Hey Ahmad,

Since these apps are having issues it means that either squid or they are broken, or … both. The basic issue is that from one side you want to intercept while you don't want to break the passing traffic. Squid's task is to work with every piece of the OS and the traffic, including parsing and "understanding" the passing traffic. The issue is that currently (3.5) squid doesn't have any way to not break HTTPS once it was intercepted and was unwrapped. The deeper issue is that many applications are using HTTP+HTTPS in a way that needs a couple of twists and causes security complications.

It would be kind of "simple" to resolve the issue by bypassing squid SSL unwrapping. If you don't care about security and you care more about caching what is possible and not caching "everything", this is the right solution. It is possible to use a technique which will collect information about the destination HOST to be a valid HTTPS service before splicing but.. it has its own overheads, but if you care less about caching and more about the service then it's the right solution.

Just to illustrate, an ACL and filtering proxy will be pretty "simple" compared to one with caching overheads, since all the resources would be dedicated to the actual decision part of the service rather than the disk IO and cached objects DB lookups.

From what I remember squid 4 is supposed to have a basic option that will differentiate between STANDARD https and other protocols. I have not tested it yet but I am still processing 4 ideas in general.

Eliezer

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of --Ahmad--

Hi,
I have squid that is working on 3.5. Port 80 and 443 traffic goes to Squid via IPTables. Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic and PKI has been set up and distributed to all clients. We have a problem with Skype for Business (Office 365) and Slack (chat app); it seems they are broken by the squid intercept.

current versions we have:
· Squid 3.5.19
· C-ICAP 0.4.2
· SquidclamAV 6.15
· ClamAV 0.99.2

=====================
here is squid.conf:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager

# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept

coredump_dir /var/cache/squid
visible_hostname test1
cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log
cache_effective_user squid
cache_effective_group squid

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

acl test-header dstdomain test.com
request_header_add X-TEST-GUID TEST test-header

#Custom Error Pages
error_directory /opt/www/squid

# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1

=======================================================
I think the best is to set up ACLs to bypass the interception for these applications like Skype for Business (Office 365) and Slack (chat app).

thank you
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
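As an added example, not from either poster: the "look at the destination before splicing" approach Eliezer describes, applied to the `ssl_bump server-first all` line in Ahmad's squid.conf. Squid 3.5 can peek at the TLS ClientHello (SNI) at step 1, splice the flows whose server name matches a bypass ACL, and bump the rest. The hostnames and the IP range below are placeholders I made up; the real names used by Skype for Business and Slack have to come from the vendors' documentation.

```squid
# Added example, not part of the original thread. Squid 3.5 syntax.
# Replaces this line in the squid.conf above:
#   ssl_bump server-first all

# SslBump step 1: Squid has the client TCP connection and the TLS
# ClientHello (with SNI) but has not contacted the server yet.
acl step1 at_step SslBump1

# Server names whose HTTPS must NOT be decrypted.
# PLACEHOLDERS: replace with the names the vendors publish.
acl nobump_sni ssl::server_name .sfb-placeholder.example .slack-placeholder.example

# Fallback for clients that send no SNI: bypass by destination IP.
# PLACEHOLDER range; fill from vendor documentation or access.log.
acl nobump_ip dst 192.0.2.0/24

# 1. Peek so that ssl::server_name is populated for the next rules.
ssl_bump peek step1
# 2. Splice matches: no generated certificate, and no ICAP/ClamAV
#    scan of these flows (that is the security trade-off of bypassing).
ssl_bump splice nobump_sni
ssl_bump splice nobump_ip
# 3. Everything else is decrypted and scanned as before.
ssl_bump bump all
```

Order matters: the peek rule must come before the splice rules, and because the decision is taken before Squid connects to the server, only SNI and destination IP are available here, not the server certificate.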