Jok, it can be a DNS leak. Did you test it? 8.8.8.8 can be poisoned (probably) or intercepted by the ISP.

27.10.2016 0:01, Jok Thuau wrote:
> After being side-tracked with a few different projects, I ended up with the config below. It appears to do the right things, though the ACL organization could use some cleanup...
> (Browsing to authorized sites works; browsing to something else, I get a denied page from squid)
>
> However, even though msdn.microsoft.com is on my whitelist, it appears to "timeout". Looking at the logs, I see entries like this:
>
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: Host header forgery detected on local=65.54.226.150:443 remote=10.11.12.13:51984 FD 18 flags=33 (local IP does not match any domain IP)
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: By user agent:
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: on URL: msdn.microsoft.com:443
> 2016/09/20 15:10:19.640 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CONFLICT_HOST. Using default error file.
> 2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable: StoreEntry::checkCachable: NO: not cachable
> 2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable: StoreEntry::checkCachable: NO: not cachable
> 2016/09/20 15:10:19.641 kid1| 88,2| client_side_reply.cc(2001) processReplyAccessResult: The reply for CONNECT msdn.microsoft.com:443 is ALLOWED, because it matched SniBypass
> 2016/09/20 15:10:19.641 kid1| 33,2| client_side.cc(925) deferRecipientForLater: clientSocketRecipient: Deferring request msdn.microsoft.com:443
>
> What is interesting is that we changed from using 8.8.8.8 as our DNS server to a locally installed bind instance, and we no longer see any issues.
> That is NOT what I expected...
> I can't explain why the client browser was hanging. Any suggestions?
>
> It's all happy now, with the following config, with a firewall doing policy-based routing, a local iptables rule to redirect from port 443 to 8443 and from 80 to 3129, as well as the certificate deployed as trusted on each endpoint:
>
> squid.conf:
> # setup standard ports
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> # for security
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # not actually used and blocked by local firewall on host, but squid complains if it's not there...
> http_port 3128
>
> # http intercept, and ACL that matches that inbound port
> http_port 3129 intercept
> acl http_proxy myportname 3129
>
> # same for https
> https_port 8443 intercept ssl-bump \
>   generate-host-certificates=on \
>   dynamic_cert_mem_cache_size=64MB \
>   cert=/etc/squid/ssl/proxy.pem \
>   key=/etc/squid/ssl/proxy.key \
>   cafile=/etc/squid/ssl/proxy.pem
> acl https_proxy myportname 8443
>
> always_direct allow all
>
> # define the steps needed for bumping...
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # and the list of domains that are allowed
> acl SniBypass ssl::server_name_regex -i "/etc/squid/snibypass.acl"
> acl http_bypass dstdom_regex -n -i "/etc/squid/snibypass.acl"
>
> # ensure we have target SSL port when checking data
> acl https_ok all-of SniBypass SSL_ports
> # and the destination domain when not SSL...
> acl http_ok all-of http_bypass Safe_ports
>
> # splice when we know the target matches
> ssl_bump splice SniBypass
> # peek and bump otherwise
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all
>
> # some options for the certificate generation..
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
> sslproxy_cert_sign_hash sha256
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 64MB
> sslcrtd_children 8 startup=1 idle=1
>
> # for http, let's block if we're not on the whitelist
> http_access deny !http_ok http_proxy
> # for https, let's wait until step3 of the bumping, so we can replace the SSL content post-bumping
> http_access deny !https_ok step3 https_proxy
>
> # never cache anything
> cache deny all
>
> # for windows updates
> quick_abort_min -1
> range_offset_limit 0 all
>
> shutdown_lifetime 2 seconds
> connect_timeout 20 seconds
> #debug_options ALL,2
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Cats - delicious. You just do not know how to cook them.
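The SECURITY ALERT in the quoted cache.log is Squid's check that the intercepted destination address (the local= value) is one of the addresses Squid itself resolves for the host the client named; when the client and the proxy use different resolvers (8.8.8.8 versus a local bind), a CDN can hand each side a different address and the check fails even though nobody forged anything. The following is an added example, not code from the thread or from Squid: it parses the quoted log lines and re-runs that check against two resolver answer sets, where PROXY_DNS and CLIENT_DNS are constructed stand-ins rather than real lookups.

```python
import re

# Constructed sample input: the cache.log lines quoted in the thread, with the
# mail client's "<http://...>" link residue stripped out.
SAMPLE_LOG = """\
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: Host header forgery detected on local=65.54.226.150:443 remote=10.11.12.13:51984 FD 18 flags=33 (local IP does not match any domain IP)
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: By user agent:
2016/09/20 15:10:19.640 kid1| SECURITY ALERT: on URL: msdn.microsoft.com:443
"""

ALERT_RE = re.compile(r"Host header forgery detected on local=(?P<ip>[\d.]+):(?P<port>\d+)")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)")


def parse_forgery_alerts(log_text):
    """Pair each 'Host header forgery' line with the 'on URL' line after it.
    Returns [(host, local_ip, port), ...]."""
    alerts, pending = [], None
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending = (m.group("ip"), int(m.group("port")))
            continue
        m = URL_RE.search(line)
        if m and pending is not None:
            alerts.append((m.group("host"), pending[0], pending[1]))
            pending = None
    return alerts


def classify(alerts, proxy_dns, client_dns):
    """Replicate Squid's check (local IP must be one of the proxy's answers for
    the host) and say whether a client/proxy resolver split explains the alert.
    proxy_dns and client_dns map hostname -> set of addresses (hypothetical)."""
    verdicts = {}
    for host, local_ip, _port in alerts:
        if local_ip in proxy_dns.get(host, set()):
            verdicts[host] = "ok"            # Squid would not have alerted
        elif local_ip in client_dns.get(host, set()):
            verdicts[host] = "dns-split"     # client and proxy resolve differently
        else:
            verdicts[host] = "unexplained"   # neither resolver knows this address
    return verdicts


# Constructed resolver answers (TEST-NET documentation address, not real lookups):
# the proxy, via 8.8.8.8, gets a CDN address the client never saw.
PROXY_DNS = {"msdn.microsoft.com": {"203.0.113.10"}}
CLIENT_DNS = {"msdn.microsoft.com": {"65.54.226.150", "203.0.113.10"}}
```

Running the same classification with the client's answers fed in as the proxy's shows the alert disappearing, which is the effect Jok saw after moving Squid to the local bind instance.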