
Config audit for 3.5.3

Hey all.

Topic says it... I'm running squid-3.5.3-20150420-r13802 and wanted to see if there's anything glaring that I'm missing or have misconfigured. My setup: squid is running on a router, one NIC external, one NIC internal. This is running as a transparent proxy with iptables doing a redirect to ports 3128 and 3129. Config below:

#############################################################
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https

acl CONNECT method CONNECT
acl broken_sites dst 96.16.0.0/15
<others redacted>
acl broken_sites dst 54.160.0.0/12
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager

http_access allow allowed_sites
http_access allow broken_sites

http_access deny all_others
http_access allow localnet
http_access allow localhost

http_access deny all
icp_access deny all


sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all

sslproxy_options ALL
acl p3129 myportname 3129
acl step1 at_step SslBump1
ssl_bump peek step1
#ssl_bump splice broken_sites
ssl_bump bump p3129


http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

always_direct allow all

logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject

access_log syslog:daemon.info common

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

icp_port 3130

coredump_dir /opt/var
#############################################################

My goal has been to at least get the domain logged on any https access, but alas some sites show:

Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200 401 TCP_TUNNEL:ORIGINAL_DST -

Thanks for the look-see... trying to keep current.

James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
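The post's stated goal is to get the destination domain logged for every HTTPS access, and the sample line shows the failure case: a CONNECT to a bare IP that was tunneled (TCP_TUNNEL:ORIGINAL_DST) with an empty %ssl::>cert_subject field. The following is an added example, not code from the original post or from the Squid project: a small Python parser for the custom "common" logformat in the config above, which reads syslog-prefixed access_log lines and flags entries where no domain was recorded (the request target is a literal IP and the certificate subject is "-"). The first sample line is the one from the post; the other two lines are constructed, as are the IP 198.51.100.7 and the certificate subject, to show what a logged domain looks like in the same format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the posted logformat:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
# An optional syslog prefix ("Apr 24 06:39:32 gateway (squid-1): ") is skipped.
LINE_RE = re.compile(
    r'^(?:.*?\(squid-\d+\):\s+)?'                       # optional syslog prefix
    r'(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<url>\S+)\s+HTTP/(?P<version>[\d.]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+'
    r'(?P<code>[A-Z0-9_]+):(?P<hier>[A-Z0-9_]+)\s+'
    r'(?P<cert_subject>.*)$'
)

# Constructed sample input. Line 1 is the line quoted in the post; lines 2 and 3
# are made up here (documentation-range IP, invented certificate subject).
SAMPLE_LINES = [
    'Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:39:32 -0600] '
    '"CONNECT 216.58.216.162:443 HTTP/1.1" 200 401 TCP_TUNNEL:ORIGINAL_DST -',
    'Apr 24 06:40:01 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:40:01 -0600] '
    '"CONNECT 198.51.100.7:443 HTTP/1.1" 200 3012 TCP_MISS:ORIGINAL_DST CN=www.example.com,O=Example',
    'Apr 24 06:40:05 gateway (squid-1): 192.168.1.101 - - [24/Apr/2015:06:40:05 -0600] '
    '"GET http://www.example.com/ HTTP/1.1" 200 512 TCP_MISS:ORIGINAL_DST -',
]


@dataclass
class Entry:
    client: str
    method: str
    url: str
    status: int
    code: str
    hier: str
    cert_subject: str

    @property
    def host(self) -> str:
        """Host part of %ru: 'host:port' for CONNECT, a full URL otherwise."""
        target = self.url.split("://", 1)[1].split("/", 1)[0] if "://" in self.url else self.url
        if target.startswith("["):                      # bracketed IPv6 literal
            return target[1:target.index("]")]
        return target.rsplit(":", 1)[0] if ":" in target else target

    @property
    def host_is_ip(self) -> bool:
        try:
            ipaddress.ip_address(self.host)
            return True
        except ValueError:
            return False

    @property
    def domain_logged(self) -> bool:
        """True if a name was captured: either in the URL or in the cert subject."""
        return (not self.host_is_ip) or self.cert_subject not in ("", "-")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access_log line in the posted format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        client=m.group("client"),
        method=m.group("method"),
        url=m.group("url"),
        status=int(m.group("status")),
        code=m.group("code"),
        hier=m.group("hier"),
        cert_subject=m.group("cert_subject").strip(),
    )


def unlogged_domains(lines: List[str]) -> List[Entry]:
    """Return the entries where the destination domain was not recorded."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e is not None and not e.domain_logged]


if __name__ == "__main__":
    for e in unlogged_domains(SAMPLE_LINES):
        print(f"{e.client} -> {e.host} ({e.code}:{e.hier}): no domain logged")
```

Running this over a day's syslog output gives a quick count of how many HTTPS connections left the gateway without a name attached, which is the measurable version of the question the post asks.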
