
Re: squid-users Digest, Vol 97, Issue 20

On 13/09/22 00:39, Adiseshu Channasamudhram wrote:
Hello Amos

Thank you for looking into this. Below is the configuration ...



FYI, below is advice for Squid-4+, if you have an older version then please upgrade ASAP. Current stable Squid is v5.7.



###########################
logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h


"squid" is the registered name for Squid native log format. Some Squid versions will silently use the built-in format instead of yours. Recent versions will complain about this.

Please use a custom name for custom formats:

  logformat nuance ...


cache_access_log /var/log/squid/access.log  squid

This directive is called "access_log". Remove the "cache_" part.

  access_log daemon:/var/log/squid/access.log logformat=nuance


pid_filename /var/run/squid.pid


This should not need configuring in any modern Squid.


visible_hostname nuance-ak-client-test2


The above should be a FQDN resolvable in DNS. It will be used in URLs presented to clients in error pages etc.


acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT

cache deny all

To fully disable caching you should also add:
  cache_mem 0 KB


dns_v4_first on

http_port 443 tcpkeepalive=60,30,3 ssl-bump

This may be your problem.

- Port 443 is for encrypted TLS traffic.
- "http_port" requires plain-text HTTP traffic. Encrypted TLS arriving here directly is guaranteed to result in the "error:invalid-request" entries in your log.

A working configuration for port 443 would be:

  https_port 443 \
    tls-cert=/etc/squid/squidCA.pem \
    cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS \
    options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE \
    tls-dh=prime256v1:/etc/squid/bump_dhparam.pem \
    tcpkeepalive=60,30,3


FYI, NO_SSLv2 is no longer supported with the latest Squid. All SSLv2 related features are fully prohibited by default, including these disable options.


# Below, a.b.c.d is the backend IP
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev


FYI: DONT_VERIFY_PEER disables the 2-way security on these backend connections.

Please *actually* setup 2-way TLS validation. Like so:

* Check that /etc/certs/abc.crt contains the *Client Certificate* Squid is supposed to send in 2-way TLS to this backend.

* Check that /etc/certs/key.pem is the private key matching the content of /etc/certs/abc.crt.

* Add the sslcafile= option with the specific PEM file containing the root CA which signed the Server Certificate of a.b.c.d.

* Remove both sslcapath= and sslflags=DONT_VERIFY_PEER


FWIW, you could merge /etc/certs/abc.crt and /etc/certs/key.pem into one PEM file and load it with "sslcert=/etc/certs/squid.pem". In modern Squid that file can also contain any necessary chained CA intermediary certificates.


acl dev myport 443
acl dev myport 80
acl dev myport 3129


Use "myportname" ACL type instead.

  acl dev myportname 443 80 3129


FWIW, you have not shown any port 80 or 3129 settings. Without http(s)_port lines using those as names the values are pointless in this ACL.


http_access allow all


Your network description specified there is a "frontend" receiving traffic before relaying it to Squid. You should configure these http_access rules to deny traffic arriving without going through those frontend(s). The default squid.conf defines an ACL called "localnet" for things like this.


cache_peer_access dev allow dev
#cache_peer_access dev deny all

There are no rules specifying what to do with traffic that does not go through the peer. That means Squid will currently try to go directly to the Internet for all that.

Your network topology description specified that there was a backend receiving all traffic. To enforce that you need the following rule:

  never_direct allow all


#URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all

With the port 443 configuration fixed your Squid is no longer performing SSL-Bump. You can remove all these above settings.


sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

These settings should never be configured like this. All it does is hide log entries informing you about security issues. The issues themselves still occur.

You should remove them and resolve any issues that are then visible.
FWIW, once never_direct is used and the cache_peer is fixed, these should not need configuring at all.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
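As an added example that is not part of the thread (my own code, not Squid's or the list's), a small Python linter that flags the squid.conf pitfalls raised in the reply above, run over a constructed, trimmed copy of the posted configuration:

```python
# Constructed sample (a trimmed stand-in for the posted config, not the thread's full file).
SAMPLE_CONF = """\
logformat squid %tl %6tr %>a %<a %Ss/%>Hs %<st %rm %ru
cache_access_log /var/log/squid/access.log squid
http_port 443 tcpkeepalive=60,30,3 ssl-bump
cache_peer a.b.c.d parent 443 0 no-query originserver ssl sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
cache_peer_access dev allow dev
http_access allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

def parse_directives(text):
    """Yield (directive, args) per line, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name.lower(), args

def lint_squid_conf(text):
    """Return (directive, message) findings for the pitfalls discussed in the reply."""
    directives = list(parse_directives(text))
    seen = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name == "logformat" and args[:1] == ["squid"]:
            findings.append((name, "'squid' is the built-in format name; use a custom name"))
        elif name == "cache_access_log":
            findings.append((name, "unknown directive; the correct name is access_log"))
        elif name == "http_port" and args and args[0].rsplit(":", 1)[-1] == "443":
            findings.append((name, "port 443 carries TLS; use https_port with tls-cert="))
        elif name == "cache_peer":
            if "sslflags=DONT_VERIFY_PEER" in args:
                findings.append((name, "DONT_VERIFY_PEER disables backend certificate validation"))
            if "ssl" in args and not any(a.startswith("sslcafile=") for a in args):
                findings.append((name, "no sslcafile= naming the root CA of the backend's server cert"))
        elif name == "http_access" and args == ["allow", "all"]:
            findings.append((name, "allows any client; restrict to the frontend (e.g. localnet ACL)"))
        elif name == "sslproxy_cert_error" and args == ["allow", "all"]:
            findings.append((name, "hides certificate errors instead of fixing them"))
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((name, "disables upstream TLS validation"))
    if "cache_peer" in seen and "never_direct" not in seen:
        findings.append(("never_direct", "missing; unmatched traffic will go direct to the Internet"))
    return findings

if __name__ == "__main__":
    for directive, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"{directive}: {msg}")
```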