On 17/08/17 20:18, hoje wrote:
Hi,
I have setup a squid server (squid-3.5.26-20170702-r14182) to filter
http/https. It was working fine with up to 90 users except one thing. Few
PCs would not be able connect to https sites (e.g google,yahoo,facebook)
intermittently. By clearing SSL State in user PCs (Windows->Control
Panel->Internet Properties) , it helps sometime (sometime not). Please
advice. Thank you.
This is <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>.
Google domains have issues due to their large numbers of DNS entries and
rotating in and out of view. The workarounds listed at the bottom of
that page may be of some use to reduce the problem, but unfortunately it
is not yet completely resolvable.
There are also some improvements you can make to the config below.
my squid setup
----------------
(WAN)---(router)---(linux+bridge+squid)---(user)
e.g access.log
---------------
1502955689.139 0 10.40.21.24 TAG_NONE/409 4088 CONNECT
www.google.com:443 - HIER_NONE/- text/html
my squid.conf
---------------
max_filedesc 65535
dns_v4_first on
request_timeout 5 minutes
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:3128 intercept
http_port 0.0.0.0:3130
https_port 0.0.0.0:3129 intercept ssl-bump connection-auth=off
cert=/etc/squid/squidCA.pem
Add the option sslflags=NO_DEFAULT_CA
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
Remove these 3 lines. They are either old hacks no longer necessary, or
outright wrong for use.
You may see some TLS/SSL errors occuring after removing. Look into those
issues carefully and use an appropriate fix for the problems you see.
The above is not a fix.
acl test ssl::server_name "/etc/squid/test.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate test
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
cache_dir ufs /var/spool/squid 15360 16 256
cache_swap_low 87
cache_swap_high 90
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_program /usr/bin/squidGuard
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Replace both the above lines with this line (mind the wrap):
url_rewrite_program /usr/bin/squidGuard -c
/etc/squidguard/squidGuard.conf
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
