I had a FreeBSD 9.1 bridge (em0, em1) environment,
Use "pf rdr to" redirect HTTPS (port 443) packets to squid (squid 127.0.0.1:
3129)
Squid *3.3.11* ssl bump is OK.
The following is the setting of squid 3.3.11
Squid Cache: Version 3.3.11-20140220-r12672
Configure options: '--prefix = / usr / local / squid' '--sysconfdir = / etc
/ squid' '--localstatedir = / var / squid' '--datadir = / usr / share /
squid' Enable-icap-client '' --enable-ssl '' --with-pthreads ''
--enable-pf-transparent '' --enable-ssl-crtd '' --enable-ecap ''
PKG_CONFIG_PATH = / usr / Local / lib / pkgconfig '--enable-ltdl-convenience
Recently in order to allow squid can signing generated sha256 certificates
,
upgrade squid to 3.5.24 version.
But ssl bump * is not OK *
Access.log always appears the following message:
1495699856.074 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495699857.720 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.054 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.717 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.060 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.354 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
*Need to adjust which part of the settings?*
The following is my settings:
Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
--enable-ltdl-convenience
------------
squid.conf
------------
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all
# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M
10MB
sslcrtd_children 5
# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidAfter all
sslproxy_flags DONT_VERIFY_PEER
----------------------------------------
pf.conf
---------------------------------------
#internal interface
int_if = '{em1}'
# Normalization: reassemble fragments resolve or reduce traffic ambiguities.
scrub in all
set skip on lo0
#sslTP rdr setting
rdr_from = 'any'
rdr_to = 'any;
rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 ->
127.0.0.1 port 3129
pass in all no state
pass out all no state
pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any
keep state
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-ssl-bump-intercept-TCP-DENIED-200-on-bridge-mode-tp4682712.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
