# Squid configuration as posted: an intercepting HTTP (3128) and HTTPS (3129)
# proxy with SSL bump, plus a plain forward-proxy port (3127).
# NOTE(review): the paste had every directive wrapped across two or more
# lines; each directive is re-joined here exactly as the "squid -k parse"
# output further down shows Squid reading it.

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# http_access lines are evaluated top-down; the first matching line decides.
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager
# NOTE(review): there is no closing "http_access deny all". When no line
# matches, Squid applies the opposite of the last line in the list; the last
# line here is "deny manager", so unmatched requests are allowed. Confirm that
# is intended; a default-deny is the usual closing rule.

# Squid normally listens to port 3128
# 3127 is a regular forward-proxy port; 3128 is the transparent (intercept)
# port. The parse output notes that proxy authentication is disabled on
# intercept ports, so any access control on 3128/3129 must be source-based.
http_port 3127
http_port 3128 intercept

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
visible_hostname shield.TodylInc.shield
cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log

# user and group Squid drops privileges to after startup
cache_effective_user squid
cache_effective_group squid

# NOTE(review): this line references an ACL named "todyl" that is not defined
# anywhere in the config as posted. The parse output shows
# "acl todyl dstdomain todyl.com" being processed immediately before this
# directive, so the paste is missing that ACL line; the header is only added
# to requests matching it.
request_header_add X-TODYL-GUID 1e46dccd2 todyl

