Bump... no comments on the config below?

On 10 February 2016 at 09:55, Alex Samad <alex@xxxxxxxxxxxx> wrote:
> auth_param negotiate program /usr/bin/ntlm_auth
> --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
> auth_param negotiate children 20 startup=0 idle=3
> auth_param negotiate keep_alive on
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --configfile
> /etc/samba/smb.conf-squid
> auth_param ntlm children 20 startup=0 idle=3
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --configfile
> /etc/samba/smb.conf-squid
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
> acl localnet src 10.32.80.0/24
> acl localnet_auth src 10.32.0.0/14
> acl localnet_auth src 10.172.0.0/16
> acl localnet_auth src 10.43.200.51/32
> acl localnet_guest src 10.172.202.0/24
> acl localnet_appproxy src 10.172.203.30/32
> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
> acl FTP proto FTP
> acl DMZSRV src 10.32.20.110
> acl DMZSRV src 10.32.20.111
> acl MsUpdateAllowed src 10.32.70.100
> acl DirectExceptions url_regex -i
> ^http://(www.|)smh.com.au/business/markets-live/.*
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> acl SQUIDSPECIAL urlpath_regex ^/squid-internal-static/
> acl AuthorizedUsers proxy_auth REQUIRED
> acl icp_allowed src 10.32.20.110/32
> acl icp_allowed src 10.32.20.111/32
> acl icp_allowed src 10.172.203.30/32
> acl icp_allowed src 10.172.203.34/32
> acl windowsupdate_url url_regex -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl windowsupdate_url url_regex -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl windowsupdate_url url_regex -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> acl notwindowsupdate_url dstdomain (ctldl|crl).windowsupdate.com
> http_access allow manager localhost
> http_access allow manager icp_allowed
> http_access deny manager
> http_access allow icp_allowed
> http_access allow SQUIDSPECIAL
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow localnet_appproxy
> http_access deny !localnet_auth
> http_access allow localnet_guest sblYBOveride
> http_access deny localnet_guest sblMal
> http_access deny localnet_guest sblPorn
> http_access allow localnet_guest
> http_access allow nonAuthSrc
> http_access allow nonAuthDom
> http_access allow sblYBOveride FTP
> http_access allow sblYBOveride AuthorizedUsers
> http_access deny sblMal
> http_access deny sblPorn
> http_access allow FTP
> http_access allow AuthorizedUsers
> http_access deny all
> http_port 3128
> http_port 8080
>
> # is there some way to declare both ports on the same line?
>
> #http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ybsquidca.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> #http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/ybsquidca.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> cache_mem 40960 MB
> cache_mgr operations.manager@xxxxxxx
> cache_dir aufs /var/spool/squid 550000 16 256
> always_direct allow FTP
> always_direct allow DMZSRV
> always_direct allow DirectExceptions
> ftp_passive off
> ftp_epsv_all off
> miss_access allow notwindowsupdate_url
> miss_access allow MsUpdateAllowed windowsupdate_url
> miss_access deny !DMZSRV windowsupdate_url
> coredump_dir /var/spool/squid
> range_offset_limit none windowsupdate_url
> maximum_object_size none windowsupdate_url
> quick_abort_min -1
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320
> 80% 129600 reload-into-ims
> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
> 4320 80% 129600 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320
> 80% 129600 reload-into-ims
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern .
> 0 20% 4320
> cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query
> no-delay allow-miss
> icp_port 0
> icp_access allow icp_allowed
> icp_access deny all
> htcp_port 4827
> htcp_access allow icp_allowed
> htcp_access deny all
> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
> cache deny nonCacheDom
> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
> cache deny nonCacheURL
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_service service_req reqmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache bypass=1
> icap://127.0.0.1:1344/srv_clamav
> adaptation_access service_resp allow all
> ipcache_size 10240
> forwarded_for delete
> cache_swap_low 90
> cache_swap_high 95
> log_icp_queries off
> icap_preview_enable on
> icap_preview_size 1024
> httpd_suppress_version_string on
> max_filedesc 8192
> delay_pools 2
> delay_class 1 1
> delay_parameters 1 1310720/2621440
> acl Delay_Domain dstdomain -i "/etc/squid/lists/delayDom.lst"
> delay_access 1 deny DMZSRV
> delay_access 1 allow Delay_Domain
> delay_class 2 1
> delay_parameters 2 7864320/104857602
> delay_access 2 deny DMZSRV
> delay_access 2 allow ALL
>
> # I had the ssl-bump section commented out after testing;
> # it is uncommented here so it can be reviewed.
>
>
> ##
> ## # http://wiki.squid-cache.org/Features/SslPeekAndSplice
> ##
>
>
> # ssl-bump
> # pick up from a file
> #acl NoBump ssl::server_name "/etc/squid/lists/noSSLPeek.lst"
> acl spliceOnly ssl::server_name .abc.com
>
> # Alex test machine
> acl testIP src 10.172.208.105/32
>
> # for testing
> acl haveServerName ssl::server_name .nab.com.au
>
>
> # Splice indeterminate traffic.
> # NOTE: ssl_bump rules are evaluated top-down and the first matching rule
> # wins, so with "splice all" as the very first rule every CONNECT is
> # spliced (tunnelled without inspection, so the ICAP/ClamAV respmod never
> # sees the HTTPS content) and the "!testIP", "spliceOnly", "bump all" and
> # "peek all" rules below are never reached. To peek first and only bump
> # the test machine, the peek rule has to come before the splice/bump
> # rules, e.g. "ssl_bump peek all", then "ssl_bump splice spliceOnly",
> # "ssl_bump splice !testIP", and finally "ssl_bump bump all".
> ssl_bump splice all
> ssl_bump splice !testIP
> ssl_bump splice spliceOnly
> #ssl_bump splice NoBump
> #ssl_bump bump haveServerName
> ssl_bump bump all
> ssl_bump peek all
> ssl_bump splice all
>
>
>
> On 10 February 2016 at 04:36, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 9/02/2016 11:17 p.m., ksv rgh wrote:
>>> @Alex, could you please share the config options that you set while
>>> building squid for ssl-bumping.
>>
>> The build options for ssl-bump features are these:
>>
>> ./configure --with-openssl --enable-ssl-crtd
>>
>> If (and only if) you have OpenSSL installed at a non-default location
>> such as /custom/path/... then use --with-openssl=/custom/path .
>>
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users