On 8/03/19 1:35 am, dkanejs wrote:
> Thanks for the reply and apologies my post didn't include the HTML fragments:
>
> Configuration:
>
> ./configure \
>   --enable-ssl \
>   --enable-ssl-crtd \
>   --with-openssl \
>   --disable-arch-native \
>   --prefix=/usr \
>   --localstatedir=/var \
>   --sysconfdir=/etc/squid \
>   --libexecdir=/usr/lib/squid \
>   --datadir=/usr/share/squid \
>   --with-default-user=proxy \
>   --with-logdir=/var/log/squid \
>   --with-pidfile=/var/run/squid.pid
>
> Squid configuration:
>
> visible_hostname squid
> http_port 3128
> acl whitelist dstdomain .example.com
> http_access allow whitelist

You are missing the default security protections against DoS and some other attack types. Please leave those Safe_ports and SSL_ports access lines in place and put your custom rules after them.

> https_port 3129 cert=/etc/squid/squid.pem
>   options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
>   cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>   ssl-bump intercept

The NAT 'intercept' mode flag needs to be second, right after the port number. The 'ssl-bump' flag should go before the cert= option so the right types of cert are loaded. Without this ordering Squid-4 cannot warn you about cert type errors (if any).

The "NO_SSLv2" is invalid. As of Squid-4 all options relating to SSLv2 are no longer supported in any way.

> acl SSL_port port 443
> http_access allow SSL_port
> acl CONNECT method CONNECT

"CONNECT" ACL is now a built-in. You do not have to define it.

> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 whitelist
> ssl_bump splice step3 whitelist
> ssl_bump terminate step2 all

The use of the "all" ACL in the above lines does nothing but confuse people.

Please also be aware the 'whitelist' ACL will not match reliably in a TLS handshake because TLS does not have HTTP message URLs - thus no URL domain name.

That means you should expect to see only terminated TLS handshakes with this config. Anything actually being accepted and responded to would be the anomaly.

I think what you need is probably this:

  ssl_bump peek all
  acl tls_whitelist ssl::server_name .example.com
  ssl_bump splice step3 tls_whitelist
  ssl_bump terminate all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
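A squid.conf that applies every point raised in the reply above, added here as an example and not taken from either message in the thread; it assumes the same ports, cert path and .example.com allow-list as the original post, and that Squid-4 is in use.

```conf
# Added example: the original squid.conf rewritten with the corrections from the reply.
# Assumes the cert path, ports and .example.com allow-list from the original post (Squid-4).

visible_hostname squid

# Keep the stock Safe_ports / SSL_ports protections from the default squid.conf
# and put custom rules AFTER them. CONNECT is a built-in ACL; do not redefine it.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Custom HTTP rules go after the defaults; the final deny makes the implicit default explicit.
acl whitelist dstdomain .example.com
http_access allow whitelist
http_access deny all

http_port 3128

# 'intercept' directly after the port number, 'ssl-bump' before cert= so the cert type
# is checked at load time. NO_SSLv2 removed: Squid-4 does not recognise any SSLv2 option.
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# A TLS handshake carries no HTTP URL, so match on the TLS server name (SNI / certificate)
# rather than on the dstdomain 'whitelist' ACL. Only step3 needs an at_step ACL here.
acl step3 at_step SslBump3
acl tls_whitelist ssl::server_name .example.com

ssl_bump peek all
ssl_bump splice step3 tls_whitelist
ssl_bump terminate all
```

Run `squid -k parse` against the file before reloading; with the corrected https_port ordering Squid-4 reports certificate type problems at that stage rather than silently at runtime.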