Hi
I installed Squid 3.5.25 on Debian, together with libecap3.
Now my old squid.conf from v3.48 no longer works for redirected HTTPS
websites.
I get SSL_ERROR_RX_RECORD_TOO_LONG in Firefox.
Previously I redirected them with Shorewall, and that worked with v3.48:
#SQUID-PORTS
REDIRECT loc 3140 tcp https - !192.168.1.254
REDIRECT loc 3139 tcp www - !192.168.1.254
If I change https_port to http_port and remove the intercept option, ssl_bump
works for clients explicitly configured to use that port, even for the Gmail
website.
What do I need to change to make Squid 3.5 work transparently?
squid -v
Squid Cache: Version 3.5.25
Service Name: squid
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.'
'--datadir=/share/squid' '--sysconfdir=/etc/squid' '--disable-ipv6'
'--with-default-user=proxy' '--with-logdir=/var/log/squid35'
'--with-pidfile=/var/run/squid35.pid' '--with-openssl' '--enable-ssl-crtd'
'--infodir=/share/info' '--includedir=/include' '--mandir=/usr/share/man'
'--enable-inline' '--disable-arch-native' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-filedescriptors=65536' '--with-large-files' '--enable-linux-netfilter' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'
cat /etc/squid/squid.conf:
debug_options ALL,6
#0 26,2 83,2 33,2 17,2 44,2
logformat datetime %tl %6tr CLIENT:%>a = = %Ss %<Hs %rm=%>ru --%[un %Sh/%<a %mt
access_log /var/log/squid35/access.log datetime
forwarded_for on
error_directory /usr/share/squid/errors/de-de/
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_reply_access allow all
http_access deny all
icp_access allow localnet
icp_access deny all
### NEW for v3.5x SSL-Bump ###
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump splice localhost
#acl exclude_sites ssl::server_name_regex -i "/var/lib/squidguard/db/BL/whitelist-ssl/whitelist.destdomainlist"
ssl_bump peek step1 all
#ssl_bump splice exclude_sites
ssl_bump stare step2 all
ssl_bump bump all
#############################
http_port 0.0.0.0:3138
http_port 0.0.0.0:3139 intercept
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
https_port 0.0.0.0:3140 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/myca.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_capath /etc/ssl/certs
##sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 16MB
sslcrtd_children 10
cache_dir ufs /etc/squid/ssl_db 100 16 256
cache_mgr admin@mainrouter
visible_hostname xxx
httpd_suppress_version_string on
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user proxy
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
cache_effective_group proxy
dns_nameservers 8.8.8.8
########## END of squid.conf#######################
If I run "squid -NYCd1" as root I get:
root@Router:/# squid -NYCd1
2017/05/28 16:07:54| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
2017/05/28 16:07:54.922| Set Current Directory to /var/spool/squid
2017/05/28 16:07:54.922| Starting Squid Cache version 3.5.25 for
x86_64-pc-linux-gnu...
2017/05/28 16:07:54.922| Service Name: squid
2017/05/28 16:07:54.922| Process ID 25773
2017/05/28 16:07:54.922| Process Roles: master worker
2017/05/28 16:07:54.922| With 65536 file descriptors available
2017/05/28 16:07:54.922| Initializing IP Cache...
2017/05/28 16:07:54.924| DNS Socket created at 0.0.0.0, FD 9
2017/05/28 16:07:54.924| Adding nameserver 8.8.8.8 from squid.conf
2017/05/28 16:07:54.924| helperOpenServers: Starting 5/5 'ssl_crtd'
processes
2017/05/28 16:07:54.949| helperOpenServers: Starting 0/20 'squidGuard'
processes
2017/05/28 16:07:54.949| helperOpenServers: No 'squidGuard' processes
needed.
2017/05/28 16:07:55.007| Logfile: opening log
/var/log/squid35/access.log
2017/05/28 16:07:55.007| WARNING: log name now starts with a module name.
Use 'stdio:/var/log/squid35/access.log'
2017/05/28 16:07:55.270| Unlinkd pipe opened on FD 25
2017/05/28 16:07:55.274| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2017/05/28 16:07:55.275| Store logging disabled
2017/05/28 16:07:55.275| Swap maxSize 102400 + 262144 KB, estimated 28041
objects
2017/05/28 16:07:55.275| Target number of buckets: 1402
2017/05/28 16:07:55.275| Using 8192 Store buckets
2017/05/28 16:07:55.275| Max Mem size: 262144 KB
2017/05/28 16:07:55.275| Max Swap size: 102400 KB
2017/05/28 16:07:55.277| Rebuilding storage in /etc/squid/ssl_db (clean
log)
2017/05/28 16:07:55.277| Using Least Load store dir selection
2017/05/28 16:07:55.277| Set Current Directory to /var/spool/squid
2017/05/28 16:07:55.691| Finished loading MIME types and icons.
2017/05/28 16:07:55.693| HTCP Disabled.
