Re: [squid-users] Problems with HTTPS on Squid

2021-07-12 Thread Antony Stone
On Monday 12 July 2021 at 20:12:03, Marcio B. wrote:

> I have the following problem on my Squid 4.6 on Debian 10.
> 
> Squid does not redirect the user to the error page when blocking an HTTPS
> url. On HTTP it works correctly.

Short answer - it can't.

Longer answer - browser requests https://thing.example.com

Squid won't allow connection to thing.example.com, and wants to send the 
browser to an error page instead.

The error page cannot possibly have the correct certificate for 
https://thing.example.com (because that's signed by some genuine CA), so the 
browser won't accept the error page as being valid.

Squid cannot even send an HTTP 302 redirect back to the browser, because that 
also is HTTPS content, and would need to have the correct certification for the 
browser to accept it and follow the redirect.

So, what you want is understandable, but not possible.

The only option I can think of is to add a CA certificate to all your browsers, 
and get Squid (somehow; sorry, I don't know how) to issue either a redirect or 
a substitute web page, claiming to be the original web server, and with a 
certificate signed by that CA that your browsers now trust.

I suspect that involves transparent interception, but someone might know how / 
whether it can be done.


Antony.

-- 
"The future is already here. It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
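The exchange Antony describes, as an added example that is not part of the thread and not Squid's code: a toy CONNECT-handling proxy plus a client that sends exactly what a browser sends for an https:// URL when a proxy is configured. The block list, hostnames and loopback port are constructed assumptions. It shows that a blocked HTTPS site is refused on the plain-text CONNECT leg, before any TLS handshake, which is why the proxy has nothing it could present under the site's name, neither an error page nor a redirect.

```python
import socket
import threading

# Constructed block list standing in for a dstdomain ACL (assumption, not from the thread).
BLOCKED_HOSTS = {"thing.example.com"}

DENY_BODY = (b"<html><body><h1>Access Denied</h1>"
             b"<p>This site is blocked by proxy policy.</p></body></html>")


def handle_client(conn):
    """Read one request and answer it the way a forward proxy answers CONNECT."""
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split()
        if len(parts) != 3 or parts[0] != "CONNECT":
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            return
        host = parts[1].rsplit(":", 1)[0]
        if host in BLOCKED_HOSTS:
            # The denial goes back as ordinary HTTP on the still-unencrypted
            # connection: the tunnel is never opened, so no TLS handshake
            # happens and no certificate for `host` is needed or possible.
            # A redirect here would just be another proxy-level answer to the
            # CONNECT, not a response to the https:// URL the browser wanted.
            headers = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                       b"Content-Length: " + str(len(DENY_BODY)).encode() +
                       b"\r\nConnection: close\r\n\r\n")
            conn.sendall(headers + DENY_BODY)
            return
        # Allowed: a real proxy would now open the upstream socket and relay
        # bytes blindly; this toy only acknowledges the tunnel and closes it.
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")


def start_proxy():
    """Start the toy proxy on an ephemeral loopback port and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_via_proxy(port, host):
    """Send what a browser sends for an https:// URL through a configured proxy
    and return (status, body) of the proxy's answer to the CONNECT."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        resp = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
            if resp.startswith(b"HTTP/1.1 200"):
                break  # tunnel granted; the TLS handshake would start here
        head, _, body = resp.partition(b"\r\n\r\n")
        status = int(head.split(b" ", 2)[1])
        return status, body


def demo():
    """Run a blocked and an allowed CONNECT; return {host: (status, saw_deny_page)}."""
    port = start_proxy()
    out = {}
    for host in ("thing.example.com", "allowed.example.com"):
        status, body = connect_via_proxy(port, host)
        out[host] = (status, b"Access Denied" in body)
    return out


if __name__ == "__main__":
    print(demo())
```

Running it yields a 403 with an HTML body for the blocked host and a 200 for the allowed one. Squid answers a denied CONNECT the same way, with its ERR_ACCESS_DENIED page as the body, and current browsers deliberately do not render the body of a non-200 reply to a CONNECT, so the user sees the browser's own proxy error rather than Squid's page.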


[squid-users] Problems with HTTPS on Squid

2021-07-12 Thread Marcio B.
I have the following problem on my Squid 4.6 on Debian 10.

Squid does not redirect the user to the error page when blocking an HTTPS
url. On HTTP it works correctly.

I don't use transparent proxy. The proxy is manually configured in the web
browser.

Here is my squid.conf configuration file:

http_port 3128
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95

maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 128 KB

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

error_directory /usr/share/squid/errors/pt-br
cache_mgr r...@empresa.com.br

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

fqdncache_size 1024

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Prefer IPv4 DNS resolution
dns_v4_first on

cache_dir aufs /var/spool/squid 600 16 256

visible_hostname "Monitoramento-de-Acesso-a-Internet"

### acls
acl SSL_ports  port 443
acl Safe_ports port 21   # ftp
acl Safe_ports port 70   # gopher
acl Safe_ports port 80   # http
acl Safe_ports port 88   # kerberos
acl Safe_ports port 123  # ntp
acl Safe_ports port 210  # wais
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 3456 # Siafi
acl Safe_ports port 389  # ldap
acl Safe_ports port 443  # https
acl Safe_ports port 488  # gss-http
acl Safe_ports port 563  # snews
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl Safe_ports port 3001 # Imprensa Nacional
acl Safe_ports port 8080 # http
acl Safe_ports port 8443 # http
acl Safe_ports port 1025-65535   # unregistered ports
acl CONNECT method CONNECT

acl sistemas-bloqueados dstdomain "/etc/squid/acls/sistemas-bloqueados"
http_access deny sistemas-bloqueados

## Negotiate kerberos/NTLM module
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 200 startup=15 idle=5
auth_param negotiate keep_alive on

## NTLM Auth
auth_param ntlm program /usr/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 110 startup=5 idle=5
auth_param ntlm keep_alive on
auth_param basic realm "Squid Proxy"

# Incorporate the SquidGuard rules
#redirect_program /usr/bin/squidGuard
#redirect_children 20
#redirector_bypass on

acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all

### LAN #
acl rede_usuarios src 192.168.0.0/16

### Squid default rules
#http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
# allow replies back out from the proxy
http_reply_access allow all
#acl manager proto cache_object

### Allow LAN
http_access allow rede_usuarios

#cache_effective_user proxy
coredump_dir /var/spool/squid

# SquidGuard
url_rewrite_program /usr/bin/squidGuard
redirector_bypass on


As I don't use a transparent proxy, is it necessary to create an SSL
certificate for my proxy server?

Can anybody help me?

Regards,

Márcio Bacci


Re: [squid-users] refresh_pattern and "?"

2021-07-12 Thread Vincent Tamet
Hi,

I would like to know how to deactivate the "?" refresh_pattern filter?
(As most web pages nowadays should use cache-control or expire, I guess the
correct usage of headers should be enough to permit us to cache requests
with "?" !?
Advice is welcome...)

For example for /cgi-bin/:
#refresh_pattern -i (/cgi-bin/) 0 0% 0
1626107114.552 812 192.168.14.224 TCP_MEM_HIT/200 1988993 GET https://test5vince.titi.com/cgi-bin/201.gif - HIER_NONE/- image/gif

refresh_pattern -i (/cgi-bin/) 0 0% 0
1626107233.336 4729 192.168.14.224 TCP_REFRESH_UNMODIFIED_ABORTED/200 229496 GET https://test5vince.titi.com/cgi-bin/201.gif - FIRSTUP_PARENT/127.0.0.1 image/gif

But for \?:
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
1626107559.200 6441 192.168.14.224 TCP_MISS/200 1988987 GET https://test5vince.titi.com/201.gif? - FIRSTUP_PARENT/127.0.0.1 image/gif

Best regards
Vince

PS:
< HTTP/2 200
< server: nginx
< date: Mon, 12 Jul 2021 16:42:31 GMT
< content-type: image/gif
< content-length: 1988458
< last-modified: Mon, 12 Jul 2021 16:18:23 GMT
< cache-control: max-age=1800
< strict-transport-security: max-age=60; includeSubDomains
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< accept-ranges: bytes
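An added example (not from the thread and not Squid's own code) that models the two things the question turns on: which refresh_pattern line Squid applies to a URL (first match in config order; -i makes the regex case-insensitive) and the min/percent/max freshness heuristic the manual documents for objects that carry no explicit expiry. The rule lines are the four stock ones quoted in the other thread on this page; the URLs, ages and Last-Modified distances are constructed, and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The stock refresh_pattern lines quoted in this list, in config order.
RULE_LINES = [
    r"refresh_pattern ^ftp: 1440 20% 10080",
    r"refresh_pattern ^gopher: 1440 0% 1440",
    r"refresh_pattern -i (/cgi-bin/|\?) 0 0% 0",
    r"refresh_pattern . 0 20% 4320",
]


@dataclass
class RefreshPattern:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool = False


def parse_refresh_pattern(line: str) -> RefreshPattern:
    """Parse 'refresh_pattern [-i] regex min percent% max [options...]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    tokens = tokens[1:]
    ci = tokens[0] == "-i"
    if ci:
        tokens = tokens[1:]
    if len(tokens) < 4:
        raise ValueError(f"incomplete refresh_pattern: {line!r}")
    regex, min_m, pct, max_m = tokens[:4]
    if not pct.endswith("%"):
        raise ValueError(f"percent must end with '%': {pct!r}")
    return RefreshPattern(regex, int(min_m), int(pct[:-1]), int(max_m), ci)


def select_pattern(patterns: List[RefreshPattern], url: str) -> Optional[RefreshPattern]:
    """First rule whose regex matches anywhere in the URL wins, as in Squid."""
    for p in patterns:
        if re.search(p.regex, url, re.IGNORECASE if p.case_insensitive else 0):
            return p
    return None


def is_fresh(p: RefreshPattern, age_s: int, lm_age_s: Optional[int] = None) -> bool:
    """Squid's documented min/percent/max heuristic for an object with no explicit
    expiry (an Expires or Cache-Control: max-age on the response is used instead
    of these values): STALE if age > max; FRESH if lm-factor < percent;
    FRESH if age < min; otherwise STALE.  lm_age_s is the Date-to-Last-Modified
    distance the response had when it was cached (None if no Last-Modified)."""
    if age_s > p.max_minutes * 60:
        return False
    if lm_age_s and lm_age_s > 0:
        lm_factor = 100.0 * age_s / lm_age_s
        if lm_factor < p.percent:
            return True
    if age_s < p.min_minutes * 60:
        return True
    return False


def rule_for(url: str, drop_query_rule: bool = False):
    """Return the (min, percent, max) chosen for url, optionally with the
    query-string ('?') rule removed as the poster is considering."""
    lines = [l for l in RULE_LINES if not (drop_query_rule and r"\?" in l)]
    p = select_pattern([parse_refresh_pattern(l) for l in lines], url)
    return None if p is None else (p.min_minutes, p.percent, p.max_minutes)


if __name__ == "__main__":
    url = "https://test5vince.titi.com/201.gif?"
    print(rule_for(url))                        # query rule: (0, 0, 0)
    print(rule_for(url, drop_query_rule=True))  # falls through to '.': (0, 20, 4320)
    dot = parse_refresh_pattern(RULE_LINES[3])
    print(is_fresh(dot, age_s=600, lm_age_s=3600))  # 16.7% < 20% -> fresh
```

rule_for shows the query-string URL from the access.log excerpt picking up the `0 0% 0` rule, and falling through to the catch-all `.` rule once that line is removed; is_fresh then shows what each choice means for an object that has neither Expires nor max-age, which is the only case these three numbers govern.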


Re: [squid-users] issues with old version of TLS/SSL certificate

2021-07-12 Thread Antony Stone
On Monday 12 July 2021 at 18:58:43, Alex Irmel Oviedo Solis wrote:

> Hello all, I'm trying to download a file from
> https://prodcont.seace.gob.pe

> SSLLabs review shows that server supports only TLS 1.0

> Any solution please?

If you're trying to download a specific file from a specific server, which 
doesn't support current encryption protocols, is it absolutely essential to 
you that you download it via Squid?

In other words, I suggest you just connect to the machine directly, download 
the file, and then either forget about the server's outdated encryption 
capabilities, or inform the website maintainers (if there are any?) and see 
whether they care enough to bring it up to date.

Either way, you have your file, and you don't have to work out how to persuade 
Squid to do something that's really not a good idea to start with.


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.


[squid-users] issues with old version of TLS/SSL certificate

2021-07-12 Thread Alex Irmel Oviedo Solis
Hello all, I'm trying to download a file from https://prodcont.seace.gob.pe,
it seems to have an old version certificate; the error that Squid shows is:
//---Begin of error
The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1425F102:SSL
routines:ssl_choose_client_version:unsupported protocol
//---End of error

SSLLabs review shows that server supports only TLS 1.0

I tried putting this line into my squid.conf without success:
tls_outgoing_options cafile=/etc/squid/cacert.pem min-version=1.0 options=ALL

Any solution please?

-- 
*"A joy shared becomes a double joy; a sorrow shared, half a sorrow."*
--> http://www.alexove.me 
--> Mobile (Movistar): +51-959-625-001
--> Follow me on Twitter: http://twitter.com/alexove_pe
--> Profile: http://fedoraproject.org/wiki/user:alexove
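An added example (not from the thread, and not Squid's or OpenSSL's code) that parses the OpenSSL error string Squid reports on a failed outgoing handshake and maps the reason to what an administrator should check. The sample lines are constructed: the first is the error text quoted above re-joined onto one line, the rest are made-up cache.log-shaped lines that exercise the classifier. The advice table reflects general OpenSSL and Squid behaviour, not a finding about the server in question, and the function names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Optional

# OpenSSL error-string layout: error:<code>:<library>:<function>:<reason>
OPENSSL_ERROR = re.compile(r"error:([0-9A-Fa-f]+):([^:]+):([^:]+):([^\n]+)")

# Reason strings from OpenSSL's TLS code and what each one points a defender at.
TRIAGE: Dict[str, str] = {
    "unsupported protocol": (
        "the server selected a protocol version outside the range this client "
        "allows; compare the server's versions (SSL Labs or openssl s_client) "
        "with tls_outgoing_options min-version and the OpenSSL policy in openssl.cnf"),
    "certificate verify failed": (
        "the server's chain did not validate against the CA bundle given by "
        "tls_outgoing_options cafile="),
    "wrong version number": (
        "the bytes received were not TLS at all; check the port or an intermediate "
        "device answering in plain text"),
    "tlsv1 alert protocol version": (
        "the server sent a protocol_version alert: it accepts none of the "
        "versions this client offered"),
}


def parse_openssl_error(text: str) -> Optional[dict]:
    """Extract code/library/function/reason from an OpenSSL error string, if present."""
    m = OPENSSL_ERROR.search(text)
    if not m:
        return None
    code, lib, func, reason = m.groups()
    return {"code": code, "library": lib, "function": func, "reason": reason.strip()}


def triage(text: str) -> Optional[str]:
    """Return the defender-side reading for the OpenSSL reason in text, or None."""
    parsed = parse_openssl_error(text)
    if parsed is None:
        return None
    return TRIAGE.get(parsed["reason"], "unclassified reason: " + parsed["reason"])


def summarize(lines) -> Counter:
    """Count OpenSSL handshake reasons across a batch of log or error-page lines."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_openssl_error(line)
        if parsed:
            counts[parsed["reason"]] += 1
    return counts


# Constructed samples. The first is the error text quoted in the thread,
# re-joined onto one line; the rest are made up to exercise the classifier.
SAMPLE_LINES = [
    "Handshake with SSL server failed: error:1425F102:SSL routines:"
    "ssl_choose_client_version:unsupported protocol",
    "2021/07/12 18:40:01 kid1| ERROR: negotiating TLS on FD 23: error:1416F086:"
    "SSL routines:tls_process_server_certificate:certificate verify failed",
    "2021/07/12 18:41:10 kid1| ERROR: negotiating TLS on FD 24: error:1408F10B:"
    "SSL routines:ssl3_get_record:wrong version number",
    "2021/07/12 18:42:33 kid1| TCP_MISS/503 1234 GET https://example.invalid/ - HIER_NONE/- text/html",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_openssl_error(line), "->", triage(line))
    print(dict(summarize(SAMPLE_LINES)))
```

For the quoted error the reason resolves to "unsupported protocol", which is the OpenSSL client refusing the version the server picked rather than a certificate problem; that is the first thing to confirm before touching cafile or options.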