# Custom Error Pages
error_directory /opt/www/squid

# HTTPS intercept listen port with SSL bump.
# key= is the private key of the CA that signs the generated host
# certificates; it should be readable only by the cache_effective_user, since
# anyone holding it can mint certificates trusted by every bumped client.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
# NOTE(review): ssl_bump rules are evaluated in order and the first matching
# rule at each step wins. "server-first all" matches every connection, so the
# splice/peek/bump rules below should never be reached and the NoSSLIntercept
# exclusion list would have no effect. If the peek-and-splice rules below are
# the intended policy, this legacy line is the one to remove — verify against
# the Squid version in use.
ssl_bump server-first all
# Helper that generates per-host certificates; -s is its on-disk cert database.
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
##############################################
# Matches at step 1, when only the client hello (SNI) has been seen.
acl DiscoverSNIHost at_step SslBump1
# Server names (case-insensitive regex, one per line in the quoted file) that
# must not be intercepted; these are spliced through untouched.
acl NoSSLIntercept ssl::server_name_regex -i "/opt/etc/squid.doms.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
##################
#Hardening
# NOTE(review): only SSLv2 and SSLv3 are disabled here and on https_port;
# nothing in this file restricts TLS 1.0/1.1 on server-side connections.
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
# NOTE(review): "EECDH+aRSA+RC4" is listed, but the later "!RC4" removes RC4
# unconditionally (a "!" exclusion cannot be re-added by an earlier entry), so
# that entry is dead and can be dropped without changing the negotiated set.
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# TUNING
# aufs store: 40000 MB in /var/cache/squid, 16 first-level and 256
# second-level subdirectories.
cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
# 0 KB for both abort thresholds: aborted client fetches are not continued.
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
# Resolver used by Squid itself (overrides /etc/resolv.conf).
dns_nameservers 10.192.0.1
##################################################################
Here is the output of `squid -k parse`:
[root@1e46dccd2
var]# squid -k parse
2016/06/27
08:06:08| Startup: Initializing Authentication
Schemes ...
2016/06/27
08:06:08| Startup: Initialized Authentication Scheme
'basic'
2016/06/27
08:06:08| Startup: Initialized Authentication Scheme
'digest'
2016/06/27
08:06:08| Startup: Initialized Authentication Scheme
'negotiate'
2016/06/27
08:06:08| Startup: Initialized Authentication Scheme
'ntlm'
2016/06/27
08:06:08| Startup: Initialized Authentication.
2016/06/27
08:06:08| Processing Configuration File:
/opt/etc/squid.conf (depth 0)
2016/06/27
08:06:08| Processing: acl localnet src 10.0.0.0/8 #
RFC1918 possible internal network
2016/06/27
08:06:08| Processing: http_access allow localnet
2016/06/27
08:06:08| Processing: http_access allow localhost
2016/06/27
08:06:08| Processing: http_access allow localhost
manager
2016/06/27
08:06:08| Processing: http_access deny manager
2016/06/27
08:06:08| Processing: http_port 3127
2016/06/27
08:06:08| Processing: http_port 3128 intercept
2016/06/27
08:06:08| Starting Authentication on port [::]:3128
2016/06/27
08:06:08| Disabling Authentication on port [::]:3128
(interception enabled)
2016/06/27
08:06:08| Processing: coredump_dir /var/cache/squid
2016/06/27
08:06:08| Processing: visible_hostname
shield.TodylInc.shield
2016/06/27
08:06:08| Processing: cache_log
/opt/var/log/squid/cache_log
2016/06/27
08:06:08| Processing: cache_access_log
/opt/var/log/squid/access_log
2016/06/27
08:06:08| Processing: cache_effective_user squid
2016/06/27
08:06:08| Processing: cache_effective_group squid
2016/06/27
08:06:08| Processing: acl todyl dstdomain todyl.com
2016/06/27
08:06:08| Processing: request_header_add
X-TODYL-GUID 1e46dccd2 todyl
2016/06/27
08:06:08| Processing: error_directory /opt/www/squid
2016/06/27
08:06:08| Processing: https_port 3129 intercept
ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
key=/opt/etc/pki/squid/ca-key.pem
cert=/opt/etc/pki/squid/ca.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
2016/06/27
08:06:08| Starting Authentication on port [::]:3129
2016/06/27
08:06:08| Disabling Authentication on port [::]:3129
(interception enabled)
2016/06/27
08:06:08| Processing: always_direct allow all
2016/06/27
08:06:08| Processing: ssl_bump server-first all
2016/06/27
08:06:08| Processing: sslcrtd_program
/opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
2016/06/27
08:06:08| Processing: sslcrtd_children 32 startup=5
idle=1
2016/06/27
08:06:08| Processing: acl DiscoverSNIHost at_step
SslBump1
2016/06/27
08:06:08| Processing: acl NoSSLIntercept
ssl::server_name_regex -i
"/opt/etc/squid.doms.nobump"
2016/06/27
08:06:08| Processing: ssl_bump splice NoSSLIntercept
2016/06/27
08:06:08| Processing: ssl_bump peek DiscoverSNIHost
2016/06/27
