Re: filtering http(s) sites, transparently

After being side-tracked with a few different projects, I ended up with the config below. It appears to do the right things, though the ACL organization could use some cleanup...
(Browsing to authorized sites works; browsing to something else, I get a denied page from squid.)

However, even though msdn.microsoft.com is on my whitelist, it appears to "timeout". Looking at the logs, I see entries like this:

2016/09/20 15:10:19.640 kid1| SECURITY ALERT: Host header forgery detected on local=65.54.226.150:443 remote=10.11.12.13:51984 FD 18 flags=33 (local IP does not match any domain IP)
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: By user agent:
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: on URL: msdn.microsoft.com:443
2016/09/20 15:10:19.640 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CONFLICT_HOST. Using default error file.
2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable: StoreEntry::checkCachable: NO: not cachable
2016/09/20 15:10:19.641 kid1| 88,2| client_side_reply.cc(2001) processReplyAccessResult: The reply for CONNECT msdn.microsoft.com:443 is ALLOWED, because it matched SniBypass
2016/09/20 15:10:19.641 kid1| 33,2| client_side.cc(925) deferRecipientForLater: clientSocketRecipient: Deferring request msdn.microsoft.com:443

What is interesting is that we changed from using 8.8.8.8 as our DNS server to a locally installed bind instance, and we no longer see any issues.
That is NOT what I expected... I can't explain why the client browser was hanging. Any suggestions?

It's all happy now, with the following config, with a firewall doing policy-based routing, a local iptables rule to redirect from port 443 to 8443 and from 80 to 3129, as well as the certificate deployed as trusted on each endpoint:

squid.conf:
# setup standard ports
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# for security
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# not actually used and blocked by local firewall on host, but squid complains if it's not there...
http_port 3128

# http intercept, and ACL that matches that inbound port
http_port 3129 intercept
acl http_proxy myportname 3129

# same for https
https_port 8443 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=64MB \
    cert=/etc/squid/ssl/proxy.pem \
    key=/etc/squid/ssl/proxy.key \
    cafile=/etc/squid/ssl/proxy.pem
acl https_proxy myportname 8443

always_direct allow all

# define the steps needed for bumping...
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# and the list of domains that are allowed
acl SniBypass ssl::server_name_regex -i "/etc/squid/snibypass.acl"
acl http_bypass dstdom_regex -n -i "/etc/squid/snibypass.acl"

# ensure we have target SSL port when checking data
acl https_ok all-of SniBypass SSL_ports
# and the destination domain when not SSL...
acl http_ok all-of http_bypass Safe_ports

# splice when we know the target matches
ssl_bump splice SniBypass
# peek and bump otherwise
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

# some options for the certificate generation..
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cert_sign_hash sha256
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 64MB
sslcrtd_children 8 startup=1 idle=1

# for http, let's block if we're not on the whitelist
http_access         deny !http_ok        http_proxy
# for https, let's wait until step3 of the bumping, so we can replace the SSL content post-bumping
http_access         deny !https_ok step3 https_proxy

# never cache anything
cache deny all

#for windows updates
quick_abort_min -1
range_offset_limit 0 all

shutdown_lifetime 2 seconds
connect_timeout 20 seconds
#debug_options ALL,2

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
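The "Host header forgery" alert in the post is Squid's intercept-mode sanity check: the address the client actually connected to (the local= IP in the alert) must be one of the addresses the proxy itself resolves for the name the client claims in the Host header or SNI, otherwise the request is flagged and, as the log shows, answered with an ERR_CONFLICT_HOST page rather than forwarded. Names fronted by large CDNs can legitimately resolve to different address sets depending on which resolver asks, so a client and a proxy using different resolvers can disagree even though nobody is forging anything. The following is an added example, not code from the post or from Squid itself: a small Python model of that check, run over the SECURITY ALERT lines quoted above, together with the case-insensitive regex whitelist matching that the SniBypass ACL relies on. The contents of snibypass.acl and the two resolver views are constructed for the example; the decision logic is a simplified model of the posted config (splice on a whitelisted SNI, bump everything else), not Squid's actual implementation.

```python
import re
from typing import Dict, List, Set, Tuple

# The SECURITY ALERT lines from cache.log, as quoted in the post above.
ALERT_LOG = """\
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: Host header forgery detected on local=65.54.226.150:443 remote=10.11.12.13:51984 FD 18 flags=33 (local IP does not match any domain IP)
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: By user agent:
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: on URL: msdn.microsoft.com:443
"""

# Constructed contents for /etc/squid/snibypass.acl: one regex per line, the
# format ssl::server_name_regex and dstdom_regex read from a file.
SNIBYPASS_ACL = r"""
# names we are willing to splice (pass through without bumping)
(^|\.)microsoft\.com$
(^|\.)windowsupdate\.com$
"""

# Constructed resolver answers for the same names as seen by two different
# resolvers (TEST-NET addresses for the second name). The forgery check only
# ever consults the proxy's own answer; the client's answer decides which
# address it really connects to, i.e. the local= IP in the alert.
RESOLVER_VIEWS: Dict[str, Dict[str, Set[str]]] = {
    "resolver-A": {"msdn.microsoft.com": {"65.54.226.150", "65.54.226.152"},
                   "www.example.com": {"203.0.113.10"}},
    "resolver-B": {"msdn.microsoft.com": {"65.54.226.151", "65.54.226.153"},
                   "www.example.com": {"203.0.113.10"}},
}

ALERT_RE = re.compile(
    r"forgery detected on local=(?P<local>[\d.]+):(?P<port>\d+) remote=(?P<remote>[\d.]+):\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def parse_alert(log: str) -> Dict[str, str]:
    """Pull the intercepted destination IP and the claimed host out of one alert block."""
    m_conn = ALERT_RE.search(log)
    m_url = URL_RE.search(log)
    if not (m_conn and m_url):
        raise ValueError("incomplete SECURITY ALERT block")
    return {"local_ip": m_conn["local"], "port": m_conn["port"],
            "remote_ip": m_conn["remote"], "host": m_url["host"]}


def load_regex_acl(text: str) -> List[re.Pattern]:
    """Compile a regex ACL file; '-i' on the acl line means case-insensitive."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def sni_allowed(server_name: str, patterns: List[re.Pattern]) -> bool:
    """A regex ACL matches if any pattern is found anywhere in the name."""
    return any(p.search(server_name) for p in patterns)


def host_forgery_check(local_ip: str, host: str,
                       proxy_view: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """The intercepted destination must be among the IPs the proxy resolves for the claimed name."""
    if local_ip in proxy_view.get(host, set()):
        return True, "local IP matches a domain IP"
    return False, "local IP does not match any domain IP"


def decide_https(local_ip: str, host: str, proxy_view: Dict[str, Set[str]],
                 patterns: List[re.Pattern]) -> str:
    """Simplified model of the posted config for an intercepted port-443 connection:
    a failed host check ends in the ERR_CONFLICT_HOST page seen in the log; otherwise a
    whitelisted SNI is spliced and anything else is bumped (and later denied at step3)."""
    ok, _ = host_forgery_check(local_ip, host, proxy_view)
    if not ok:
        return "ERR_CONFLICT_HOST"
    return "splice" if sni_allowed(host, patterns) else "bump"


def replay_alert(log: str = ALERT_LOG, proxy_resolver: str = "resolver-B") -> str:
    """Re-run the alert from the log against a chosen proxy-side resolver view."""
    alert = parse_alert(log)
    return decide_https(alert["local_ip"], alert["host"],
                        RESOLVER_VIEWS[proxy_resolver], load_regex_acl(SNIBYPASS_ACL))


if __name__ == "__main__":
    alert = parse_alert(ALERT_LOG)
    for name in RESOLVER_VIEWS:
        ok, why = host_forgery_check(alert["local_ip"], alert["host"], RESOLVER_VIEWS[name])
        print(f"proxy resolving via {name}: {why} -> {replay_alert(proxy_resolver=name)}")
```

Replaying the quoted alert shows the shape of the failure: with the proxy resolving msdn.microsoft.com through a view that does not contain 65.54.226.150 the connection ends in ERR_CONFLICT_HOST before the SniBypass splice rule is ever reached, while a view that agrees with the client's answer lets the whitelisted SNI splice through. When checking a config like the one above, compare what the clients and the proxy resolve for a whitelisted name from the same vantage point before assuming the ACLs are at fault.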
