Search squid archive

Cache cellphone

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm trying to setup squid for my wifi which mainly for cell phones and tv box with ssl-bump for the sake of bandwidth saving and my kids protection. Is it posible for squid to directly inject root CA as per request by applications? As i found hardly to setup my root ca to cellphone apps. I had tried install using user credentiall setup but its still failed and impossible for me to reflash the android os just to install the CA cert into the trusted credentialls table. I had try ssl_bump option combination with no luck, peek and bump produce alot of handshake errors. Here's my squid.conf, just guide me to the right way.

###################################################
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3127 intercept
https_port 10.0.1.2:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem

#############################################################
# tproxy setting
# ausearch -c 'squid' --raw | audit2allow -M my-squid
# semodule -i my-squid.pp
#http_port 10.0.1.2:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
http_port 10.0.1.2:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir aufs /var/spool/squid 5000 100 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
strip_query_terms off

# semanage fcontext -a -t FILE_TYPE 'index.txt'
# #where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec
# # Then execute:
#restorecon -vr 'index.txt'
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/myca.pem
#sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cafile /etc/squid/ssl_cert/myca.pem
sslproxy_cipher EECDH+ECDSA+AESGCM:E$

acl step1 at_step sslbump1
acl step2 at_step sslbump2
acl step3 at_step sslbump3

ssl_bump stare step1
ssl_bump peek step2
ssl_bump bump step3

# When a peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI
# (if any). When a peek rule matches during step 2, Squid proceeds to step3 where it parses the TLS Server Hello
# and extracts server certificate while preserving the possibility of splicing the client and server connections;
# peeking at the server certificate usually precludes future bumping (see Limitations).
#ssl_bump peek all

# When a stare rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI
# (if any). When a stare rule matches during step2, Squid proceeds to step3 where it parses the TLS Server Hello and extracts
# server certificate while preserving the possibility of bumping the client and server connections; staring at the server
# certificate usually precludes future splicing (see Limitations).
#ssl_bump stare all

# Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in
# between. Step 1, 2 and sometime 3
#ssl_bump splice all

# Establish a TLS connection with the server (using client SNI, if any) and establish a TLS connection with the client
# (using a mimicked server certificate). However, this is not what actually happens right now if a bump rule matches during
# step1.
#ssl_bump bump all

# Close client and server connections.
#ssl_bump terminate all

acl ARCHIEVES url_regex -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)*
acl PICS url_regex -i \.(gif|png|jp?g|ico|bmp|tiff?)*
acl MOVIES url_regex -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd|ism?)*
acl FILES url_regex -i \.(html|htm|css|js)*
acl IDXS url_regex -i \.index.(html|htm)*
acl GV url_regex -i \.googlevideo\.com*

#never_direct allow ARCHIEVES
#never_direct allow PICS
#never_direct allow MOVIES
#never_direct allow FILES
#never_direct allow IDXS

cache allow ARCHIEVES
cache allow PICS
cache allow MOVIES
cache allow FILES
cache allow IDXS
cache allow GV

#never_direct deny alldst
#always_direct allow alldst

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)*      0       20%     2880
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)* 10080 95% 43200
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)* 10080 90% 43200
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)* 43200 95% 432000
refresh_pattern -i \.(html|htm|css|js)* 1440 75% 40320
refresh_pattern -i \.index.(html|htm)* 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.googlevideo\.com* 43200 95% 432000
refresh_pattern . 1440 90% 10080

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB

dns_nameservers 10.0.1.2 192.168.19.2
visible_hostname ws1.ebedsat.net
shutdown_lifetime 3 second
via off
forwarded_for off

logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log logaccess

#
# Add any of your own refresh_pattern entries above these.
#
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux