|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Are you see in access.log ip:443 CONNECT records? I.e., does your HTTPS traffic incoming to Squid? 11.11.15 1:45, Ahmad Alzaeem пишет: > Hi I don’t have ssl pump > > > > All my users user ip:port to have internet > > > > > > I already have ISA windows server and it works with http and https > > > > Im wondering why all complexity needed for peer https > > !!! > > > > > > Anyway hnere is squid.conf > > > > # This file is automatically generated by pfSense > > # Do not edit manually ! > > > > http_port 172.23.101.253:3128 > > icp_port 0 > > dns_v4_first on > > pid_filename /var/run/squid/squid.pid > > cache_effective_user proxy > > cache_effective_group proxy > > error_default_language en > > icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons > > visible_hostname mne > > cache_mgr azaeem@xxxxxx <mailto:azaeem@xxxxxx> > > access_log /var/squid/logs/access.log > > cache_log /var/squid/logs/cache.log > > cache_store_log none > > netdb_filename /var/squid/logs/netdb.state > > pinger_enable off > > pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger > > > > logfile_rotate 2 > > debug_options rotate=2 > > shutdown_lifetime 3 seconds > > # Allow local network(s) on interface(s) > > acl localnet src 172.23.101.0/24 > > forwarded_for off > > via off > > httpd_suppress_version_string on > > uri_whitespace strip > > > > acl dynamic urlpath_regex cgi-bin ? > > cache deny dynamic > > > > cache_mem 64 MB > > maximum_object_size_in_memory 256 KB > > memory_replacement_policy heap GDSF > > cache_replacement_policy heap LFUDA > > minimum_object_size 0 KB > > maximum_object_size 4 MB > > cache_dir ufs /var/squid/cache 100 16 256 > > offline_mode off > > cache_swap_low 90 > > cache_swap_high 95 > > cache allow all > > > > # Add any of your own refresh_pattern entries above these. > > refresh_pattern ^ftp: 1440 20% 10080 > > refresh_pattern ^gopher: 1440 0% 1440 > > refresh_pattern -i (/cgi-bin/|?) 0 0% 0 > > refresh_pattern . 0 20% 4320 > > > > > > #Remote proxies > > > > > > # Setup some default acls > > # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. > > # acl localhost src 127.0.0.1/32 > > acl allsrc src all > > acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 > > acl sslports port 443 563 > > > > # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. > > #acl manager proto cache_object > > > > acl purge method PURGE > > acl connect method CONNECT > > > > # Define protocols used for redirects > > acl HTTP proto HTTP > > acl HTTPS proto HTTPS > > http_access allow manager localhost > > > > http_access deny manager > > http_access allow purge localhost > > http_access deny purge > > http_access deny !safeports > > http_access deny CONNECT !sslports > > > > # Always allow localhost connections > > # From 3.2 further configuration cleanups have been done to make things easier and safer. > > # The manager, localhost, and to_localhost ACL definitions are now built-in. > > # http_access allow localhost > > > > request_body_max_size 0 KB > > > > > > > > > > delay_access 1 allow allsrc > > > > # Reverse Proxy settings > > > > > > # Custom options before auth > > dns_nameservers 8.8.8.8 10.12.0.33 > > cache_peer 10.12.0.32 parent 80 0 no-query no-digest no-tproxy proxy-only > > > > # Setup allowed acls > > # Allow local network(s) on interface(s) > > http_access allow localnet > > # Default block all to be sure > > http_access deny allsrc > > > > > > > > cheers > > > > From: Yuri Voinov [mailto:yvoinov@xxxxxxxxx] > Sent: Tuesday, November 10, 2015 9:43 PM > To: Ahmad Alzaeem > Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx > Subject: Re: cache peer only forward http , not https !!! > > > > > I think, we need to take a look on your squid.conf first. > > 10.11.15 23:18, Ahmad Alzaeem пишет: > > Thank you , > > > > > > > > > > > > > > > > > Can you just guide me for the https peer directive plz ? > > > > > > > > > I can take care of https intercept > > > > > > > > > > > > > > > > > So with http , we have directive cache_peer 10.12.0.32 > > parent 8080 0 no-query no-digest > > > > > > > > > > > > > > > > > As ok > > > > > > > > > > > > > > > > > Now what about https directive ? > > > > > > > > > Can u help me > > > > > > > > > > > > > > > > > Thanks a lot a lot a lot for your help > > > > > > > > > > > > > > > > > cheers > > > > > > > > > > > > > > > > > > > > > > > > > From: squid-users > > [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of > > Yuri Voinov > > > > > Sent: Tuesday, November 10, 2015 8:49 PM > > > > > To: squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> > > > > > Subject: Re: cache peer only forward http , not > > https !!! > > > > > > > > > > > > > > > > > > > > > 1. You need to configure Squid with SSL Bump to capture HTTPS > > traffic. > > > > > 2. You need to configure forwarded requests with splice/no > > bump. :) > > > > > > > > > 10.11.15 22:42, Ahmad Alzaeem пишет: > > > > > > Hi Guys I want proxy and I > > > > > > > > > want it to forward http & https to remote proxy > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Does the command below enogh ? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > cache_peer 10.12.0.32 parent 8080 0 no-query > > no-digest > > > > > > > > > no-tproxy > > > > > > > > > > > > > > > > > > proxy-only > > > > > No. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > or I need to add other line for https ?? > > > > > No. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > BTW the command line above work only for http not > > for https > > > > > Sure. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any help ? > > > > > > > > > *** DISCLAMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLIND > > COPY-N-PASTE IT IN YOUR ENVIRONMENT! *** > > > > > > > > > # Privoxy+Tor acl > > > > > acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor" > > > > > > > > > # SSL bump rules > > > > > sslproxy_cert_error allow all > > > > > acl DiscoverSNIHost at_step SslBump1 > > > > > ssl_bump peek DiscoverSNIHost > > > > > acl NoSSLIntercept ssl::server_name_regex -i > > "C:/Squid/etc/squid/url.nobump" > > > > > acl NoSSLIntercept ssl::server_name_regex -i > > "C:/Squid/etc/squid/url.tor" > > > > > ssl_bump splice NoSSLIntercept > > > > > ssl_bump bump all > > > > > > > > > # Privoxy+Tor access rules > > > > > never_direct allow tor_url > > > > > > > > > # Local Privoxy is cache parent > > > > > cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default > > > > > > > > > cache_peer_access 127.0.0.1 allow tor_url > > > > > cache_peer_access 127.0.0.1 deny all > > > > > > > > > As you can see, this is just example. The idea described with > > first two lines of my answer above. > > > > > This snippet works for torified sites described in tor_url > > acl. > > > > > NB: I do not guarantee this will work on your environment! > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > > > > > > > > squid-users mailing list > > > > > > > > > > > > > > > > > > squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> > > <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> > > > > > > > > > > > > > > > > > > http://lists.squid-cache.org/listinfo/squid-users > > > > > > > > > > > > > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWQmZSAAoJENNXIZxhPexGET4IALyngp8cFZvt9hx0uv/6UU68 gNFrkv81onp5G12sgK87zpk5gdOSQBXSXCcx+fQpLNKfWRdP4FLdq0kZpXRDqLbB 70zMqir42nqT+73FNekcjw3+Csb3RQLWIPO3M4wu9RfP91NnB84BVcuay/jindhF +bNrFijg9r7iw/tS5XE8CKdvc6hzSpC66fSJ8RWMf7ieDCn+u2+g/gDai8LhpQRs /IauwO3HxsnHc8a8kTm/UYwgO/BV/Wlwn7q0YDK8hLFnoaZZLQdCluhtl/vsClpl EGKW73xR+SoNHCPjpFDrc9fSLYSOIaQPqw5XFuQkWEyN5mrGMX9DaO44vLU/OZI= =TATV -----END PGP SIGNATURE----- |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