2017/05/28 16:07:55.696| Pinger socket opened on FD 32
2017/05/28 16:07:55.698| Squid plugin modules loaded: 0
2017/05/28 16:07:55.698| Adaptation support is on
2017/05/28 16:07:55.701| Accepting HTTP Socket connections at local=0.0.0.0:3138 remote=[::] FD 28 flags=9
2017/05/28 16:07:55.702| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3139 remote=[::] FD 29 flags=41
2017/05/28 16:07:55.702| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3140 remote=[::] FD 30 flags=41
2017/05/28 16:07:57.157| Store rebuilding is 84.50% complete
2017/05/28 16:07:57.432| Done reading /etc/squid/ssl_db swaplog (4733
entries)
2017/05/28 16:07:57.432| Finished rebuilding storage from disk.
2017/05/28 16:07:57.432| 4733 Entries
scanned
2017/05/28 16:07:57.432| 0
Invalid entries.
2017/05/28 16:07:57.432| 0
With invalid flags.
2017/05/28 16:07:57.432| 4733 Objects
loaded.
2017/05/28 16:07:57.432| 0
Objects expired.
2017/05/28 16:07:57.432| 0
Objects cancelled.
2017/05/28 16:07:57.432| 0
Duplicate URLs purged.
2017/05/28 16:07:57.432| 0
Swapfile clashes avoided.
2017/05/28 16:07:57.432| Took 2.16 seconds (2196.06
objects/sec).
2017/05/28 16:07:57.432| Beginning Validation Procedure
2017/05/28 16:07:57.801| Completed Validation Procedure
2017/05/28 16:07:57.801| Validated 4732 Entries
2017/05/28 16:07:57.801| store_swap_size = 92108.00 KB
2017/05/28 16:07:59.557| storeLateRelease: released 0 objects
2017/05/28 16:07:59.706| Starting new redirector helpers...
2017/05/28 16:07:59.706| helperOpenServers: Starting 1/20 'squidGuard'
processes
2017/05/28 16:07:59.739| Starting new redirector helpers...
2017/05/28 16:07:59.739| helperOpenServers: Starting 1/20 'squidGuard'
processes
2017/05/28 16:07:59.756| abandoning local=104.86.49.182:443 remote=192.168.1.8:41991 FD 19 flags=33
.....
2017/05/28 16:08:11.844| abandoning local=104.86.40.45:443 remote=192.168.1.8:42080 FD 80 flags=33
^C  <<< stopped manually here
2017/05/28 16:08:14| Preparing for shutdown after 50 requests
2017/05/28 16:08:14| Waiting 0 seconds for active connections to finish
2017/05/28 16:08:14| Closing HTTP port 0.0.0.0:3138
2017/05/28 16:08:14.101| Closing HTTP port 0.0.0.0:3139
2017/05/28 16:08:14.101| Closing HTTPS port 0.0.0.0:3140
2017/05/28 16:08:14.101| Closing Pinger socket on FD 32
2017/05/28 16:08:15.114| Shutdown: NTLM authentication.
2017/05/28 16:08:15.114| Shutdown: Negotiate authentication.
2017/05/28 16:08:15.114| Shutdown: Digest authentication.
2017/05/28 16:08:15.114| Shutdown: Basic authentication.
2017/05/28 16:08:15.115| Shutting down...
2017/05/28 16:08:15.597| Closing unlinkd pipe on FD 25
2017/05/28 16:08:15.597| storeDirWriteCleanLogs: Starting...
2017/05/28 16:08:15.600| Finished. Wrote 4733
entries.
2017/05/28 16:08:15.600| Took 0.00 seconds (1619226.82
entries/sec).
2017/05/28 16:08:15.600| Logfile: closing log
stdio:/var/log/squid35/access.log
2017/05/28 16:08:15.600| Open FD UNSTARTED 0
stdin
2017/05/28 16:08:15.600| Open FD UNSTARTED 1
stdout
2017/05/28 16:08:15.600| Open FD UNSTARTED 2
stderr
2017/05/28 16:08:15.600| Open FD READ/WRITE 9 DNS Socket
IPv4
2017/05/28 16:08:15.600| Open FD UNSTARTED 10 ssl_crtd
#1
2017/05/28 16:08:15.600| Open FD UNSTARTED 12 ssl_crtd
#2
2017/05/28 16:08:15.600| Open FD UNSTARTED 14 ssl_crtd
#3
2017/05/28 16:08:15.600| Open FD READ/WRITE 15 127.0.0.1
2017/05/28 16:08:15.600| Open FD UNSTARTED 16 ssl_crtd
#4
2017/05/28 16:08:15.600| Open FD UNSTARTED 18 ssl_crtd
#5
2017/05/28 16:08:15.600| Open FD READ/WRITE 24 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE 26 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE 27 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE 31 squidGuard
#1
2017/05/28 16:08:15.600| Open FD READ/WRITE 33 squidGuard
#1
2017/05/28 16:08:15.600| Open FD READ/WRITE 53 127.0.0.1
2017/05/28 16:08:15.608| Squid Cache (Version 3.5.25): Exiting
normally.