Re: [squid-users] LDAP Auth re-prompting for credentials on browser close, need suggestions
On 7/29/2015 5:20 PM, Amos Jeffries wrote: Found this post asking the same question: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Ldap-Authen-AD-how-to-make-authentication-persistent-td3604487.html and it There were two suggestions that stood out: There used to be a "authenticate_ip_shortcircuit_ttl" option in squid 2.7 that when authenticated successfully, it would remember the users IP for X amount of time and would let you avoid logging in every time you reopen your browser. They removed that in later versions unfortunately, I guess because someone could take over your IP and would be able to authenticate as you(which is not a concern to me, at all). It should. Theres this thing called NAT you see, which places multiple users behind a single IP. The first one to login with IP-based auth. Since IPv4 ran out back in 2003 a number of networks have started using one layer. Since 2010 when IPv4 stopped being readily available its become more and more popular to use 2 and even 3 layers of NAT between any two machines. Just so they can talk. Then there is this thing called DHCP. I guess this is what you mean by one user taking over anothers IP. Since the DHCP service allocates any available IP to user devices on request. If a device goes away its IP can get re-used immediately by another device. Its uite difficult to get Squid to be aware of any of those changes and update its auth information. Then there is the thing called "privacy addressing". In IPv6 its built-in, with IPv4 its done using DHCP short dynamic assignments. It means the IP address assigned to user devices is guaranteed to change frequently and randomly. Now, if your network can operate without NAT or DHCP, or IPv6. You are one of the very rare lucky people for whom IP-shortcut based auth *might* work. But only until you have a malicious user contact the network and start spoofing users IPs. IP address based authentication is, well. Dead. Okay, well I know how NAT and DHCP works, so I guess I am one of those rare cases you talk about. We have no NATs, I am only trying to use squid on a small section of our network which has statically assigned IP addresses and they have no admin rights to change it. They are open 24/7 so some stranger walking in, plugging his laptop on our network and trying to figure out which IP is already authenticated is very unlikely since everybody knows each other and it noticed/reported. That's why this does not concern me. I was also only planning to have it remember the IP for maybe 1 hour. On the other hand, having users re-authenticate every time they close their browser would irritate them and possibly cause confusion as most of them are not very technical(It might just be something they will need to adjust to after all). So in my case, either I figure out a way to go about this (I saw your suggestions below and am going to do some reading) or I might have to not implement any authentication at all, which I think is worse. The other suggestion would be to use an external ACL helper but they did not include one or any example in the post. Would anyone happen to have an example of a helper that does this or some other way I can go about pulling this off? "Windows Integrated Authentication" is what IE is using not to have to ask user for credentials. Some credentials were given when they logged into the machine, and are used by the browser to send to Squid as needed (and only as needed). Sometimes called Single-Sign-On or Federated authentication. I hear the other browsers need some config to use it. But can't recall right now what that is. I will look around for this config option and check out SSO/Federated authentication, I appreciate the hint. If I can't figure out a way to get this going I will speak to management to see if this is an acceptable tradeoff. I am just exploring my options before I do. For Squid it should work with Basic auth. Dont believe the myths that say Windows auth == NTLM. Whether *a* popup is seen also depends on whether the browser password manager is in use. One always need to unlock that manually when opening a browser. The actual Squid credentials are fetched from there after its opened. And no that popup is *not* part of HTTP auth. Thanks for clearing that up and your responses, much appreciated. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] LDAP Auth re-prompting for credentials on browser close, need suggestions
Hey, I configured the basic_ldap_helper from Squid to my LDAP. Everytime I open the browser I am forced to re-auth. All of them except for Internet Explorer..But who uses IE anyways? It seems like this is not a Squid issue, but a browser thing. Found this post asking the same question: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Ldap-Authen-AD-how-to-make-authentication-persistent-td3604487.html and it There were two suggestions that stood out: There used to be a "authenticate_ip_shortcircuit_ttl" option in squid 2.7 that when authenticated successfully, it would remember the users IP for X amount of time and would let you avoid logging in every time you reopen your browser. They removed that in later versions unfortunately, I guess because someone could take over your IP and would be able to authenticate as you(which is not a concern to me, at all). The other suggestion would be to use an external ACL helper but they did not include one or any example in the post. Would anyone happen to have an example of a helper that does this or some other way I can go about pulling this off? Thanks in advance. Mike ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Compiling squid with 'url_rewrite' support?
