On 18/11/2015 3:55 a.m., Patrick Flaherty wrote:
> Hello,
>
> Here is my squid config.
>
> -Patrick
>

With this configuration Squid is relaying CONNECT messages as-is. Squid has nothing to do with the crypto layer(s) inside the tunnel being set up, it is just a blind relay for the data.

From the packet trace I see a 200 status being sent by Squid to the client. So as far as Squid is concerned the tunnel setup is successfully completed.

==> Meaning those crypto problems are directly and only between the client and the server software. Nothing to do with Squid.

> # Squid Proxy Configuration
>
> http_port 3128
>
> # acl and http_access to ("whitelist.txt")
> acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
> http_access allow whitelist
>
> # network source of proxy traffic
> acl localnet src 0.0.0.0/0.0.0.0

You have defined the *entire IPv4 Internet* as being your LAN. This is terrible in several ways:

1) the ACL definition for that should correctly be:
   acl localnet src ipv4

2) it would allow almost unrestricted use of your proxy by any attacker who can find it. (if it was actually working, see #4 below)

3) entire IPv4-space is not yours to own. If the intention was to not service IPv6 clients at all, use this
   http_port 0.0.0.0:3128
or this if you want to continue actively sending "Access Denied" for all IPv6 clients:
   acl ipv4 src ipv4
   http_access deny !ipv4

>
> # acl directives for ports and protocols
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl sslports port 443
> acl CONNECT method CONNECT
>
> # rules allowing proxy access
> http_access allow http port_80 whitelist localnet
> http_access allow https sslports whitelist localnet
>

4) You already did "allow whitelist" with no restrictions. These controls with extra restrictions are doing nothing.

> # dns servers (Change dns_nameservers to client dns servers for consistency and better performance)
> dns_nameservers 8.8.8.8 8.8.4.4

Why not set up a proper *working* recursive resolver within your network? It will most probably be actually faster than sending your DNS traffic halfway around the world and back. You can have that local resolver use 8.8.8.8/8.8.4.4 if they really are faster than your own ISP's resolver. And divert the LAN clients' port 53 traffic through it if your clients insist on using other resolvers.

>
> # cache web pages directory
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
> cache_mem 64 MB
>
> # log file roll weekly
> logfile_rotate 7
>
> # access log rules
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

The basic log formats are now built-in. Please do not re-define them. Squid-3 will ignore your config.

Amos
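The points raised in the reply above (the all-of-IPv4 "localnet", the unrestricted "allow whitelist" that makes the later rules dead, and the redundant logformat) can be seen side by side in a rewritten squid.conf. The following is an added example, not the original poster's configuration nor anything from the thread; the LAN prefixes, the resolver address, and the log path are assumptions and are marked as such in the comments.

```conf
# Added example: a tightened rewrite of the quoted squid.conf. Not from the
# thread. LAN prefixes, resolver address and log path are assumed values.

# Bind to IPv4 only, as the reply suggests, instead of the bare "3128".
http_port 0.0.0.0:3128

# WEAK (as quoted): acl localnet src 0.0.0.0/0.0.0.0
#   -> matches every IPv4 address, so "localnet" is not a LAN at all.
# TIGHTENED: list the prefixes that actually are the LAN (assumed values).
acl localnet src 192.168.1.0/24
acl localnet src 10.0.0.0/8

acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Deny odd ports before any allow rule; http_access is first-match-wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# WEAK (as quoted): http_access allow whitelist
#   -> no source restriction, and because it matches first the narrower
#      "allow http port_80 whitelist localnet" lines after it never run.
# TIGHTENED: one allow rule in which every ACL on the line must match,
# i.e. a LAN source AND a whitelisted destination.
http_access allow localnet whitelist

# Everything else, including every non-LAN source, is refused.
# "all" is a built-in ACL in Squid-3.
http_access deny all

# A recursive resolver inside the network (placeholder documentation
# address, not a real resolver).
dns_nameservers 192.0.2.53

cache_mem 64 MB
logfile_rotate 7

# Use the built-in "squid" log format rather than re-defining it.
# Log path is an assumption.
access_log c:/squid/var/log/squid/access.log squid
```

Rule order is the whole point: Squid stops at the first http_access line whose ACLs all match, so a broad allow placed early silently overrides every narrower rule that follows it. After editing, `squid -k parse` checks the file for syntax problems before a reload.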