Two questions regarding ssl_bump and peek/splice.

Can anyone point me to a deep dive or something like that about how ssl_bump and peek/splice etc. work? The more technical the better. I don't want to ask a ton of questions about some of the errors I'm getting without fully understanding what is going on.

I currently have squid working almost the way I want it, with just a few remaining issues. One of them is that with SSL sites I seem to get a lot of "not private, cert authority" messages, and then I have to add that site to an ACL so it is not bumped. Regarding my first question, I want to understand why.

My second question I think is a quickie. Can you run 2 log files? The reason is that I use squidanalyzer and it only reads the standard log format, but there are better log formats for what I'm doing. I'd like to keep dual logs while I work on my own analyzer that reads that log file. You can see the logformat line commented out along with some other log lines.

Thanks much

Here is my current working config.

#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#acls from blacklist
acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl"
acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl"
acl china dst -n "/etc/squid3/acls/ccd-china.acl"
acl india dst -n "/etc/squid3/acls/ccd-india.acl"
acl iran dst -n "/etc/squid3/acls/ccd-iran.acl"
acl nigeria dst -n "/etc/squid3/acls/ccd-nigeria.acl"
# note: the pakistan acl below currently reads the nigeria list file
acl pakistan dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl romania dst -n "/etc/squid3/acls/ccd-romania.acl"
acl russia dst -n "/etc/squid3/acls/ccd-russia.acl"
acl syria dst -n "/etc/squid3/acls/ccd-syria.acl"
acl ukraine dst -n "/etc/squid3/acls/ccd-ukraine.acl"
acl uzbekistan dst -n "/etc/squid3/acls/ccd-uzbekistan.acl"
acl ips dst -n "/etc/squid3/acls/broken_ips.acl"

#allow/deny (first matching rule wins)
http_access allow allowed
http_access allow ips
http_access deny prime
http_access deny china
http_access deny india
http_access deny iran
http_access deny nigeria
http_access deny pakistan
http_access deny romania
http_access deny russia
http_access deny syria
http_access deny ukraine
http_access deny uzbekistan

http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

#ssl_bump peek all
ssl_bump peek !broken_sites
ssl_bump splice all
#ssl_bump splice !broken_sites

sslproxy_capath /etc/ssl/certs

sslcrtd_program /lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

# note: '>' fields are client-side (as in %>a), '<' fields are server-side
#logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
#access_log daemon:/var/log/squid3/test.log mine

#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

 

Bruce Markey | Network Security Analyst

STEINMAN COMMUNICATIONS

717.291.8758 (o) bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx

8 West King St | PO Box 1328, Lancaster, PA 17608-1328
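As an added example (not from the original post, and not Squid's own code), a small Python parser for the commented-out "mine" logformat above, run over constructed sample lines. It also lists CONNECT tunnels that were logged without an SNI, where Squid had no client-supplied server name and only the destination address was available.

```python
import re
from urllib.parse import unquote

# Field order follows the 'mine' logformat from the config above:
# %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
# The certificate subject may contain spaces, so it is matched lazily and the
# line is anchored from both ends (status, bytes and Ss:Sh never contain spaces).
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[^"\s]+)" '
    r'(?P<sni>\S+) (?P<cert_subject>.+?) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<squid_status>[A-Z_]+):(?P<hier>\S+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # The '[' modifier on %ui/%un %XX-encodes unsafe bytes; unquote reverses that
    # (assumption: the encoding is plain %XX, which urllib's unquote decodes).
    rec["ident"] = unquote(rec["ident"])
    rec["user"] = unquote(rec["user"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def tunnels_without_sni(lines):
    """CONNECT tunnels whose SNI field is '-': Squid saw no server name from
    the client, so only the destination address/URL is available to match on."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and rec["sni"] == "-":
            out.append(rec["url"])
    return out

# Constructed sample lines in the 'mine' format (not real traffic).
SAMPLE = [
    '192.168.200.50 - - [12/Jan/2016:10:15:22 -0500] "CONNECT www.example.com:443 HTTP/1.1" '
    'www.example.com /CN=www.example.com/O=Example Inc/C=US 200 3456 TCP_TUNNEL:HIER_DIRECT',
    '192.168.100.7 - - [12/Jan/2016:10:15:30 -0500] "CONNECT 203.0.113.10:443 HTTP/1.1" '
    '- - 200 0 TCP_TUNNEL:HIER_DIRECT',
    '192.168.200.51 - jdoe%20x [12/Jan/2016:10:16:01 -0500] "GET http://example.org/ HTTP/1.1" '
    '- - 200 812 TCP_MISS:HIER_DIRECT',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["client"], rec["sni"], rec["cert_subject"], rec["squid_status"])
    print("tunnels without SNI:", tunnels_without_sni(SAMPLE))
```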

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users