Spoke to soon, there is a free one. Going to give it a shot, thanks again. - Original Message - From: "Michael Monette" To: "Michael Monette" Cc: "Yuri Voinov" , "squid-users" Sent: Wednesday, July 15, 2015 11:17:08 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? I love how they say ufdbguard is Free and Open Source...followed by a pricing option. - Original Message - From: "Michael Monette" To: "Yuri Voinov" Cc: "squid-users" Sent: Wednesday, July 15, 2015 11:15:07 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? Cool! I'm just beginning to explore these things, so I am glad I asked the question. I am going to check out ufbdguard now. Thank you all - Original Message - From: "Yuri Voinov" To: "squid-users" Sent: Wednesday, July 15, 2015 11:00:55 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Confirm. ufdbguard is great redirector. It has a bit small problem with some reporting tools (like SARG), but nothing important. 15.07.15 20:57, Amos Jeffries пишет: > On 16/07/2015 2:42 a.m., Michael Monette wrote: >> Hello, >> >> This might be a stupid question.. >> >> I started looking at squidGuard. Looks pretty straight forward and >> fairly easy to implement it but for some reason I could not get it to >> actually work, the blacklists were still being bypassed. I was using >> Squid-3.5.4 from source because I need the ssl::server_name ACL. I >> tried to install regular squid-3.1.10 from the YUM repo and using the >> same config file (disabling the at_step and ssl::servername stuff) >> and everything worked right away without needing to touch anything >> else in squid.conf. My blacklists were active. >> >> Do I need to compile squid in a certain way to that url_rewrite >> works? Or is that something that works and is enabled by default? > > Nope, its an always-built component of Squid. > > SquidGuard is an old and no longer maintained project. It may need > patching manually to work with current Squid versions > (<http://bugs.squid-cache.org/show_bug.cgi?id=3978> has the patches). > > ufdbGuard is much more up to date and performant if you actually have to > use a tool. Squid can be configured to do itself almost everything the > helpers do. > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJVpnWnAAoJENNXIZxhPexGZ0cH/3OObwZEiQgn9d13WMy/dIGH IB/KhQ9VMYk2YF/mZrhisSMIDb90Y7r2XmWSZHH46ZdbFtoXppBKrzUtqoy9RpkF +UuhIHLb5bCIPO2DIFrMVQoF6ACCxL0jfML5LR5WHbwJy+B6u+x5WUERU/dR006W 2x2bUsrOz48KrBK4wwb9GFhdJDOs7gTfaClBa1gx5h3x1wtT8FCC0zahOBs3aMy5 bYSyb22a59gDFhfXPKum32o8Y3tRvUpCID8VSgxpKVeJcZNG8KGmh+vg/jrms5OK 6WDIlp9TpfNH/RTALfXyctp9Wr5smJSLkKuYaaAmAWUJMpH+zh7Vs/hblv/kmRg= =dPG9 -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Compiling squid with 'url_rewrite' support?
I love how they say ufdbguard is Free and Open Source...followed by a pricing option. - Original Message - From: "Michael Monette" To: "Yuri Voinov" Cc: "squid-users" Sent: Wednesday, July 15, 2015 11:15:07 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? Cool! I'm just beginning to explore these things, so I am glad I asked the question. I am going to check out ufbdguard now. Thank you all - Original Message - From: "Yuri Voinov" To: "squid-users" Sent: Wednesday, July 15, 2015 11:00:55 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Confirm. ufdbguard is great redirector. It has a bit small problem with some reporting tools (like SARG), but nothing important. 15.07.15 20:57, Amos Jeffries пишет: > On 16/07/2015 2:42 a.m., Michael Monette wrote: >> Hello, >> >> This might be a stupid question.. >> >> I started looking at squidGuard. Looks pretty straight forward and >> fairly easy to implement it but for some reason I could not get it to >> actually work, the blacklists were still being bypassed. I was using >> Squid-3.5.4 from source because I need the ssl::server_name ACL. I >> tried to install regular squid-3.1.10 from the YUM repo and using the >> same config file (disabling the at_step and ssl::servername stuff) >> and everything worked right away without needing to touch anything >> else in squid.conf. My blacklists were active. >> >> Do I need to compile squid in a certain way to that url_rewrite >> works? Or is that something that works and is enabled by default? > > Nope, its an always-built component of Squid. > > SquidGuard is an old and no longer maintained project. It may need > patching manually to work with current Squid versions > (<http://bugs.squid-cache.org/show_bug.cgi?id=3978> has the patches). > > ufdbGuard is much more up to date and performant if you actually have to > use a tool. Squid can be configured to do itself almost everything the > helpers do. > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJVpnWnAAoJENNXIZxhPexGZ0cH/3OObwZEiQgn9d13WMy/dIGH IB/KhQ9VMYk2YF/mZrhisSMIDb90Y7r2XmWSZHH46ZdbFtoXppBKrzUtqoy9RpkF +UuhIHLb5bCIPO2DIFrMVQoF6ACCxL0jfML5LR5WHbwJy+B6u+x5WUERU/dR006W 2x2bUsrOz48KrBK4wwb9GFhdJDOs7gTfaClBa1gx5h3x1wtT8FCC0zahOBs3aMy5 bYSyb22a59gDFhfXPKum32o8Y3tRvUpCID8VSgxpKVeJcZNG8KGmh+vg/jrms5OK 6WDIlp9TpfNH/RTALfXyctp9Wr5smJSLkKuYaaAmAWUJMpH+zh7Vs/hblv/kmRg= =dPG9 -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Compiling squid with 'url_rewrite' support?
