On 19/05/19 3:47 pm, Ebed wrote:
> I'm trying to set up squid for my wifi, which is mainly for cell phones and
> a tv box, with ssl-bump for the sake of bandwidth saving and my kids'
> protection. Is it possible for squid to directly inject the root CA as per
> request by applications?

No. If the clients do not trust your root CA there is nothing Squid can do to make them. TLS is designed to prevent that type of trivial attack.

Your ssl_bump config looks a bit suspicious though. Doing peek at step2 should prevent bump from being possible at step3. You might have better behaviour by swapping the peek and stare order. To be "peek step1" then "stare step2".

> As I found it hard to set up my root CA for
> cellphone apps. I had tried installing it using the user credential setup but it
> still failed, and it is impossible for me to reflash the Android OS just to
> install the CA cert into the trusted credentials table. I have tried
> ssl_bump option combinations with no luck; peek and bump produce a lot of
> handshake errors. Here's my squid.conf, just guide me to the right way.
>

Look at what those errors are saying. That should lead you towards fixing them.

Also, what version of Squid are you using? There seems to be a jumbled mix of old and new settings in this config file.

...
> https_port 10.0.1.2:3127 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem
>
> #############################################################
> # tproxy setting
> # ausearch -c 'squid' --raw | audit2allow -M my-squid
> # semodule -i my-squid.pp
...
> http_port 10.0.1.2:3128 ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem
>
...
> cache_dir aufs /var/spool/squid 5000 100 256
>
...
> cache_mem 8 MB
> maximum_object_size_in_memory 32 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> maximum_object_size 128000 KB
> cache_swap_low 95
> cache_swap_high 99
> strip_query_terms off
>
...
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/myca.pem
...
> sslproxy_cafile /etc/squid/ssl_cert/myca.pem
> sslproxy_cipher EECDH+ECDSA+AESGCM:E$
>

NP: the missing part of the above cipher setting may give clues to some of those handshake errors. Squid will have problems connecting to any server which requires a cipher not in that list.

...
>
> ssl_bump stare step1
> ssl_bump peek step2
> ssl_bump bump step3
>
...
>
> acl ARCHIEVES url_regex -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)*

This regex pattern matches every URL that contains a "." _anywhere_ in the URL. For example any URL which has a domain name. The 3-letter part is optional (due to "*" suffix).

...
>
> cache allow ARCHIEVES

ARCHIEVES will always match. So the following "cache" rules are pointless.

...
>
> request_header_access From deny all
> request_header_access Server deny all

Server is a reply header. This line does nothing.

> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all

You are using "via off" setting. Which makes the above rule pointless.

> request_header_access X-Forwarded-For deny all

Use "forwarded_for delete" instead of the above line and "forwarded_for off" you have later.

> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
>

NP: Pragma, WWW-Authenticate, Cache-Control and Link will do nothing useful and actively break HTTP going through this proxy. You had best remove those lines.

The Proxy-Connection and Keep-Alive headers are hop-by-hop and deprecated in HTTP/1.1. Which means any current Squid *always* removes them. You do not need rules to make that happen.

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)* 0 20% 2880

The above is equivalent to:
  refresh_pattern . 0 20% 2880

Which means the following regex rules are pointless.

...
> via off
> forwarded_for off
>
> logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
> access_log daemon:/var/log/squid/access.log logaccess
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
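Added check, not part of the thread above: the two regex problems Amos points out (the `ARCHIEVES` url_regex whose trailing `*` makes the extension group optional, and the `refresh_pattern` whose nested `*` quantifiers match the empty string) can both be demonstrated offline by emulating Squid's case-insensitive, unanchored `url_regex -i` search in Python. The sample URLs are constructed for this example, and the "fixed" archive pattern is my own suggestion, not something from the thread: it requires the extension to be present and to end the path (optionally followed by a query string), and it reads `doc?`/`xls?`/`ppt?` as the probably intended `docx?`/`xlsx?`/`pptx?`.

```python
import re

# Pattern copied from the posted "acl ARCHIEVES url_regex -i ..." line.
# The trailing "*" allows zero repetitions of the extension group, so the
# expression reduces to "\." and matches any URL containing a dot.
POSTED_ARCHIVES = (
    r"\.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z"
    r"|doc?|xls?|ppt?|pdf|nth|psd|sis)*"
)

# Pattern copied from the posted "refresh_pattern (Release|Packages(.gz)*)*"
# line. Both "*" quantifiers permit an empty match, so it matches every URL,
# exactly as "refresh_pattern . ..." would.
POSTED_REFRESH = r"(Release|Packages(.gz)*)*"

# Suggested replacement (assumption, not from the thread): the extension must
# be present and must end the URL path, optionally followed by "?query".
# "doc?", "xls?", "ppt?" are read as intended "docx?", "xlsx?", "pptx?".
FIXED_ARCHIVES = (
    r"\.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz2?|lzma|t?gz|rar|bin|7z"
    r"|docx?|xlsx?|pptx?|pdf|nth|psd|sis)(\?|$)"
)

# Constructed sample URLs covering the cases that matter: a bare host, an
# HTML page, a real package, an upper-case extension with a query string,
# and a path containing "doc" without a dot before it.
SAMPLE_URLS = [
    "http://example.com/",
    "http://example.com/index.html",
    "http://mirror.example.com/pool/main/squid_4.8.deb",
    "http://example.com/file.ISO.GZ?token=1",
    "http://example.com/doc/readme",
]


def matches(pattern: str, url: str) -> bool:
    """Emulate Squid's url_regex -i: case-insensitive, unanchored search
    over the full URL (scheme, host, path and query)."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def evaluate(pattern: str) -> dict:
    """Return {url: matched?} for every sample URL under one pattern."""
    return {url: matches(pattern, url) for url in SAMPLE_URLS}


def cacheable_archives(pattern: str) -> list:
    """URLs that a 'cache allow ARCHIEVES' rule built on `pattern` would
    pass on to the 'cache' decision, i.e. everything the ACL matches."""
    return [url for url in SAMPLE_URLS if matches(pattern, url)]


if __name__ == "__main__":
    for name, pattern in (
        ("posted ARCHIEVES", POSTED_ARCHIVES),
        ("posted refresh_pattern", POSTED_REFRESH),
        ("fixed ARCHIVES", FIXED_ARCHIVES),
    ):
        print(f"{name}: {pattern}")
        for url, hit in evaluate(pattern).items():
            print(f"  {'MATCH' if hit else '  no '}  {url}")
```

Running the block shows the posted `ARCHIEVES` and `refresh_pattern` expressions matching all five URLs, including the bare host and the HTML page, while the anchored replacement matches only the `.deb` and the `.GZ?token=1` URL. The same trick applies to any Squid `url_regex` or `refresh_pattern` line: test it with `re.search` against a handful of URLs you expect it to reject before relying on it for cache or access decisions.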