On 12/05/2017 08:50 AM, erdosain9 wrote:
> I block some websites (social networks).
> In Firefox, all works fine: when someone tries to go to Facebook, for example,
> they are shown "access denied" (the web page from Squid).
> But in Chrome they get this error: "net::err_cert_common_name_invalid".

Does that error match the generated certificate sent by Squid to a blocked
Chrome user? In other words, does that certificate have an invalid common
name (CN) field?

> Why??

To answer that question, I suggest comparing the following two certificates:

* the certificate sent by Squid to a blocked Firefox user
* the certificate sent by Squid to a blocked Chrome user

I also suggest comparing the following access.log entries:

* the line(s) corresponding to the blocked Firefox user request
* the line(s) corresponding to the blocked Chrome user request

The differences (if any) may help you answer the question.

HTH,

Alex.

> If all is working (they can use the internet over https without problem), why
> do they get that error with the page from Squid???
> All the users use Chrome, so this is a problem for me.
> Can somebody help me??
>
> Thanks to all!
>
> This is my config file
>
> ####IP GROUPS
> acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
>
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
> auth_param negotiate children 35 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param negotiate keep_alive on
>
> external_acl_type i-restringidos %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
> external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
> external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
>
> #GROUPS
> acl i-restringidos external i-restringidos
> acl i-full external i-full
> acl i-limitado external i-limitado
>
> ####Block advertising ( http://pgl.yoyo.org/adservers/ )
> acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
> http_access deny ads
> #deny_info TCP_RESET ads
>
> ####Streaming
> acl youtube url_regex -i \.flv$
> acl youtube url_regex -i \.mp4$
> acl youtube url_regex -i watch?
> acl youtube url_regex -i youtube
> acl facebook url_regex -i facebook
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
>
> ##Denied domains
> *acl restringidos dstdomain "/etc/squid/listas/restringidos.lst" (here is .whatsapp.com)
> *acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
>
> #Ports
> acl SSL_ports port 443
> acl SSL_ports port 4443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 20000
> acl SSL_ports port 10000
> acl SSL_ports port 2083
>
> acl Safe_ports port 631 # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 4443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 8443 # httpsalt
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # edesur and others
> acl Safe_ports port 2199 # radio
> acl CONNECT method CONNECT
>
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow sin_autenticacion
> http_access deny i-restringidos !restringidos
> http_access allow i-limitado !dominios_denegados
> http_access allow i-full !dominios_denegados
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128
> http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
>
> acl step1 at_step SslBump1
>
> acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"
>
> ssl_bump peek step1
> ssl_bump splice excludeSSL
> ssl_bump bump all
>
> #tcp_outgoing_address
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir diskd /var/spool/squid 15000 16 256
> cache_mem 500 MB
> #maximum_object_size_in_memory 1 MB
>
> cache_swap_low 70
> cache_swap_high 85
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> #Your refresh_pattern
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire override-lastmod ignore-reload ignore-no-cache ignore-no-store reload-into-ims ignore-must-revalidate
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ###ENABLE IN CASE OF "Connection reset by peer" ON MANY HOSTS
> via off
> forwarded_for delete
>
> request_header_access From deny all
> request_header_access Server deny all
> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
>
> ###
>
> #Bandwidth pools
> delay_pools 5
>
> #YouTube bandwidth
> delay_class 1 2
> delay_parameters 1 1000000/1000000 10000/100000
> delay_access 1 allow i-limitado youtube !facebook
> delay_access 1 deny all
>
> #Facebook bandwidth
> delay_class 2 2
> delay_parameters 2 1000000/1000000 50000/256000
> delay_access 2 allow i-limitado facebook !youtube
> delay_access 2 deny all
>
> #YOUTUBE FULL bandwidth
> delay_class 3 1
> delay_parameters 3 1000000/1000000
> delay_access 3 allow i-full youtube !facebook
> delay_access 3 deny all
>
> #LIMITED bandwidth
> delay_class 4 2
> delay_parameters 4 4000000/4000000 100000/500000
> delay_access 4 allow i-limitado !youtube !facebook
> delay_access 4 deny all
>
> #FULL bandwidth
> delay_class 5 2
> delay_parameters 5 4000000/4000000 500000/1000000
> delay_access 5 allow i-full !youtube !facebook
> delay_access 5 deny all
>
> dns_nameservers 192.168.1.10 192.168.1.22
> visible_hostname squid.domain.lan
>
> # try connecting to first 25 ips of a domain name
> forward_max_tries 25
>
> # fix some ipv6 errors (recommended to comment out)
> dns_v4_first on
>
>
> --
> Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
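Alex's advice above is to compare the certificate Squid presents to a blocked Firefox user with the one it presents to a blocked Chrome user. As an added example (not code from this thread or from the Squid project), the Python script below fetches the leaf certificate through the proxy with a CONNECT request and reports its subject CN and dNSName SAN entries so the two can be compared field by field; it assumes the proxy address 192.168.1.215:3128 from the posted config, and the sample certificate at the end is a constructed skeleton for offline testing.

```python
import socket, ssl

CN_OID, SAN_OID = bytes.fromhex("550403"), bytes.fromhex("551d11")  # 2.5.4.3, 2.5.29.17

def _items(buf):
    """Split buf into the DER (tag, value) pairs laid back-to-back inside it."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                       # long-form length
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def cert_names(der):
    """Return (subject common names, dNSName SAN entries) of a DER certificate."""
    tbs = _items(_items(_items(der)[0][1])[0][1])        # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0: tbs = tbs[1:]                   # skip [0] version -> serial, sigAlg, issuer, validity, subject, spki, [exts]
    cns = [_items(a)[1][1].decode("utf-8", "replace") for _, rdn in _items(tbs[4][1])
           for _, a in _items(rdn) if _items(a)[0][1] == CN_OID]
    sans, exts = [], [e for t, v in tbs[5:] if t == 0xA3 for _, e in _items(_items(v)[0][1])]
    for fields in map(_items, exts):                      # each: OID, [critical], OCTET STRING
        if fields[0][1] == SAN_OID:
            names = _items(_items(fields[-1][1])[0][1])   # GeneralNames inside the OCTET STRING
            sans += [v.decode("ascii", "replace") for t, v in names if t == 0x82]
    return cns, sans

def fetch_cert_via_proxy(proxy_host, proxy_port, server_name, timeout=10):
    """CONNECT through Squid and return the DER leaf certificate it presents."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(f"CONNECT {server_name}:443 HTTP/1.1\r\nHost: {server_name}:443\r\n\r\n".encode())
        if b" 200 " not in raw.recv(4096).split(b"\r\n", 1)[0]:
            raise RuntimeError("proxy refused CONNECT")
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inspect, do not verify
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)

def _enc(tag, body):                                      # tiny DER encoder for the sample only
    return bytes([tag, len(body)]) + body                 # short-form lengths (< 128) suffice here

def sample_cert_der():                                    # constructed, unsigned skeleton, not a real cert
    attr = lambda s: _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, s))
    san = _enc(0x30, _enc(0x06, SAN_OID) + _enc(0x04, _enc(0x30,
          _enc(0x82, b"www.facebook.com") + _enc(0x82, b"facebook.com"))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")  # version, serial, sigAlg
           + _enc(0x30, _enc(0x31, attr(b"squid-ca"))) + _enc(0x30, b"")            # issuer, validity
           + _enc(0x30, _enc(0x31, attr(b"www.facebook.com"))) + _enc(0x30, b"") + _enc(0xA3, _enc(0x30, san)))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Run `cert_names(fetch_cert_via_proxy("192.168.1.215", 3128, "www.facebook.com"))` from a client on the LAN and compare the CN and SAN lists with what each browser's certificate viewer shows for the blocked page.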