Hi,

We use Squid v5 with ssl_bump to decrypt only Google domains. With a special configuration we also need to deny important websites. So far so good, but for performance reasons we don't want Squid to return the error pages. Since we have a lot of denied sites, it seems that Squid tries to bump returned error pages, which increases the resource consumption of the external plugin security_file_certgen considerably.

We have tried using a TCP_RESET deny_info, but this does not fix the bump operation.

In this piece of log, you can see that Squid is forcing bump for an Access Denied website under HTTPS:

2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back effectiveRequestUrl: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf77493929
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new store capacity: 40
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: 'beacons2.gvt2.com:443'
2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x5561d9347e90
2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x5561d5e66f50
2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d80af128 owner: 3
2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50 storeId: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning SBuf77493930 from SBuf77493860
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x5561d9347e90*1
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key '71570400000000002412000002000000'
2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: client-first
2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek at beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry: storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d66a8078 owner: 3
2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing error page language negotiated for TEMPLATE_5. Using default error file.

Ssl.conf

# SSL used for port ID 1, :3128 on
# Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
# SSL Proxy options Proxy version:5.2 [134]
sslcrtd_program /lib/squid3/security_file_certgen
sslcrtd_children 32 startup=5 idle=1 queue-size=64
#The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
#it means the application knows what certificate to expect when accessing AppStore.
#When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a "mimicked" one;
#the application detects that and refuses to function.
#
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl FakeCert ssl::server_name .bnpparisbas
acl notbump ssl::server_name .redtube.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
acl Me dst 127.0.0.1 192.168.58.11
acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
ssl_bump splice notbump all
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice ssl_step1 Me
ssl_bump splice ByPassRBL
ssl_bump splice FakeCert
# SNI Group sni_domains/ssl_sni # id:7 Type: ssl_sni
acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
ssl_bump peek ssl_step1 all
# 0 Splice rules...
ssl_bump splice ByPassRBL
ssl_bump splice GlobalWhitelistDSTNet
# Rules (spliced) added by admins....
# 1 BUMP rules...
ssl_bump bump ssl_step2 SNIGroup7
ssl_bump splice all
tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
sslproxy_cert_error allow all

http_access.conf

#### tcp_outgoing_tos ####
#### tcp_outgoing_tos 0 Rules ####
# SquidUrgency = 0 exec.squid.global.access.php[2233]
# HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
# mysql_for_port='' aclgpid=0 [L.174]
# [3] rules [220]
# webfilters_sqacls #2 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 2 access_allow Port Direction=0 ()
# [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
acl AnnotateRule2 annotate_transaction accessrule=Rule2
http_access allow Group2 AnnotateRule2
# webfilters_sqacls #4 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 4 access_allow Port Direction=0 ()
# [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
acl AnnotateRule4 annotate_transaction accessrule=Rule4
http_access allow Group8 AnnotateRule4
# webfilters_sqacls #3 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 3 access_deny Port Direction=0 ()
# [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
# Template Enabled for this ACL.
# Final acl is all, Template ID=1
acl AnnotateRule3 annotate_transaction accessrule=Rule3
http_access deny CONNECT AnnotateRule3
deny_info TCP_RESET AnnotateRule3
acl MyAll dst 0.0.0.0/0
http_access deny Myall
deny_info 302:http://artica/me Myall
#
#
# ------------------ HTTP ACCESS --------------------
# 0 rule(s) from engine (Line 2240)
#
# SquidStandardLDAPAuth = 0
# EnableOpenLDAP = 0
# SquidRadiusAuth = 0
# LDAP_AUTH = 0 caused by EnableOpenLDAP
acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
http_access allow WindowsUpdates AnnotateWindowsUpdates
#
# -------------------- AUTH Schemes Squid v5.2-----------------------
# ----------------------------------------------------------
# LDAP Auth = 0
acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
http_access deny HTTP !Safe_ports all AnnotateSafePorts
http_access deny CONNECT !SSL_ports all AnnotateSafePorts
deny_info TCP_RESET all
acl AnnotateBLK annotate_transaction accessrule=global_blacklist
http_access deny MyBlockedIPs AnnotateBLK
http_access deny blockedsites AnnotateBLK
http_access deny DomainsBlackLists AnnotateBLK
http_access deny NetworksBlackLists AnnotateBLK
include /etc/squid3/http_access_final.conf
# END http_access (defaults)

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
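The symptom the post describes is visible in cache.log as an "Access Denied" line followed, on the same worker (kidN), by "sslBumpAccessCheck: SslBump applies. Force bump action on error". The script below is an added example, not the poster's code and not part of Squid; it parses cache.log debug lines in the format quoted above and counts, per destination, how many denied requests were forced into a bump, so the certificate-generation cost of denied sites can be measured before and after a configuration change. The sample log is constructed: its first five lines follow the excerpt in the post, the kid1 lines and the destination blocked.example are invented to show a denial that was not force-bumped, and the correlation rule (latest denial on a worker is the one a following force-bump line refers to) is this example's own assumption about log ordering.

```python
import re
from collections import Counter

# One Squid cache.log debug line, e.g.
# "2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: host:443"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<kid>kid\d+)\| (?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<file>\S+)\((?P<srcline>\d+)\) (?P<func>\w+): (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"^Access Denied: (?P<dst>\S+)$")
FORCE_BUMP_MARK = "Force bump action on error"

# Constructed sample: the first five lines follow the excerpt from the post above; the
# kid1 lines are invented to show a denied request that was *not* forced into a bump,
# and the last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
2021/12/08 05:05:54.001 kid1| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: blocked.example:443
2021/12/08 05:05:54.001 kid1| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
this line is not a cache.log debug line and is skipped
"""


def parse_cache_log(text):
    """Turn cache.log debug lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["section"] = int(rec["section"])
        rec["level"] = int(rec["level"])
        records.append(rec)
    return records


def forced_bumps_on_denied(records):
    """Per destination, count denied requests that Squid then forced into a bump.

    Assumption: each worker (kidN) logs its transactions in order, so the most
    recent 'Access Denied' on a worker is the request a following 'Force bump'
    line on that same worker refers to.
    """
    last_denied = {}          # kid -> destination of that worker's latest denial
    forced = Counter()
    for rec in records:
        if rec["func"] == "clientAccessCheckDone":
            m = DENIED_RE.match(rec["msg"])
            if m:
                last_denied[rec["kid"]] = m.group("dst")
        elif rec["func"] == "sslBumpAccessCheck" and FORCE_BUMP_MARK in rec["msg"]:
            dst = last_denied.pop(rec["kid"], None)
            if dst is not None:
                forced[dst] += 1
    return dict(forced)


def summarize(text):
    """Return (denied requests seen, denied requests that were forced into a bump)."""
    records = parse_cache_log(text)
    denied = sum(1 for r in records
                 if r["func"] == "clientAccessCheckDone" and DENIED_RE.match(r["msg"]))
    forced = sum(forced_bumps_on_denied(records).values())
    return denied, forced


if __name__ == "__main__":
    total, bumped = summarize(SAMPLE_LOG)
    print(f"denied: {total}, forced into a bump: {bumped}")
    for dst, n in sorted(forced_bumps_on_denied(parse_cache_log(SAMPLE_LOG)).items()):
        print(f"  {dst}: {n}")
```

To use it on a real proxy, feed it a cache.log captured with section 85 at level 5 (the level the quoted sslBumpAccessCheck line was logged at, e.g. debug_options ALL,1 85,5) and compare the forced count against the number of denials; a configuration that stops Squid from bumping denied connections should drive the second number towards zero while the first stays the same.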