On 25/04/2015 12:50 a.m., James Lay wrote:
> Hey all.
>
> Topic says it....I'm running squid-3.5.3-20150420-r13802 and wanted to
> see if there's anything glaring that I'm missing/have misconfigured. My
> setup is squid is running on a router, one nic external, one nic
> internal. This is running as a transparent proxy with iptables doing a
> redirect to ports 3128 and 3129. Config below:
>
> #############################################################
> acl localnet src 192.168.1.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
>
> acl CONNECT method CONNECT
> acl broken_sites dst 96.16.0.0/15
> <others redacted>
> acl broken_sites dst 54.160.0.0/12
> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> acl all_others dst all

Using "dst all" is very inefficient. It requires Squid to perform DNS
lookups just to answer "yes". Unless there is some unusual reason
requiring that you might as well use the provided "all" ACL for faster
operation.

> acl SSL method CONNECT

This is a bit dangerous. CONNECT does not necessarily mean SSL - even
with the port 443 restriction. CONNECT could as easily contain a tunnel
to email server and be pumping spam, or literally any other type of
traffic to any other server. Spam emails, FTP, BitTorrent, and Skype are
pretty popular protocols seen with CONNECT. So you can easily mistake
security rules about SSL and create allow policies that make you
vulnerable to some nasty attacks.

It's also a redundant ACL definition with the default CONNECT ACL earlier.

>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access allow allowed_sites
> http_access allow broken_sites
>
> http_access deny all_others

The above being equivalent to "deny all" makes the below rules not do
anything. I don't know your policy, maybe you did. Consider whether that
is what you expected/wanted to happen.

> http_access allow localnet
> http_access allow localhost
>
> http_access deny all
> icp_access deny all
>
>
> sslproxy_cert_error allow broken_sites
> sslproxy_cert_error deny all
>
> sslproxy_options ALL
> acl p3129 myportname 3129

This name "3129" does not match any listening port name. See below...

> acl step1 at_step SslBump1
> ssl_bump peek step1
> #ssl_bump splice broken_sites
> ssl_bump bump p3129
>
>
> http_port 192.168.1.253:3128 intercept

... in the absence of a name= parameter the default name for this port
is "192.168.1.253:3128".

> https_port 192.168.1.253:3129 intercept ssl-bump
> cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

... in the absence of a name= parameter the default name for this port
is "192.168.1.253:3129".

Do you see the pattern? Set the name= parameter explicitly or it becomes
the *string* value of the host:port field.

>
> always_direct allow all

Has no use in your config.

>
> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject

Bad: do not re-define built-in format definitions please. Either use the
provided format, or use a different name if you need the custom one.

>
> access_log syslog:daemon.info common
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> icp_port 3130

You are initializing ICP port, but also configured "icp_access deny all".
To disable ICP, remove the icp_* directives from your config. To enable
ICP, configure the icp_access to allow some sources to make queries.

>
> coredump_dir /opt/var
> #############################################################
>
> My goal has been to at least get the domain logged on any https access,
> but alas some sites show:
>
> Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - -
> [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200
> 401 TCP_TUNNEL:ORIGINAL_DST -
>

With interception + your custom rule using %ru you should always see
raw-IP:port. If you see a TLS SNI domain in there *that* is a bug. "%ru"
is explicitly asking for the client-presented CONNECT *URL*, not the
server details.

That "TCP_TUNNEL" will always happen whenever the protocol found on port
443 is not HTTPS.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
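A squid.conf fragment that applies the points raised above to the posted config. This is an added example, not from the thread or the Squid project; the port names p3128/p3129 and the logformat name ssl_common are assumed names chosen here.

```conf
# Assumed names: p3128, p3129 (port names) and ssl_common (log format).
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT      # built-in; the duplicate "acl SSL method CONNECT" is dropped
acl broken_sites dst 96.16.0.0/15
acl broken_sites dst 54.160.0.0/12
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
# "acl all_others dst all" removed: the provided "all" ACL needs no DNS lookups.

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow allowed_sites
http_access allow broken_sites
# "http_access deny all_others" removed: it was equivalent to "deny all"
# and made the localnet/localhost rules below unreachable.
http_access allow localnet
http_access allow localhost
http_access deny all

# Explicit name= so a myportname ACL can match the listening port.
http_port 192.168.1.253:3128 intercept name=p3128
https_port 192.168.1.253:3129 intercept ssl-bump name=p3129 cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

acl p3129 myportname p3129      # matches the name= value, not the port number
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump p3129

sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all
sslproxy_options ALL

# Custom format under its own name; "common" is a built-in definition.
logformat ssl_common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
access_log syslog:daemon.info ssl_common

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# always_direct, icp_port and icp_access removed: ICP is disabled by omission.
coredump_dir /opt/var
```

Run `squid -k parse` against the edited file to confirm every directive is accepted before reloading.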
Thank you Amos...that's extremely helpful.
James