.

If you'd like to check it out and test it:
https://github.com/polaco1782/tinyproxy

2014-07-08 23:17 GMT-03:00 David Marcos <davem.business@xxxxxxxxx>:
> Hi,
>
> I have been attempting to configure SSL bumping with Squid v3.3.8. I
> have a well configured Squid proxy for HTTP and HTTP Intercept
> proxying. I am now trying to expand the configuration to bump SSL
> connections. I believe I have the basics of the configuration correct
> for both direct HTTPS proxying as well as intercepted HTTPS, but am
> having a few issues that I would appreciate some input on.
> Specifically:
>
> a. HTTPS Page Rendering: Some HTTPS pages load fine. However, I
> have found that if I try to login to online banking or other secure
> pages that either (1) the page does not render properly (I get flat,
> unorganized text) or (2) the page simply does not load. With respect
> to the latter, some pages simply bring me right back to the login
> page; there seems to be some kind of behind-the-scenes redirection
> that is being rejected and preventing logging in. What
> recommendations might anyone have to tweak my configuration to address
> these issues?
>
> b. HTTP Strict Transport Security (HSTS): Some pages flat-out
> reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
> aggravates the issue. Is there a way to configure Squid to get around
> HSTS? (Yes, I know this may be a dumb question given how HSTS works,
> but would appreciate any insight.)
>
> Fundamentally, my intent is to set up Squid for home use to block
> advertising, malware, and in particular, perform content adaptation.
> One of my specific goals is to modify search URL paths to restrict
> explicit search returns (e.g. affixing "&safe=active" to any Google
> search path). I have additionally configured ICAP with SquidClamav,
> multiple ACLs for blocking of ads and malware, and SquidGuard for
> additional domain and url blocking. SquidGuard is also successfully
> manipulating *unencrypted* Google, Yahoo, and Bing URL paths to insert
> commands to suppress explicit search returns. (I should note that
> when I tested out SSL bumping, I disabled ICAP, Squidguard, and ACLs
> for blocking of ads and malware; the issues described above
> persisted.)
>
> Below is my squid.conf file to help out.
>
> Thanks in advance,
>
> Dave
>
> #########BEGIN FILE#############
> hosts_file /etc/hosts
> visible_hostname proxyserver
> shutdown_lifetime 5 seconds
> coredump_dir /tmp
>
>
> dns_nameservers 192.168.1.1 208.67.222.222 208.67.220.220
> half_closed_clients off
> negative_ttl 0
> negative_dns_ttl 2 minutes
>
> http_port 127.0.0.1:3128
>
> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key
>
> http_port 192.168.1.1:3129 intercept
>
> https_port 192.168.1.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB
> sslcrtd_children 5
>
> udp_incoming_address 192.168.1.1
> pinger_enable off
> forwarded_for delete
> via off
>
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> maximum_object_size_in_memory 1 MB
> minimum_object_size 0 KB
> maximum_object_size 64 MB
> memory_pools off
> cache_mem 256 MB
> cache_dir aufs /disk/squid-cache 25000 32 512
> cache_swap_low 95
> cache_swap_high 97
> ipcache_size 10240
> fqdncache_size 2048
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> max_filedescriptors 4096
> read_ahead_gap 512 KB
>
> client_lifetime 6 hours
> connect_timeout 10 seconds
>
> log_icp_queries off
> buffered_logs on
> debug_options ALL,1
> logformat squid %tg %6tr %>A %Ss/%03>Hs UA=%{User-Agent}>h XFF=%{X-Forwarded-For}>h CKE=- %rm %ru %un %Sh/%<A %mt BYTES=%<st
> access_log stdio:/var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log none #/var/log/squid/store.log
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service sqclamav_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access sqclamav_req allow all
> icap_service sqclamav_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access sqclamav_resp allow all
>
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|m3u|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 259200 override-expire ignore-no-store ignore-no-cache ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|pptx|doc|docx|xls|xlsx|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern -i exe$ 0 50% 259200
> refresh_pattern -i zip$ 0 50% 259200
> refresh_pattern -i tar\.gz$ 0 50% 259200
> refresh_pattern -i tgz$ 0 50% 259200
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (\.cgi$|/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> acl SSL_ports port 443 21 563 445 1494 2598 5006
> acl Safe_ports port 21 80 443 563 70 210 280 488 591 777 1025-65535
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl FTP proto FTP
>
> acl lan src 192.168.1.0/24
> acl vpn src 192.168.12.0/24
> acl to_lan dst 192.168.1.0/24
> acl to_vpn dst 192.168.12.0/24
>
> acl malware_stinks dstdomain "/disk/squidguard/blacklist_acls/suspiciousdomains_Medium.txt"
> acl ad_regex url_regex -i "/disk/squidguard/blacklist_acls/ad_block_easylist.txt"
> acl privacy_regex url_regex -i "/disk/squidguard/blacklist_acls/privacy_easylist.txt"
> deny_info http://www.lan/malware.html malware_stinks
> deny_info http://www.lan/adregex.html ad_regex
> deny_info http://www.lan/privacy.html privacy_regex
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny malware_stinks
> http_access deny ad_regex
> http_access deny privacy_regex
>
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost purge
> http_access deny purge
> http_access allow FTP localhost
> http_access allow FTP lan
> http_access allow FTP vpn
> http_access allow lan
> http_access allow to_lan
> http_access allow vpn
> http_access allow localhost
>
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow lan
> icp_access allow vpn
> icp_access deny all
>
> snmp_access allow lan
> snmp_access allow vpn
> snmp_access deny all
>
> htcp_access allow lan
> htcp_access allow vpn
> htcp_access deny all
>
> always_direct allow lan
> always_direct allow vpn
>
> ssl_bump none localhost
> ssl_bump server-first lan
> ssl_bump server-first vpn
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> request_header_replace Accept */*
> request_header_replace Accept-Encoding gzip
> request_header_replace Accept-Language en
> request_header_replace From
> request_header_replace Referer
> request_header_replace Cookie
> request_header_replace Cookie2
>
> request_header_add DNT 1
>
> request_header_access Allow allow all
> request_header_access Authorization allow all
> # corresponds to above replace acl
> request_header_access From deny !to_lan
> # corresponds to above replace acl
> request_header_access Referer deny !to_lan
> request_header_access WWW-Authenticate allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
> request_header_access Date allow all
> request_header_access Expires allow all
> request_header_access Host allow all
> request_header_access If-Modified-Since allow all
> request_header_access Last-Modified allow all
> request_header_access Location allow all
> request_header_access Pragma allow all
> # corresponds to above replace acl
> request_header_access Accept deny !to_lan
> request_header_access Accept-Charset deny !to_lan
> # corresponds to above replace acl
> request_header_access Accept-Encoding deny !to_lan
> # corresponds to above replace acl
> request_header_access Accept-Language deny !to_lan
> request_header_access Content-Language allow all
> request_header_access Mime-Version allow all
> request_header_access Retry-After allow all
> request_header_access Title allow all
> request_header_access Connection allow all
> request_header_access Proxy-Connection allow all
> request_header_access User-Agent allow all
> request_header_access Other allow all
> request_header_access Cookie allow all
> request_header_access Cookie2 allow all
> # Corresponds to DNT header add/replace above
> request_header_access DNT deny all
> request_header_access All deny !to_lan
>
> reply_header_access Allow allow all
> reply_header_access Authorization allow all
> reply_header_access Proxy-Authorization allow all
> reply_header_access Proxy-Authenticate allow all
> reply_header_access Content-Encoding allow all
> reply_header_access Content-Length allow all
> reply_header_access Content-Type allow all
> reply_header_access Date allow all
> reply_header_access Expires allow all
> reply_header_access Host allow all
> reply_header_access If-Modified-Since allow all
> reply_header_access Last-Modified allow all
> reply_header_access Location allow all
> reply_header_access Pragma allow all
> reply_header_access Accept allow all
> reply_header_access Accept-Charset allow all
> reply_header_access Accept-Encoding allow all
> reply_header_access Accept-Language allow all
> reply_header_access Content-Language allow all
> reply_header_access Mime-Version allow all
> reply_header_access Retry-After allow all
> reply_header_access Title allow all
> reply_header_access Connection allow all
> reply_header_access User-Agent allow all
> reply_header_access Other allow all
> reply_header_access Set-Cookie allow all
> reply_header_access Set-Cookie2 allow all
> reply_header_access Transfer-Encoding allow all
> reply_header_access Strict-Transport-Security allow all
> reply_header_access DNT allow all
>
> reply_header_access WWW-Authenticate deny !to_lan
> reply_header_access Server deny !to_lan
> reply_header_access Link deny !to_lan
> reply_header_access All deny !to_lan
>
> ## SquidGuard
> # This sets up 10 SquidGuard programs; 5 ready-to-go; 10 idled-and-prepped-to-go;
> # and threading for a total of 15 SquidGuard handlers available to tackle blocking
> # Note *do not* use the concurrency option; it crashes SquidGuard
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
> url_rewrite_children 15 startup=5 idle=10
> url_rewrite_bypass off
> url_rewrite_access allow all
> ##########END FILE################
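As an added example (not code from the thread, from Squid or from the tinyproxy fork above): a small Squid `url_rewrite_program` helper in Python that performs the `safe=active` rewrite the original message describes, speaking the one-request-per-line protocol of Squid 3.3.x (the exact protocol version, the list of search paths and the host test are my assumptions). Once Squid has bumped a session, the helper sees the plain `https://` search URL and can rewrite it like any HTTP one.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper forcing Google SafeSearch (safe=active).

Added example for the thread above. Assumes the pre-3.4 helper protocol used by
Squid 3.3.x: Squid sends "URL client_ip/fqdn user method [urlgroup] kv=pairs"
per line; the helper answers with the rewritten URL, or an empty line for
"leave it alone". Squid 3.4+ expects 'OK rewrite-url="..."' instead.
"""
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Paths on Google hosts that run a search (assumed list); anything else passes through.
SEARCH_PATHS = ("/search", "/images", "/videosearch", "/webhp")


def is_google_host(host: str) -> bool:
    """True for google.<tld>, google.<cc>.<tld> and any host directly under them."""
    labels = host.lower().rstrip(".").split(".")
    return (len(labels) >= 2 and labels[-2] == "google") or \
           (len(labels) >= 3 and labels[-3] == "google")


def rewrite_url(url: str) -> str:
    """Return the URL with safe=active enforced, or "" when no change is needed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not is_google_host(parts.hostname or ""):
        return ""
    if not parts.path.startswith(SEARCH_PATHS):
        return ""
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe_values = [v for k, v in pairs if k == "safe"]
    if safe_values and all(v == "active" for v in safe_values):
        return ""  # already compliant: tell Squid not to touch it
    # Drop any client-supplied safe= (e.g. safe=off), keep the rest, force safe=active.
    pairs = [(k, v) for k, v in pairs if k != "safe"] + [("safe", "active")]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))


def handle_line(line: str) -> str:
    """Turn one request line from Squid into the helper's answer line."""
    fields = line.split()
    return rewrite_url(fields[0]) if fields else ""


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the answer; never leave it buffered


if __name__ == "__main__":
    main()
```

Squid runs a single `url_rewrite_program`, so in the posted configuration this helper would have to replace or wrap the squidGuard call rather than sit beside it.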