Hi Squid-Users,

I need your help! So I have been using Squid 3.5.20 (installed on Amazon Linux 2) and it's acting as a transparent SSL proxy with a whitelist of allowed addresses. I want to avoid running a MITM proxy and having to add CA certs to all services/containers etc. Traffic is routed to the Squid instance via a route table to the interface.

Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64)

- So my working config below does not work with 4.x, but it kind of does for 3.5.x, and it appears that I require the squid-helper package, which doesn't exist for Amazon Linux.
- When starting Squid it tries to create an SSL database via security_file_certgen, but this shouldn't be needed as I'm providing self-signed certs that don't get used in transparent mode but are a hard dependency in 3.5.

Errors produced:

(security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
: Uninitialized SSL certificate database directory: /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c -s /var/spool/squid/ssl_db".
2019/06/25 00:37:57 kid1| Finished. Wrote 0 entries.
2019/06/25 00:37:57 kid1| Took 0.00 seconds ( 0.00 entries/sec).
2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png
2019/06/25 00:37:57 kid1| Squid Cache (Version 4.4): Terminated abnormally.

Squid config file contains:

=======================
acl localnet src 10.0.0.0/8 # Kubernetes VPC CIDR range
acl SSL_ports port 443 # HTTPS
acl Safe_ports port 80 # HTTP
acl Safe_ports port 443 # HTTPS
acl CONNECT method CONNECT # Traffic restriction
acl step1 at_step SslBump1 # Needed by ssl-bump

# -------------------------------
# Whitelist the following Domains
# -------------------------------
# Shorten whitelist - just for this email / Edited config here
acl domainIsWhitelisted ssl::server_name googleapis.l.google.com
acl domainIsWhitelisted ssl::server_name logging.googleapis.com
acl domainIsWhitelisted ssl::server_name cloudtrace.googleapis.com
# ----------------------------------------------

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Passively Intercepted HTTPS Traffic
https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept
acl step1 at_step SslBump1
ssl_bump peek all
ssl_bump splice domainIsWhitelisted
ssl_bump terminate all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Logging
logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru %ssl::>sni HTTP/%rv
access_log daemon:/var/log/squid/access_custom1.log custom1
access_log udp://127.0.0.1:5140
=======================

Issue 2

- So the reason for the upgrade is that some TLS 1.2 connections are being blocked when they should be whitelisted, and it depends on the clients used, e.g. Curl vs Netty. I believe this may be due to unsupported TLS extensions, but I can prove this as differences via tcpdump are minor. Is this because my configuration above is incorrect?

Kind regards
Jared Fox
DevOps Architect - Practiv

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
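As an added example (not from the post or from the Squid project), here is a small Python triage script for the custom1 access log defined in the config above: it parses that exact logformat, applies the whitelist with dstdomain-style matching (an assumption about ssl::server_name semantics), and separates spliced flows from flows that were not spliced even though their SNI is whitelisted, or because the client sent no SNI at all, which is the split needed to narrow down Issue 2. The sample log lines are constructed, not real data.

```python
import re

# Field layout of the post's logformat:
#   %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru %ssl::>sni HTTP/%rv
# Assumes the default %tg layout ("25/Jun/2019:00:37:57 +0000"), which contains
# a space, so a plain whitespace split would mis-align every later field.
LINE_RE = re.compile(
    r"^(?P<time>\S+ [+-]\d{4})\s+(?P<rt>\d+)\s+(?P<client>\S+)\s+(?P<server>\S+)\s+"
    r"(?P<sstatus>[A-Z_]+)/(?P<hstatus>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<sni>\S+)\s+HTTP/(?P<ver>\S+)$")

# The ssl::server_name entries from the post's whitelist.
WHITELIST = ["googleapis.l.google.com", "logging.googleapis.com",
             "cloudtrace.googleapis.com"]

def sni_allowed(sni, whitelist):
    """dstdomain-style match (assumed): plain entries exact, leading-dot entries
    also match subdomains; "-" means the client sent no SNI."""
    if sni in ("-", ""):
        return False
    return any((e.startswith(".") and (sni == e[1:] or sni.endswith(e))) or sni == e
               for e in whitelist)

def parse_line(line):
    """Return the fields of one custom1 line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage(lines, whitelist):
    """Bucket intercepted flows. A spliced flow logs TCP_TUNNEL; anything else counts
    as not spliced. For Issue 2 look at 'blocked_whitelisted' and 'blocked_no_sni'."""
    out = {"spliced": [], "blocked_whitelisted": [], "blocked_no_sni": [],
           "blocked_other": [], "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"].append(line)
        elif rec["sstatus"] == "TCP_TUNNEL":
            out["spliced"].append(rec)
        elif rec["sni"] == "-":
            out["blocked_no_sni"].append(rec)
        elif sni_allowed(rec["sni"], whitelist):
            out["blocked_whitelisted"].append(rec)
        else:
            out["blocked_other"].append(rec)
    return out

# Constructed sample lines, not real log data. The NONE/200 status on the
# non-spliced records is a placeholder: only "not TCP_TUNNEL" matters here.
SAMPLE_LOG = """\
25/Jun/2019:00:40:01 +0000    118 10.0.1.15 172.217.14.74 TCP_TUNNEL/200 4521 CONNECT 172.217.14.74:443 logging.googleapis.com HTTP/1.1
25/Jun/2019:00:40:02 +0000      3 10.0.1.22 - NONE/200 0 CONNECT 172.217.14.74:443 - HTTP/1.1
25/Jun/2019:00:40:03 +0000      5 10.0.1.22 - NONE/200 0 CONNECT 93.184.216.34:443 example.com HTTP/1.1
25/Jun/2019:00:40:04 +0000      7 10.0.1.30 - NONE/200 0 CONNECT 172.217.14.74:443 cloudtrace.googleapis.com HTTP/1.1
"""
```

Run `triage(SAMPLE_LOG.splitlines(), WHITELIST)` against a real access_custom1.log to see which client IPs end up in the two suspicious buckets.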