On 13/09/22 00:39, Adiseshu Channasamudhram wrote:
> Hello Amos
> Thank you for looking into this. Below is the configuration ...
FYI, below is advice for Squid-4+, if you have an older version then
please upgrade ASAP. Current stable Squid is v5.7.
> ###########################
> logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
"squid" is the registered name for Squid native log format. Some Squid
versions will silently use the built-in format instead of yours. Recent
versions will complain about this.
Please use a custom name for custom formats:
logformat nuance ...
> cache_access_log /var/log/squid/access.log squid
This directive is called "access_log". Remove the "cache_" part.
access_log daemon:/var/log/squid/access.log logformat=nuance
> pid_filename /var/run/squid.pid
This should not need configuring in any modern Squid.
> visible_hostname nuance-ak-client-test2
The above should be an FQDN resolvable in DNS. It will be used in URLs
presented to clients in error pages etc.
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl SSL_ports port 443
> acl SSL method CONNECT
> acl CONNECT method CONNECT
> cache deny all
To fully disable caching you should also add:
cache_mem 0 KB
> dns_v4_first on
> http_port 443 tcpkeepalive=60,30,3 ssl-bump
This may be your problem.
- Port 443 is for encrypted TLS traffic.
- "http_port" requires plain-text HTTP traffic. Encrypted TLS arriving
here directly is guaranteed to result in the "error:invalid-request"
entries in your log.
A working configuration for port 443 would be:
https_port 443 \
tls-cert=/etc/squid/squidCA.pem \
cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE \
tls-dh=prime256v1:/etc/squid/bump_dhparam.pem \
tcpkeepalive=60,30,3
FYI, NO_SSLv2 is no longer supported with latest Squid. All SSLv2
related features are fully prohibited by default. Including these
disable options.
> # Below, a.b.c.d is the backend IP
> cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
FYI: DONT_VERIFY_PEER disables the 2-way security on these backend
connections.
Please *actually* set up 2-way TLS validation. Like so:
* Check that /etc/certs/abc.crt contains the *Client Certificate*
Squid is supposed to send in 2-way TLS to this backend.
* Check that /etc/certs/key.pem is the private key matching the
content of /etc/certs/abc.crt.
* Add the sslcafile= option with the specific PEM file containing the
root CA which signed the Server Certificate of a.b.c.d.
* Remove both sslcapath= and sslflags=DONT_VERIFY_PEER
FWIW, you could merge /etc/certs/abc.crt and /etc/certs/key.pem into one
PEM file and load it with "sslcert=/etc/certs/squid.pem". In modern
Squid that file can also contain any necessary chained CA intermediary
certificates.
> acl dev myport 443
> acl dev myport 80
> acl dev myport 3129
Use "myportname" ACL type instead.
acl dev myportname 443 80 3129
FWIW, you have not shown any port 80 or 3129 settings. Without
http(s)_port lines using those as names the values are pointless in this
ACL.
> http_access allow all
Your network description specified there is a "frontend" receiving
traffic before relaying it to Squid. You should configure these
http_access to deny traffic arriving without going through those
frontend(s). The default squid.conf defines an ACL called "localnet" for
things like this.
> cache_peer_access dev allow dev
> #cache_peer_access dev deny all
There are no rules specifying what to do with traffic that does not go
through the peer. That means Squid will currently try to go directly to
the Internet for all that.
Your network topology description specified that there was a backend
receiving all traffic. To enforce that you need the following rule:
never_direct allow all
> #URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 5
> ssl_bump server-first all
With the port 443 configuration fixed your Squid is no longer performing
SSL-Bump. You can remove all these above settings.
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
These settings should never be configured like this. All it does is hide
log entries informing you about security issues. The issues themselves
still occur.
You should remove them and resolve any issues that are then visible.
FWIW, once never_direct is used and the cache_peer is fixed these should
not need configuring at all.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
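Pulling the corrections from the reply above together into one squid.conf fragment, as an added example that is not from the thread or from the Squid project: a custom log format name, TLS terminated on https_port rather than http_port, the backend peer with certificate verification kept on, http_access limited to the frontend network, and never_direct so nothing bypasses the backend. The frontend range 10.0.0.0/24, the port name frontend443, the hostname proxy.example.com and the CA bundle path /etc/squid/backend-ca.pem are assumed placeholders; a.b.c.d is the backend IP placeholder from the quoted configuration, and /etc/squid/squid.pem is the merged client certificate plus key file suggested in the reply.

```conf
# Custom log format under a custom name (not the reserved name "squid")
logformat nuance %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
access_log daemon:/var/log/squid/access.log logformat=nuance

# Placeholder: must be a DNS-resolvable FQDN of this proxy
visible_hostname proxy.example.com

# Only the frontend(s) may reach this proxy (assumed address range)
acl frontend src 10.0.0.0/24
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow frontend
http_access deny all

# Caching fully disabled
cache deny all
cache_mem 0 KB

# TLS terminates here, so https_port, not http_port. No SSL-Bump needed.
# NO_SSLv2 omitted: SSLv2 is already prohibited in current Squid.
# name= is assumed so the myportname ACL below has something to match.
https_port 443 name=frontend443 \
    tls-cert=/etc/squid/squidCA.pem \
    cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
    options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE \
    tls-dh=prime256v1:/etc/squid/bump_dhparam.pem \
    tcpkeepalive=60,30,3

# Backend over 2-way TLS with verification left on:
#  - sslcert: client certificate, key and any chain certs in one PEM
#  - sslcafile: the CA that signed the backend's server certificate (assumed path)
#  - no sslcapath=, no sslflags=DONT_VERIFY_PEER, no sslproxy_cert_error
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver \
    ssl sslcert=/etc/squid/squid.pem \
    sslcafile=/etc/squid/backend-ca.pem \
    name=dev

# Traffic that arrived on the frontend port goes to the backend peer
acl dev myportname frontend443
cache_peer_access dev allow dev
cache_peer_access dev deny all

# Never go directly to the Internet; the backend receives everything
never_direct allow all
```

With sslcafile= in place, a backend certificate that does not chain to that CA shows up as a logged TLS failure instead of being silently accepted, which is the behaviour the reply asks for: fix the visible issue rather than hide it with DONT_VERIFY_PEER.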