08:06:08| Processing: ssl_bump bump all
2016/06/27
08:06:08| Processing: sslproxy_options
NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
2016/06/27
08:06:08| Processing: sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
2016/06/27
08:06:08| Processing: cache_dir aufs
/var/cache/squid 40000 16 256
2016/06/27
08:06:08| Processing: store_dir_select_algorithm
round-robin
2016/06/27
08:06:08| Processing: minimum_object_size 0 KB
2016/06/27
08:06:08| Processing: maximum_object_size 96 MB
2016/06/27
08:06:08| Processing: memory_pools off
2016/06/27
08:06:08| Processing: quick_abort_min 0 KB
2016/06/27
08:06:08| Processing: quick_abort_max 0 KB
2016/06/27
08:06:08| Processing: log_icp_queries off
2016/06/27
08:06:08| Processing: client_db off
2016/06/27
08:06:08| Processing: cache_mem 1500 MB
2016/06/27
08:06:08| Processing: buffered_logs on
2016/06/27
08:06:08| Processing: half_closed_clients off
2016/06/27
08:06:08| Processing: dns_nameservers 10.192.0.1
2016/06/27
08:06:08| Initializing https proxy context
2016/06/27
08:06:08| Initializing https_port [::]:3129 SSL
context
2016/06/27
08:06:08| Using certificate in
/opt/etc/pki/squid/ca.pem
—————————————————————————————————
Here is access.log:
1467029265.989
50 10.192.0.12 TAG_NONE/200 0 CONNECT
52.84.29.139:443 - ORIGINAL_DST/52.84.29.139 -
1467029265.999
59 10.192.0.12 TAG_NONE/200 0 CONNECT
52.84.29.139:443 - ORIGINAL_DST/52.84.29.139 -
1467029266.222
53 10.192.0.12 TAG_NONE/200 0 CONNECT
172.217.5.14:443 - ORIGINAL_DST/172.217.5.14 -
1467029266.314
66 10.192.0.12 TAG_NONE/200 0 CONNECT
169.54.33.172:443 - ORIGINAL_DST/169.54.33.172 -
1467029266.469
42 10.192.0.12 TAG_NONE/200 0 CONNECT
199.27.76.249:443 - ORIGINAL_DST/199.27.76.249 -
1467029267.044
303 10.192.0.12 TAG_NONE/200 0 CONNECT
54.231.161.8:443 - ORIGINAL_DST/54.231.161.8 -
1467029267.482
145 10.192.0.12 TAG_NONE/200 0 CONNECT
54.172.232.15:443 - ORIGINAL_DST/54.172.232.15 -
1467029267.771
167 10.192.0.12 TAG_NONE/200 0 CONNECT
52.91.147.164:443 - ORIGINAL_DST/52.91.147.164 -
1467029268.106
153 10.192.0.12 TAG_NONE/200 0 CONNECT
52.23.253.30:443 - ORIGINAL_DST/52.23.253.30 -
1467029268.449
160 10.192.0.12 TAG_NONE/200 0 CONNECT
52.201.253.102:443 - ORIGINAL_DST/52.201.253.102 -
1467029268.764
149 10.192.0.12 TAG_NONE/200 0 CONNECT
52.91.121.224:443 - ORIGINAL_DST/52.91.121.224 -
1467029273.699
57 10.192.0.12 TCP_MISS/200 951 GET
http://lyncdiscover.todyl.com/?
- ORIGINAL_DST/131.253.163.205
application/vnd.microsoft.rtc.autodiscover+xml
1467029273.713
72 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.163.205:443 - ORIGINAL_DST/131.253.163.205 -
1467029273.797
73 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029273.952
74 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029274.077
76 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029274.430
152 10.192.0.12 TAG_NONE/200 0 CONNECT
23.96.208.238:443 - ORIGINAL_DST/23.96.208.238 -
1467029274.720
75 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029274.936
73 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029275.099
72 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.139:443 - ORIGINAL_DST/131.253.161.139 -
1467029275.216
70 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.147:443 - ORIGINAL_DST/131.253.161.147 -
1467029275.524
107 10.192.0.12 TAG_NONE/200 0 CONNECT
134.170.113.218:443 - ORIGINAL_DST/134.170.113.218 -
1467029279.731
24 10.192.0.12 TCP_MISS/200 951 GET
http://lyncdiscover.todyl.com/?
- ORIGINAL_DST/131.253.163.205
application/vnd.microsoft.rtc.autodiscover+xml
1467029279.778
71 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.163.205:443 - ORIGINAL_DST/131.253.163.205 -
1467029279.814
76 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029279.922
70 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029280.032
73 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.142:443 - ORIGINAL_DST/131.253.161.142 -
1467029280.180
73 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.139:443 - ORIGINAL_DST/131.253.161.139 -
1467029280.270
73 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.161.147:443 - ORIGINAL_DST/131.253.161.147 -
1467029280.396
107 10.192.0.12 TAG_NONE/200 0 CONNECT
134.170.113.218:443 - ORIGINAL_DST/134.170.113.218 -
1467029287.555
75 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.673
92 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.729
41 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.784
46 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.801
92 10.192.0.12 TAG_NONE/200 0 CONNECT
131.253.61.68:443 - ORIGINAL_DST/131.253.61.68 -
1467029287.859
61 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.926
52 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029287.998
56 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029288.051
40 10.192.0.12 TAG_NONE/200 0 CONNECT
157.55.133.204:443 - ORIGINAL_DST/157.55.133.204 -
1467029288.422
48 10.192.0.12 TAG_NONE/200 0 CONNECT
13.90.208.215:443 - ORIGINAL_DST/13.90.208.215 -
1467029288.882
311 10.192.0.12 TAG_NONE/200 0 CONNECT
104.41.32.78:443 - ORIGINAL_DST/104.41.32.78 -
Any help?