On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
>
> I'm using squid (3.5.9) as transparent https proxy with build options (see below) and config (see below, I removed some uninteresting things from the config like caching).
>
> To get the system more secure I would like to add crl checking (at the moment static, later maybe dynamic if it's possible with my skills :-) ) and ocsp (later).
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
>
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.
>
> But why does squid seem to ignore the crlfile option / file?

Because it is only relevant on http(s)_port when there is TLS client certificate authentication being verified. You do not have that configured.

> Also I tested to use the crl in DER format but it still wouldn't work, even didn't see an error in the log when the file isn't available.

It is not even loaded unless the clientca= is configured. Which turns on client cert authentication.

If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead.

> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the account 'squid'. It is usually a good idea to stick with the

> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be FQDN and publicly resolvable. It is the DNS hostname people use to access your proxy for these icons you configured (amongst other things).

> cache_mgr admin@xxxxxxxxxxxxxxxxxx
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will run unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
>
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src local.network.range
> forwarded_for on

This is a default, remove the forwarded_for line.

> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic

Remove the above if you want to actually cache much content. Squid has been okay with caching this stuff since 2.7.

>
> acl allsrc src all

Don't. Really. "all" is a built-in ACL, just use it.

> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
> acl sslports port 443 563
>
> acl purge method PURGE
> acl connect method CONNECT
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src local.network.range

You defined localnet to that already. Meaning you can replace all uses of "allowed_subnets" with "localnet".

> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

Best practice is now to move all the above http_access lines with their slow and DoS-vulnerable ACL processing down below the CONNECT line following...

> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

Hmm. A delay pool that does not do anything, and every byte of traffic is processed through it. Completely useless waste of CPU cycles and memory. Remove all of the above lines.

>
> always_direct allow whitelist

You don't use cache_peer. The above line is useless. Remove it.

> ssl_bump none whitelist

Do not mix deprecated bumping modes with non-deprecated.

Use "splice" instead of "none" in the above rule...

Then notice that dstdom_regex ACL will not work in ssl_bump. So you may as well remove the line entirely. Your peek/splice rules below with "bypass" ACL seem to be doing what you intended this to do.

> # Package Integration
> url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
> url_rewrite_bypass off
> url_rewrite_children 16 startup=8 idle=4 concurrency=0
>
> # Custom options before auth
> #debug_options all,1 20,0 36,0 41,0 47,0 79,0 90,0 92,0
> debug_options 83,6
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3

Note that step2 and step3 are not being used. You can remove those lines.

>
> acl bypass ssl::server_name .google.de .sparkasse.de .postbank.de
> acl wupdate ssl::server_name .windowsupdate.com .microsoft.com
>
> ssl_bump peek step1
> ssl_bump peek bypass wupdate
> ssl_bump splice bypass wupdate
> ssl_bump bump all
>
> sslproxy_cert_error allow wupdate

Note that ssl::server_name probably won't work in these sslproxy_* rules.

> sslproxy_cert_error deny all
>
> # Always allow access to whitelist domains
> http_access allow whitelist
> # Setup allowed acls
> # Allow local network(s) on interface(s)
> http_access allow allowed_subnets
> http_access allow localnet

Note that localnet == allowed_subnets, so the allowed_subnets line can be removed.

> # Default block all to be sure
> http_access deny allsrc

Really s/allsrc/all/

<snip>

>
>
> #build options
> configure options: '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/local/sbin' '--sbindir=/usr/pbi/squid-amd64/local/sbin' '--datadir=/usr/pbi/squid-amd64/local/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-amd64/local/etc/squid' '--with-logdir=/var/squid/logs' '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth'
> '--enable-build-info'

<snip>

build-info requires a string. Whoever provided this package needs to fix that.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
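An added example, not code from either mail or from Squid: it reproduces the openssl CRL check Sebastian describes (DER CRL converted to PEM, then a verify with the CRL consulted) against a throwaway CA built on the spot, so the revoked result can be reproduced offline. The CA name DemoCA, the leaf name revoked.example.test and the helper names make_demo_pki/crl_check are constructed for the demo; only the openssl CLI is required.

```shell
# Added example, not code from the thread: rerun the openssl CRL check described
# above against a throwaway CA built here, so revoked vs. valid is visible offline.
set -eu

# Build a CA, issue a leaf, revoke it, publish the CRL as DER (as a CDP usually would).
make_demo_pki() {  # $1 = empty working directory (absolute path)
  d=$1
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
serial = $d/serial
crlnumber = $d/crlnumber
new_certs_dir = $d
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  : > "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=DemoCA -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=revoked.example.test -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$d/ca.cnf" -gencrl 2>/dev/null | openssl crl -outform DER -out "$d/crl.der"
}

# Convert the DER CRL to PEM, then verify the leaf against CA + CRL (the step the
# poster did by hand). Exit 0 = chain valid and not revoked; non-zero = rejected.
crl_check() {  # $1 = CA cert (PEM), $2 = CRL (DER), $3 = leaf cert (PEM)
  openssl crl -inform DER -in "$2" -out "$2.pem"
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2.pem" "$3"
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
crl_check "$WORK/ca.pem" "$WORK/crl.der" "$WORK/leaf.pem" || echo "leaf rejected: revoked in CRL"
```

Without -crl_check the same chain verifies cleanly, which is exactly the difference between a CRL that is merely present and one that is actually consulted, as with crlfile= versus sslproxy_crlfile above.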