Hi,

I have Squid that is working on 3.5. Port 80 and 443 traffic is sent to Squid via IPTables. Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic, and PKI has been set up and distributed to all clients.

We have a problem with Skype for Business (Office 365) and Slack (chat app): it seems they are broken by the Squid intercept.

Current versions we have:

· Squid 3.5.19
· C-ICAP 0.4.2
· SquidclamAV 6.15
· ClamAV 0.99.2

=====================
Here is squid.conf:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager

# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept

coredump_dir /var/cache/squid
visible_hostname test1
cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log
cache_effective_user squid
cache_effective_group squid

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

acl test-header dstdomain test.com
request_header_add X-TEST-GUID TEST test-header

#Custom Error Pages
error_directory /opt/www/squid

# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1

=======================================================

I think the best approach is to set up ACLs to bypass the interception for these applications, like Skype for Business (Office 365) and Slack (chat app).

Thank you
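One way to set up the bypass the post asks about, as an added example that is not part of the original message or of any reply: a Squid 3.5 peek-and-splice fragment that tunnels selected TLS destinations untouched and bumps the rest. The ACL name `nobump_sites` and the domain list are illustrative assumptions; the real list has to come from the vendors' published endpoint documentation.

```conf
# Added example, not the poster's configuration.
# Replaces the single line "ssl_bump server-first all" from the posted
# squid.conf; the https_port, sslcrtd_* and sslproxy_* lines stay as they are.

# Step 1 of the TLS handshake: Squid has the TCP destination and, after
# peeking at the ClientHello, the SNI host name the client asked for.
acl step1 at_step SslBump1

# Destinations that must not be decrypted (certificate-pinning or
# otherwise intercept-intolerant clients). ASSUMPTION: these domains are
# placeholders chosen for illustration, not a complete or verified list.
acl nobump_sites ssl::server_name .slack.com
acl nobump_sites ssl::server_name .lync.com
acl nobump_sites ssl::server_name .skype.com

# Read the ClientHello first so ssl::server_name has an SNI to match.
ssl_bump peek step1

# Matching connections are passed through as an opaque TCP tunnel:
# the client sees the origin server's own certificate, not one
# generated by ssl_crtd.
ssl_bump splice nobump_sites

# Everything else is still decrypted and inspected as before.
ssl_bump bump all

# Consequence to account for: spliced connections are never decrypted,
# so the reqmod/respmod ICAP services (squidclamav) see none of their
# content. Keep the splice list as narrow as the applications allow.
```

Rule order matters here: `ssl_bump` rules are evaluated top to bottom at each handshake step, so the `splice` line has to precede `bump all`.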