________________________________ > From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> >> My goal is to set up Squid so it can act as a transparent proxy for >> local clients browsing the web. It should "deny all" except traffic >> to the destination domains included in an ACL file. >> >> http_access deny intercepted !localnet >> http_access deny interceptedssl !localnet >> http_access deny !allowed_domains >> http_access allow localnet > ... >> ssl_bump stare all >> ssl_bump bump all > > You are denying fake CONNECT requests during SslBump step1. During that > step, intercepted SSL connections are represented by fake CONNECT > requests with IP addresses (not domain names). Such requests will often > match your "http_access deny !allowed_domains" rule. See "Step 1" > description at http://wiki.squid-cache.org/Features/SslPeekAndSplice > > What you probably want is to allow all reasonable fake CONNECT requests > during that step. There are several ways to do that Hi, Thanks for the explanation. I'm posting the whole squid.conf below as I wrongly left out some information in my first post. Sorry. I didn't think I would have issues with CONNECT to port 443 because I already had the default "http_access deny CONNECT !SSL_ports". However, http_access evaluation doesn't stop there; it keeps going down the list until it reaches "http_access deny !allowed_domains".
So I added the following explicit "allow" right before "deny": http_access allow CONNECT SSL_ports http_access deny !allowed_domains So here's the full config: # grep -v "^#" squid.conf | grep -v "^$" acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # SWAT acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager include /etc/squid/squid.custom.rules http_access allow localhost http_access deny all coredump_dir /var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 
0 20% 4320 # grep -v "^#" squid.custom.rules | grep -v "^$" http_port 3128 http_port 3129 tproxy https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.mydomain.org@xxxxxxxxxxxx auth_param negotiate children 60 auth_param negotiate keep_alive on auth_param basic realm ORG proxy acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl ORG_all proxy_auth REQUIRED acl explicit myportname 3128 acl intercepted myportname 3129 acl interceptedssl myportname 3130 acl interceptednormal myportname 3131 acl interceptedsslnormal myportname 3132 acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips" acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups" acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains" acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains" acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads" acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes" acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips" acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups" acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains" http_access deny restricted_ips !restricted_domains http_access deny restricted_groups !restricted_domains http_access deny denied_domains !allowed_groups !allowed_ips http_access deny CONNECT denied_domains !allowed_groups !allowed_ips http_access deny denied_ads !allowed_groups !allowed_ips http_access deny denied_filetypes 
!allowed_groups !allowed_ips http_access deny explicit !ORG_all http_access deny intercepted !localnet http_access deny interceptedssl !localnet http_access deny interceptedsslnormal !localnet http_access deny interceptednormal !localnet http_access allow CONNECT SSL_ports http_access deny !allowed_domains cache_mgr it@xxxxxxxxxxxx email_err_data on error_directory /usr/share/squid/errors/ORG append_domain .mydomain.org http_access allow localnet sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB sslcrtd_children 10 ssl_bump stare all ssl_bump bump all sslproxy_cert_error allow all always_direct allow all icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav adaptation_access squidclamav allow all include /etc/squid/squid.custom.common include /etc/squid/squid.custom.hide cache_dir diskd /var/cache/squid 100 16 256 # grep -v "^#" squid.custom.hide | grep -v "^$" httpd_suppress_version_string on dns_v4_first on via off forwarded_for off request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all 
request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all request_header_access All deny all So this setup is a mixed explicit/transparent proxy. Right now I'm focusing on the transparent part only. The goal is to allow http/https traffic to allowed_domains only and to force content analysis via ICAP (clamav) of both http and https content. The above config now seems to work and I can access sites listed in allowed_domains only. I just hope I have understood it all correctly. BTW I've seen the example at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit which suggests using: acl step1 at_step SslBump1 ssl_bump peek step1 Should I be using that instead of "ssl_bump stare all"? Which "other configuration aspects are wrong", as you put it? Are you referring to "sslproxy_cert_error allow all" or are there more?
# squid -version Squid Cache: Version 3.5.14 Service Name: squid configure options: '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=MSNT-multi-domain,NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=smb_lm' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--enable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig' Thanks, Vieri _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users