On 8/04/19 9:34 pm, Antony Stone wrote:
> Hi.
>
> I'm replying in the original thread, to keep this conversation together in the
> archives etc.
>
> On Monday 08 April 2019 at 11:15:00, Wegner Michaël wrote:
>
>> Hi Antony,
>>
>> The video is OK if I do not use squid v3.5.
>
> So, it's not Youtube blocking that particular video in your country etc.
>
>> If on the squid.conf file I disabled redirection on squidguard the problem
>> is the same.
>
> Okay, we can disregard SquidGuard as being the problem, then.
>
>> If squid is activated, some videos are blocked, (the videos in
>> restricted mode)
>
> That tells us it's your Squid configuration which is causing the problem.
>
>> With an old version of squid (2.6) there are no problems
>
> There are a *lot* of differences between Squid 2.6 and 3.5, especially for
> HTTPS. You *have* made suitable adjustments to the configuration file, I hope?
>
>
> Antony.
>
> -----Original Message-----
> From: Wegner Michaël
> Sent: Monday 8 April 2019 11:15
>
> Hi Antony,
>
> The video is OK if I do not use squid v3.5.
> If on the squid.conf file I disabled redirection on squidguard the problem is the same.
> If squid is activated, some videos are blocked, (the videos in restricted mode)
> With an old version of squid (2.6) there are no problems
>
> Regards,
>
> Hi,
>
> I install a new squid server version 4.6 without squidguard and access allow all.
> I set the ssl and I import certificate on the client but without success.
>
> My squid.conf is :
> ...
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> include /etc/squid/conf.d/*

Do you have any config files in that directory? If so, please post their
content too.

>
> #http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> #http_access deny all
> http_access allow all
>

Allowing anyone to send traffic through your proxy without limitation is
*not* a good idea.

Now that you confirmed it makes no difference, please remove again to
avoid it adding complications.

If an error was showing up before to make you think this was a
possibility, we will need to see that message please.

>
> http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /opt/squid/log/squid/ssl_db -M 4MB
> coredump_dir /opt/squid/var/cache/squid
> cache_dir ufs /opt/squid/var/cache/squid 1000 16 256 # 1GB as Cache
>

So you have "ssl-bump" and related settings on the port. This means that
Squid will attempt to decrypt the TLS/SSL traffic arriving in that
port's CONNECT requests.

However, there is no sign of any ssl_bump access controls. Which means
your Squid will *not* do the decryption.

This config should act exactly as if you had not specified ssl-bump at
all. The TLS/SSL inside a CONNECT tunnel is between the client and
origin server directly - exactly as if the proxy was not there.

PS. One thing to be aware of though is that YouTube being a Google
property is pushing use of newer protocols like HTTP/2, HTTP/3 and QUIC.
You may find that the traffic is not going over TCP at all or being
detected as an unsupported protocol. That latter would produce error
responses - Squid-4 has
<http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to work
around that.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
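
An added example, not part of the original thread and not code from the Squid project: a small Python check that flags the two conditions raised in the reply above, an `ssl-bump` port with no `ssl_bump` rules and an active `http_access allow all`. The function names and `SAMPLE_CONF` are constructed for illustration (the sample reuses the directives quoted in the thread), and `include` targets are only reported, not read.

```python
# Constructed sample: the active and commented directives quoted in the thread.
SAMPLE_CONF = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
#http_access allow localnet
http_access allow localhost
#http_access deny all
http_access allow all
http_port 3128 ssl-bump cert=/opt/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /opt/squid/log/squid/ssl_db -M 4MB
"""

def directives(text):
    """Yield (line_no, name, args) for every active (uncommented) directive."""
    for no, raw in enumerate(text.splitlines(), 1):
        # Simplification (assumption): '#' starts a comment anywhere on a line.
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield no, name, args

def audit(text):
    """Return sorted (line_no, message) findings for a squid.conf text."""
    items = list(directives(text))
    findings = []
    # Ports that carry the ssl-bump flag.
    bump_ports = [(no, args) for no, name, args in items
                  if name in ("http_port", "https_port") and "ssl-bump" in args]
    has_rules = any(name == "ssl_bump" for _, name, _ in items)
    if not has_rules:
        for no, args in bump_ports:
            findings.append((no, "port %s has ssl-bump but there are no "
                                 "ssl_bump rules: nothing is decrypted" % args[0]))
    for no, name, args in items:
        if name == "http_access" and args == ["allow", "all"]:
            findings.append((no, "http_access allow all: any client may use the proxy"))
        if name == "include":
            # Included files can add ssl_bump or http_access rules of their own.
            findings.append((no, "include %s: contents not audited here" % args[0]))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print("line %d: %s" % (no, msg))
```
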