Sorry guys,
I was in too much of a hurry.
It doesn't work.
I had just passed through NAT; I forgot to enable the proxy in the browser.
So I will dig deeper.

Thu, 18 Oct 2018 at 18:03, Timur Lagutenko <timur.lagutenko@xxxxxxxxx>:

Dear friends,
I have good news!
I upgraded my openssl package from openssl-1.0.2 up to openssl111 (FreeBSD 11.2).
This action has resolved the issues with youtube.com and some other sites.
Now everything works perfectly.
Thank you very much for your attention!
Best regards!

Wed, 17 Oct 2018 at 10:37, Timur Lagutenko <timur.lagutenko@xxxxxxxxx>:

I will try a fresh installation of FreeBSD 11.2-RELEASE
and see how it works.
Maybe something was corrupted during the upgrade.
Just FYI, please look at my pf.conf and squid.conf:

# cat /etc/pf.conf
outif=re0 #outer interface
inif=re1 #inner interface
outip="(" $outif ")" #outer ip
inip="(" $inif ")" #inner ip
innw=$inif:network #inner network
inbc=$inif:broadcast #inner broadcast
bc="255.255.255.255" #anycast
set skip on lo0
set block-policy drop
scrub in all
nat on $outif from $innw to any -> $outip
rdr on $inif proto {tcp,udp} from $innw to any port 123 -> $inip port 123
block log all
pass from $innw to $innw
# this is my machine client ip
# i have allowed full access from my PC
pass from 192.168.0.104 to any
# these 2 lines pass any traffic from the gateway itself
pass from $outip to any
pass from $inip to any
# i don't know why but option "set skip on lo0" doesn't work
# so i additionally pass the whole traffic through the loopback interface
pass on lo0 from any to any
###########################################################################

# cat /usr/local/etc/squid/squid.conf
visible_hostname "Squid on freebsd"
acl localnet src 192.168.0.0/20 # RFC1918 possible internal network
shutdown_lifetime 5 seconds
access_log daemon:/var/log/squid/access.log squid
acl SSL_ports port 1-65535
acl Safe_ports port 1-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet manager
http_access deny manager
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl baddom dstdomain ardownload.adobe.com agsupdate.adobe.com \
acl bdx dstdom_regex -n -i porn
http_access deny bdx
http_access deny baddom
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.0.254:3128
# in future i have plans for port 3129
# for now it is simply listening on an additional port
http_port 192.168.0.254:3129
cache_dir ufs /var/squid/cache 10240 8 16
maximum_object_size 4096 MB
coredump_dir /var/squid/cache
quick_abort_min -1 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/) 0 0% 0
refresh_pattern . 0 20% 4320

Wed, 17 Oct 2018 at 10:06, Amos Jeffries <squid3@xxxxxxxxxxxxx>:

On 17/10/18 5:17 PM, Timur Lagutenko wrote:
> I'm sure that the issue is not related to firewall rules,
> because if I pass traffic from the client IP (using NAT, browser is not
> configured to use the proxy) it works.
Ah, you said earlier that you did not have SSL-Bump features enabled.
How are you intercepting the port 443 HTTPS traffic with NAT and
converting it to port 80 or 3128 syntax HTTP for Squid to handle?
Squid cannot MITM the "raw" port 443 TLS without SSL-Bump being configured.
Also since it is a Google service it may not be using TCP port 443 at
all. It may actually be performing their QUIC protocol instead of HTTPS.
That has to be blocked entirely to be sure the proxy is actually
receiving all the relevant traffic.
> I think it is related to some SSL/TLS lib in the system.
> Because today I've tried a CLI browser - links.
> Launching it directly from the gateway (which has direct access to the web), I
> was able to browse any site in text mode.
> Except youtube.
> So I guess it is related to some missing ssl lib.
> Could you please suggest how I can find all required libs for my squid?
>
If Squid starts without crashing, the libs it has been compiled to use
are present on your machine.
If you built it yourself on the same machine, it only uses library
features that machine had at the time of the build - so maybe a rebuild is
needed to get access to newer library features.
When it comes to TLS though the library itself is doing the config parse
and setup for crypto things. So Squid does not particularly need to even
be configured to use features the library enables by default. Which
usually includes the current industry-standard ciphers etc.
If Squid accepts your config file and does not produce an ERROR or FATAL
message when you run "squid -k parse" all the libs required to run your
config have been compiled in and loaded.
> # squid -v
> Squid Cache: Version 3.5.28
> Service Name: squid
>
> This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
Your problem may be TLS/1.3 related. OpenSSL 1.0.* only supports a max
of TLS/1.2. Squid-3.5 also only supports OpenSSL 1.0.* library.
AFAIK, Google are one of the organizations heavily pushing TLS changes
and bias their services towards forcing the latest crypto whenever they
can. It is strange that others have not reported issues en masse, so this
is somewhat unlikely.
Other admins mentioning similar behaviour with YouTube have turned out to
have TLS restrictions that pretty much prohibit the weaker crypto Google
services still allow and only let the very advanced ones (not supported
by their Squid) work.
But also those restrictions were done via SSL-Bump configs. Since you
don't use SSL-Bump it is unlikely to be the same - which leaves us only
with the network/firewall level issues as known things to look at.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
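Two offline checks for the two things Amos points at in this thread, added here as an example and not code from the thread or the Squid project: reading the OpenSSL version out of "squid -v" output to see whether that library can negotiate TLS 1.3 at all (the upgrade from 1.0.2 to 1.1.1 that fixed Timur's case), and checking whether a pf ruleset drops UDP 443 so that QUIC cannot bypass the proxy. The "squid -v" text and pf.conf fragments are constructed samples modelled on the ones posted; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. (1) Map the OpenSSL version a Squid
# binary was built against to the newest TLS protocol that library speaks.
# (2) Check whether a pf.conf has a rule dropping UDP 443 (QUIC).

# Constructed copy of the "squid -v" output quoted in the thread.
SAMPLE_SQUID_V='Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html'

# Print the OpenSSL version token (e.g. 1.0.2p) from "squid -v" text on stdin.
openssl_version_from_squid() {
    sed -n 's/.*uses OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Highest TLS protocol an OpenSSL release implements:
# 1.1.1 and 3.x add TLS 1.3; 1.0.1 through 1.1.0 stop at TLS 1.2.
max_tls_for_openssl() {
    case "$1" in
        3.*|1.1.1*)           echo "TLS1.3" ;;
        1.1.0*|1.0.2*|1.0.1*) echo "TLS1.2" ;;
        1.0.0*|0.9.8*)        echo "TLS1.0" ;;
        *)                    echo "unknown" ;;
    esac
}

# One-line verdict for "squid -v" text on stdin; fails if no version is found.
squid_tls_report() {
    v=$(openssl_version_from_squid)
    [ -n "$v" ] || { echo "no OpenSSL version found"; return 1; }
    echo "OpenSSL $v: newest protocol $(max_tls_for_openssl "$v")"
}

# Constructed pf.conf fragments: the first, modelled on the posted one, only
# NATs traffic out, so a browser's QUIC (UDP 443) never reaches Squid; the
# second adds the drop rule that makes clients fall back to TCP.
PF_ORIGINAL='nat on $outif from $innw to any -> $outip
block log all
pass from 192.168.0.104 to any'
PF_FIXED='nat on $outif from $innw to any -> $outip
block drop quick on $inif proto udp from $innw to any port 443
block log all
pass from 192.168.0.104 to any'

# Exit 0 when a pf ruleset on stdin contains a block rule for UDP port 443.
pf_blocks_quic() {
    grep -Eq '^[[:space:]]*block[^#]*proto[[:space:]]+udp[^#]*port[[:space:]]+443'
}
```

On a live gateway, `squid -v | squid_tls_report` and `pf_blocks_quic < /etc/pf.conf` give the two answers directly; a pf rule written with `proto { tcp, udp }` is not recognised by this simple pattern.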