
Re: unbound and squid not resolving SSL sites

On 5/08/2014 1:13 p.m., squid@xxxxxxxxxxxxxxxxx wrote:
> In my network I have unbound redirecting some sites through the proxy
> server and checking authentication. If I redirect www.thisite.com it
> works correctly. However, as soon as SSL is used, https://www.thissite.com
> doesn't resolve at all. Any ideas what I have to do to enable SSL
> redirects in unbound or squid?

Handle port 443 traffic and the encrypted traffic there.
You are only receiving port 80 traffic in this config file.


There are other problems in the config file displayed. Notes inline.

> 
> squid.conf
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7        # RFC 4193 local private network range
> acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 

You should erase all of the lines above. They are duplicated below.

> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 

NOTE: Current best practice recommendation is to have the manager access
control lines after the CONNECT one below. Saves on a couple of slow
regex calculations on certain types of DoS attacks.

> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7        # RFC 4193 local private network range
> acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

NP: these four lines above are now occurring three times in a row in your
http_access rules. Only the first occurrence will have any useful effect;
the rest just waste processing time.

> 
> external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth

What does this helper do exactly to earn the term "authentication"?
TCP/IP address alone is insufficient to verify the end-user's identity.


> acl interval_auth external time_squid_auth
> http_access allow interval_auth
> http_access deny all
> http_port 80 accel vhost allow-direct
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%        0
> refresh_pattern .               0        20%     4320
> 

Amos
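A small lint script, added here as an illustration and not part of the thread, that checks a squid.conf for the two problems Amos points out: acl/http_access lines repeated verbatim (only the first copy can ever match) and an accel listener on port 80 with no listener on 443. The sample config is constructed from the posted one and condensed; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample condensed from the posted squid.conf; the duplicated
# lines and the port-80-only listener are kept on purpose.
SAMPLE_CONF = """
acl SSL_ports port 443          # https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl SSL_ports port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow interval_auth
http_access deny all
http_port 80 accel vhost allow-direct
"""

def parse_directives(text):
    """Yield (directive, normalised-arguments) pairs; comments and blanks dropped."""
    for raw in text.splitlines():
        line = re.sub(r"#.*", "", raw).strip()
        if line:
            name, _, args = line.partition(" ")
            yield name, " ".join(args.split())

def find_duplicates(text):
    """Map each repeated acl/http_access line to its count. Squid stops at the
    first matching http_access line, so later identical copies add nothing."""
    counts = Counter(f"{n} {a}" for n, a in parse_directives(text)
                     if n in ("acl", "http_access"))
    return {line: c for line, c in counts.items() if c > 1}

def listening_ports(text):
    """Return the TCP ports of all http_port/https_port directives."""
    ports = set()
    for name, args in parse_directives(text):
        if name in ("http_port", "https_port"):
            # first token is 'port', 'ip:port' or '[v6addr]:port'
            ports.add(int(args.split()[0].rsplit(":", 1)[-1]))
    return ports

def lint(text):
    """Return human-readable findings for the two problems raised in the thread."""
    findings = [f"duplicate ({c}x): {l}" for l, c in find_duplicates(text).items()]
    ports = listening_ports(text)
    if 80 in ports and 443 not in ports:
        findings.append("listener on port 80 only: HTTPS clients redirected here get no answer")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```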
