Search squid archive

Re: Squid, Gmail.com and HSTS.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry for the noise - I figured it out. 

HTTPS was completely dead which made me wonder if squid was working properly. It turns out I had some folder permission issues. I needed to chmod -R 777 /var/lib/ssl_db. I guess lack of permissions to that directory caused cert generation to fail and HTTPS to break..Thanks for reading

----- Original Message -----
From: "Michael Monette" <mmonette@xxxxxxxx>
To: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, June 10, 2015 10:25:21 AM
Subject: Re:  Squid, Gmail.com and HSTS.

Hi again,

I finally had some time to get back into this, been a busy couple weeks. I compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and now things seem to be working better with ssl::servername. But for some reason I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is getting their certificate from the real sites and I don't really know why because it's the same config as before.

Here's a small capture of the logs:

1433945978.888     95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html
1433945978.918    306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 -
1433945978.994     72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945979.147     65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.152     58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.972   1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945981.527     50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945981.753     52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945982.006    100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html
1433945983.769     55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html


All the HTTPS traffic are just CONNECT's. I feel like I ran into this problem when I had been working on this a couple weeks and I was able to get myself out of it by messing with the bump steps, but I can't seem to figure it out this time(or I just can't remember). Hoping for some guidance or hints.

Here's my log again:

# cat /etc/squid/squid.conf
~
debug_options ALL,9

acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump bump step2 all
ssl_bump bump step3 all

acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com
#acl bl1 url_regex -i ^http(s)?://gmail.com
#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.*
#acl bl3 url_regex -i ^http(s)?://moz.com.*
#acl bl4 url_regex -i moz.com
deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless.
http_reply_access deny bl1 # useless
#http_access deny bl1 
#http_access deny bl1 CONNECT

http_access allow localnet
http_access allow localhost

http_access allow all

http_port 3128 accel vhost allow-direct

#https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslproxy_options NO_SSLv2
sslproxy_options NO_SSLv3

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

refresh_pattern ^ftp:                1440        20%        10080
refresh_pattern ^gopher:        1440        0%        1440
refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
refresh_pattern .                0        20%        4320


----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Michael Monette" <mmonette@xxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, May 27, 2015 7:14:57 PM
Subject: Re:  Squid, Gmail.com and HSTS.

On 28/05/2015 6:33 a.m., Michael Monette wrote:
> Yeah I don't know what I am doing wrong but I don't have these ACL types..Or I am somehow not copy & pasting properly:
> 
> FATAL: Invalid ACL type 'ssl::server_name'
> FATAL: Bungled /etc/squid/squid.conf line 54: acl nobumpsites ssl::server_name .google.com
> Squid Cache (Version 3.5.4): Terminated abnormally.
> CPU Usage: 0.005 seconds = 0.003 user + 0.002 sys
> Maximum Resident Size: 24096 KB
> Page faults with physical i/o: 0
> Squid restarted
> [root@ottt-corp-paz-squid-1 squid-3.5.4]# squid -v
> Squid Cache: Version 3.5.4
> Service Name: squid
> configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-included-ltdl' --enable-ltdl-convenience
> 

You are missing the --with-openssl --enable-ssl-crtd options on this build.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux