Sorry for the noise - I figured it out. HTTPS was completely dead which made me wonder if squid was working properly. It turns out I had some folder permission issues. I needed to chmod -R 777 /var/lib/ssl_db. I guess lack of permissions to that directory caused cert generation to fail and HTTPS to break.

Thanks for reading

----- Original Message -----
From: "Michael Monette" <mmonette@xxxxxxxx>
To: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, June 10, 2015 10:25:21 AM
Subject: Re: Squid, Gmail.com and HSTS.

Hi again,

I finally had some time to get back into this, been a busy couple weeks.

I compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and now things seem to be working better with ssl::servername. But for some reason I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is getting their certificate from the real sites and I don't really know why because it's the same config as before.

Here's a small capture of the logs:

1433945978.888 95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html
1433945978.918 306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 -
1433945978.994 72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945979.147 65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.152 58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945979.972 1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png
1433945981.527 50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945981.753 52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 -
1433945982.006 100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html
1433945983.769 55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html

All the HTTPS traffic are just CONNECT's. I feel like I ran into this problem when I had been working on this a couple weeks and I was able to get myself out of it by messing with the bump steps, but I can't seem to figure it out this time (or I just can't remember). Hoping for some guidance or hints.

Here's my log again:

# cat /etc/squid/squid.conf
~
debug_options ALL,9
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump step2 all
ssl_bump bump step3 all
acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com
#acl bl1 url_regex -i ^http(s)?://gmail.com
#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.*
#acl bl3 url_regex -i ^http(s)?://moz.com.*
#acl bl4 url_regex -i moz.com
deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless.
http_reply_access deny bl1 # useless
#http_access deny bl1
#http_access deny bl1 CONNECT
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 accel vhost allow-direct
#https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options NO_SSLv2
sslproxy_options NO_SSLv3
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

----- Original Message -----
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Michael Monette" <mmonette@xxxxxxxx>
Cc: "squid-users" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, May 27, 2015 7:14:57 PM
Subject: Re: Squid, Gmail.com and HSTS.

On 28/05/2015 6:33 a.m., Michael Monette wrote:
> Yeah I don't know what I am doing wrong but I don't have these ACL types. Or I am somehow not copy & pasting properly:
>
> FATAL: Invalid ACL type 'ssl::server_name'
> FATAL: Bungled /etc/squid/squid.conf line 54: acl nobumpsites ssl::server_name .google.com
> Squid Cache (Version 3.5.4): Terminated abnormally.
> CPU Usage: 0.005 seconds = 0.003 user + 0.002 sys
> Maximum Resident Size: 24096 KB
> Page faults with physical i/o: 0
> Squid restarted
> [root@ottt-corp-paz-squid-1 squid-3.5.4]# squid -v
> Squid Cache: Version 3.5.4
> Service Name: squid
> configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-included-ltdl' --enable-ltdl-convenience
>

You are missing the --with-openssl --enable-ssl-crtd options on this build.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
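
The thread resolves to a permissions problem on the ssl_crtd database directory. The script below is an added example, not something posted in the thread or shipped with Squid: it audits such a directory for the two conditions that matter, whether the proxy account owns it and whether anything in it is world-writable. The function name, the directory argument and the account name are assumptions supplied by the caller; GNU `stat` and `find` are assumed.

```shell
#!/bin/sh
# Added example: audit a Squid ssl_crtd certificate database directory.
# Assumptions: GNU stat/find; DIR and USER are chosen by the caller
# (e.g. the -s path from sslcrtd_program and the account Squid runs as).

# audit_ssl_db DIR USER
# Returns 0 when DIR belongs to USER and nothing in it is world-writable,
# 1 when something needs fixing, 2 on a usage error. Findings go to stdout.
audit_ssl_db() {
    dir=$1 user=$2 rc=0
    if [ -z "$dir" ] || [ -z "$user" ]; then
        echo "usage: audit_ssl_db DIR USER"
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (database not initialised)"
        return 1
    fi

    # The helper can only write generated certificates if its account owns the tree.
    owner=$(stat -c %U "$dir")
    if [ "$owner" != "$user" ]; then
        echo "OWNER    $dir is owned by $owner, expected $user"
        rc=1
    fi
    strays=$(find "$dir" -mindepth 1 ! -user "$user" 2>/dev/null)
    if [ -n "$strays" ]; then
        echo "$strays" | sed 's/^/STRAY    /'
        rc=1
    fi

    # World-writable entries let any local account alter the certificate store.
    loose=$(find "$dir" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WORLD-W  /'
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./audit.sh /var/lib/ssl_db <proxy-account>
if [ "$#" -eq 2 ]; then
    audit_ssl_db "$1" "$2"
fi
```

A tree that reports OWNER or STRAY can be handed to the proxy account with `chown -R`, which gives the helper write access without opening the directory to every local user.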