Re: How to intercept ssl_bump transparent NAT https websites

Squid 3.5.25 + Squidclamav(c-icap) + SquidGuard
Here are the logs with SSL_ERROR_RX_RECORD_TOO_LONG in Firefox by debug_options ALL,1 11,2 and 61,5
https://mega.nz/#!dIdAkYra!aVEg07Sc9OxRwYiRAPk49dwegr2r-sdX2u73btEdDVk

Here are the squid.conf & squidguard.conf
https://pastebin.com/v2LA8CcR


05/31/17 09:10:39, Andi <andreas.lauterbach76@xxxxxx>:
Thank you again,

It was all working together with the "ssl_bump server-first all" option for squidclamav(c-icap) and squidGuard 1.5 for Squid v 3.48 packages on Debian jessie.
Now after installing the new Squid 3.5.25 with splice/peek support, it's all working except for SSL websites.
I'll reproduce the SSL_ERROR_RX_RECORD_TOO_LONG in Firefox with debug_options ALL,1 11,2 and 61,5 enabled and post the full access and cache logs here.


05/31/17 02:31:42, Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 30/05/17 21:55, Andi wrote:
> Thank you for all your suggestions Mister.
>
> I improved my conf by them and disabled squidguard for testing and it's
> working now fine without squidguard.
> So I need to investigate why squidguard won't run with https sites on
> v 3.5.25
>
> squidGuard -v
> SquidGuard: 1.5 Berkeley DB 5.3.28: (September 9, 2013)
>
> How can I find out what happens between Squid, SquidGuard on Debian
> and Firefox on the client side?

The Squid<->Firefox is all HTTP so for that debug_options 11,2.
That will also show you any of the HTTP to servers if it is involved.

For the redirector debug_options 61,5



>
> I tried echo tests locally with squidguard but it only shows ERR
> results with https sites.
> Http sites are working well as expected with squidguard

I'm not entirely surprised by that. SG has not been maintained since
before Squid was handling https:// on a regular basis. So it may simply
be not able to process that type of URL.


Squid can now do a lot of what SG was useful for. But if you really
still need SG for something perhaps you should try using the ufdbguard
helper instead. It is essentially a drop-in replacement but has extra
features for a lot more modern traffic handling and has active support.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users