On Tuesday, April 21, 2020, 2:41:02 PM GMT+2, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:

>>On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> Please see the FAQ:
>>> <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Why_can.27t_I_use_authentication_together_with_interception_proxying.3F>
>>>
>>> Why bother with the second proxy at all? The explicit proxy has access
>>> to all the details the interception one does (and more - such as
>>> credentials). It should be able to do all filtering necessary.
>
> On 21.04.20 12:33, Vieri wrote:
>>Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with ICAP + squidclamav, for instance?
>
> yes.
>
>>Simply put, will I be able to block, eg.
>> https://secure.eicar.org/eicarcom2.zip not by mimetype, file extension,
>> url matching, etc., but by analyzing its content with clamav via ICAP?
>
> without bumping, you won't be able to block by anything, only by secure.eicar.org hostname.

Hi,

I'm not sure I understand how that should be configured.

I whipped up a test instance with the configuration I'm showing below.

My browser can authenticate via Kerberos and access several web sites (http & https) if I explicitly set it to proxy everything to squid10.mydomain.org on port 3228.

However, icap/clamav filtering is "not working" for either http or https.

My cache log shows a lot of messages regarding "icap" when I try to download an eicar test file. So something is triggered, but before sending a huge log to the mailing list, what should I be looking for exactly, or is there a specific loglevel I should set?

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
pid_filename /run/squid.testexplicit.pid
access_log daemon:/var/log/squid/access.test.log squid
cache_log /var/log/squid/cache.test.log
acl explicit myportname 3227
acl explicitbump myportname 3228
acl interceptedssl myportname 3229
http_port 3227
# http_port 3228 tproxy
http_port 3228 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db_test -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid.test 32 16 256
external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/squid10.mydomain.org@MYREALNAME
auth_param negotiate children 60
auth_param negotiate keep_alive on
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl localnet src 172.16.0.1
acl localnet src fc00::/7
acl ORG_all proxy_auth REQUIRED
http_access deny explicit !ORG_all
#http_access deny explicit SSL_ports
http_access deny explicitbump !localnet
http_access deny explicitbump !ORG_all
http_access deny interceptedssl !localnet
http_access deny interceptedssl !ORG_all
http_access allow CONNECT interceptedssl SSL_ports
http_access allow localnet
http_reply_access allow localnet
http_access allow ORG_all
debug_options rotate=1 ALL,9
# debug_options rotate=1 ALL,1
append_domain .mydomain.org
ssl_bump stare all
ssl_bump bump all
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
icap_service_failure_limit -1
icap_persistent_connections off

--
Vieri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users