Search squid archive

Re: squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I recommend changing your main port to this:

  http_port 3128 ssl-bump ....

This is set to this when it processes

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

and receiving the intercepted traffic on:

 http_port 3129 intercept ssl-bump …

Do you mean https?

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
Https uses that port 3129

What should I adapt 

http_port 
https_port?



On Jul 11, 2024, at 14:49, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

Oh, I see the problem:

 http_port 127.0.0.1:3128 intercept ...

(which also means you lack a firewall rule preventing external software like squidclient from sending traffic directly to your intercept port.)


Please **do not** use port 3128 to receive intercepted traffic.


I recommend changing your main port to this:

  http_port 3128 ssl-bump ....

and receiving the intercepted traffic on:

 http_port 3129 intercept ssl-bump ...


and check your firewall has all the rules listed at <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.
One to note in particular is the "mangle" table rule.


Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux