If a server process requests https betwen client and server, that server is a "man in the meadle",that is problem of security for customers in your network.
_______________________________________________Уведомление о конфиденциальности: это электронное сообщение и любые документы, приложенные к нему, могут содержать конфиденциальную информацию. Настоящим уведомляем Вас о том, что если это сообщение не предназначено Вам, использование, копирование или распространение информации, содержащейся в настоящем сообщении, а также осуществление любых действий на основе этой информации строго запрещено. Если Вы получили это сообщение по ошибке, пожалуйста, сообщите об этом отправителю по электронной почте и удалите это сообщение. Confidentiality notice: This e-mail transmission and any attachments included may contain confidential information. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reliance upon the content of this e-mail is strictly prohibited. If you have received this e-mail transmission in error, please notify sender by e-mail and then delete this message from your inbox.Thank you, Louis!
Is there some workaround? May be I can to put that’s kind of sites without filtering?
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of L.P.H. van Belle
Sent: Thursday, August 23, 2018 4:38 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Transparent squid configuration problem.
i noticed the following : dig caa habr.com
;; ANSWER SECTION:
habr.com. 3600 IN CAA 0 iodef "mailto:iodef@xxxxxxxx"
habr.com. 3600 IN CAA 0 issue "comodoca.com"So you cant bump this site, its protecting its certificates with a CAA/DANE dns record.
Greetz,
Louis
Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens ??????? ????????? ?????????????
Verzonden: donderdag 23 augustus 2018 15:22
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Transparent squid configuration problem.Hi! I have some problems with configuration of squid.
What I need:
http/https transparent proxy server based on Debian Stretch with some blacklisted and whitelisted domains
I’ve used many tutorials and squid.wiki through installation process and it almost work! But I have the last problem.
When I tried to connect to some websites like a https://habr.com I have got HTTP ERROR 503. Ive tried to find solution at forums but no one helped me. I know the answer is simple and its here but cannt find it by myself.
Here is my squid.conf, cache.log, access.log and iptables script.
Please help! J
Squid.conf:
dns_v4_first on
acl network src 10.84.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl blacklist dstdomain "/etc/squid/acls/social_networks.txt" # list of blocked websites here
acl CONNECT method CONNECT
http_access deny blacklist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/vproxy2.pem key=/etc/squid/ssl_cert/vproxy2.pem
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 1 second
cache.log:
Maximum Resident Size: 123312 KB
Page faults with physical i/o: 7
2018/08/23 16:19:27 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2018/08/23 16:19:27 kid1| Open FD UNSTARTED 6 DNS Socket IPv6
2018/08/23 16:19:27 kid1| Open FD READ/WRITE 7 DNS Socket IPv4
2018/08/23 16:19:27 kid1| Open FD UNSTARTED 10 IPC UNIX STREAM Parent
2018/08/23 16:19:27 kid1| Squid Cache (Version 3.5.23): Exiting normally.
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
2018/08/23 16:19:32 kid1| Service Name: squid
2018/08/23 16:19:32 kid1| Process ID 1209
2018/08/23 16:19:32 kid1| Process Roles: worker
2018/08/23 16:19:32 kid1| With 65535 file descriptors available
2018/08/23 16:19:32 kid1| Initializing IP Cache...
2018/08/23 16:19:32 kid1| DNS Socket created at [::], FD 6
2018/08/23 16:19:32 kid1| DNS Socket created at 0.0.0.0, FD 7
2018/08/23 16:19:32 kid1| Adding domain generium.corp from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.84.10.110 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Adding nameserver 10.83.10.120 from /etc/resolv.conf
2018/08/23 16:19:32 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2018/08/23 16:19:32 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2018/08/23 16:19:32 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2018/08/23 16:19:32 kid1| Store logging disabled
2018/08/23 16:19:32 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/08/23 16:19:32 kid1| Target number of buckets: 1008
2018/08/23 16:19:32 kid1| Using 8192 Store buckets
2018/08/23 16:19:32 kid1| Max Mem size: 262144 KB
2018/08/23 16:19:32 kid1| Max Swap size: 0 KB
2018/08/23 16:19:32 kid1| Using Least Load store dir selection
2018/08/23 16:19:32 kid1| Set Current Directory to /var/spool/squid
2018/08/23 16:19:32 kid1| Finished loading MIME types and icons.
2018/08/23 16:19:32 kid1| HTCP Disabled.
2018/08/23 16:19:32 kid1| Pinger socket opened on FD 16
2018/08/23 16:19:32 kid1| Squid plugin modules loaded: 0
2018/08/23 16:19:32 kid1| Adaptation support is off.
2018/08/23 16:19:32 kid1| Accepting HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=9
2018/08/23 16:19:32 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=41
2018/08/23 16:19:32 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 14 flags=41
2018/08/23 16:19:32| pinger: Initialising ICMP pinger ...
2018/08/23 16:19:32| pinger: ICMP socket opened.
2018/08/23 16:19:32| pinger: ICMPv6 socket opened
2018/08/23 16:19:32| Pinger exiting.
2018/08/23 16:19:33 kid1| storeLateRelease: released 0 objects
Accesslog:
1535030545.214 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
1535030545.442 608 10.84.77.52 TAG_NONE/200 0 CONNECT 52.4.157.193:443 - ORIGINAL_DST/52.4.157.193 -
1535030545.442 617 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.717 422 10.84.77.52 TAG_NONE/200 0 CONNECT 52.204.140.44:443 - ORIGINAL_DST/52.204.140.44 -
1535030545.879 36 10.84.77.52 TCP_MISS/204 415 POST https://www.google.ru/gen_204? - ORIGINAL_DST/64.233.162.94 text/html
1535030546.522 77 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.623 95 10.84.77.52 TAG_NONE/200 0 CONNECT 178.248.237.68:443 - ORIGINAL_DST/178.248.237.68 -
1535030546.625 0 10.84.77.52 TAG_NONE/503 382 GET https://habr.com/ - ORIGINAL_DST/178.248.237.68 text/html
Уведомление о конфиденциальности: это электронное сообщение и любые документы, приложенные к нему, могут содержать конфиденциальную информацию. Настоящим уведомляем Вас о том, что если это сообщение не предназначено Вам, использование, копирование или распространение информации, содержащейся в настоящем сообщении, а также осуществление любых действий на основе этой информации строго запрещено. Если Вы получили это сообщение по ошибке, пожалуйста, сообщите об этом отправителю по электронной почте и удалите это сообщение. Confidentiality notice: This e-mail transmission and any attachments included may contain confidential information. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reliance upon the content of this e-mail is strictly prohibited. If you have received this e-mail transmission in error, please notify sender by e-mail and then delete this message from your inbox.
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Rodrigo da Silva Cunha
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users