Cool! I'm just beginning to explore these things, so I am glad I asked the question. I am going to check out ufbdguard now. Thank you all - Original Message - From: "Yuri Voinov" To: "squid-users" Sent: Wednesday, July 15, 2015 11:00:55 AM Subject: Re: [squid-users] Compiling squid with 'url_rewrite' support? -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Confirm. ufdbguard is great redirector. It has a bit small problem with some reporting tools (like SARG), but nothing important. 15.07.15 20:57, Amos Jeffries пишет: > On 16/07/2015 2:42 a.m., Michael Monette wrote: >> Hello, >> >> This might be a stupid question.. >> >> I started looking at squidGuard. Looks pretty straight forward and >> fairly easy to implement it but for some reason I could not get it to >> actually work, the blacklists were still being bypassed. I was using >> Squid-3.5.4 from source because I need the ssl::server_name ACL. I >> tried to install regular squid-3.1.10 from the YUM repo and using the >> same config file (disabling the at_step and ssl::servername stuff) >> and everything worked right away without needing to touch anything >> else in squid.conf. My blacklists were active. >> >> Do I need to compile squid in a certain way to that url_rewrite >> works? Or is that something that works and is enabled by default? > > Nope, its an always-built component of Squid. > > SquidGuard is an old and no longer maintained project. It may need > patching manually to work with current Squid versions > (<http://bugs.squid-cache.org/show_bug.cgi?id=3978> has the patches). > > ufdbGuard is much more up to date and performant if you actually have to > use a tool. Squid can be configured to do itself almost everything the > helpers do. > > Amos > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJVpnWnAAoJENNXIZxhPexGZ0cH/3OObwZEiQgn9d13WMy/dIGH IB/KhQ9VMYk2YF/mZrhisSMIDb90Y7r2XmWSZHH46ZdbFtoXppBKrzUtqoy9RpkF +UuhIHLb5bCIPO2DIFrMVQoF6ACCxL0jfML5LR5WHbwJy+B6u+x5WUERU/dR006W 2x2bUsrOz48KrBK4wwb9GFhdJDOs7gTfaClBa1gx5h3x1wtT8FCC0zahOBs3aMy5 bYSyb22a59gDFhfXPKum32o8Y3tRvUpCID8VSgxpKVeJcZNG8KGmh+vg/jrms5OK 6WDIlp9TpfNH/RTALfXyctp9Wr5smJSLkKuYaaAmAWUJMpH+zh7Vs/hblv/kmRg= =dPG9 -END PGP SIGNATURE- ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Compiling squid with 'url_rewrite' support?
Hello, This might be a stupid question.. I started looking at squidGuard. Looks pretty straight forward and fairly easy to implement it but for some reason I could not get it to actually work, the blacklists were still being bypassed. I was using Squid-3.5.4 from source because I need the ssl::server_name ACL. I tried to install regular squid-3.1.10 from the YUM repo and using the same config file (disabling the at_step and ssl::servername stuff) and everything worked right away without needing to touch anything else in squid.conf. My blacklists were active. Do I need to compile squid in a certain way to that url_rewrite works? Or is that something that works and is enabled by default? Here are my ./configure options: ./configure --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid \ --localstatedir=/var --sysconfdir=/etc/squid --with-included-ltdl --enable-ltdl-convenience --with-openssl --enable-ssl-crtd --with-logdir=/var/log/squid My url_rewrite line from squid.conf: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf Let me know if I am missing anything. In the mean time I am going to keep playing with it it. Thanks, Mike ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] How can I change the location of the kerberos cache file?
Have you tried a symlink? I know it's not the best answer, but could work until you figure out a real solution - Original Message - From: "Michael Pelletier" To: "squid-users" Sent: Monday, June 22, 2015 11:48:20 AM Subject: [squid-users] How can I change the location of the kerberos cache file? Hello, Squid is keeping the kerberos cache file in /var/tmp. How can I change the location? # ls -al /var/tmp/ total 864 drwxrwxrwt. 3 root root 36864 Jun 22 11:43 . drwxr-xr-x. 22 root root 4096 May 9 23:55 .. -rw-r--r-- 1 root root 0 Jun 21 20:09 .fsrlast_xfs drwx--. 2 root root 16384 May 9 19:01 lost+found -rw--- 1 squid squid 823779 Jun 22 11:43 SVC-137Proxy-137Kerb-137Auth_23 Thanks in advance, Michael Disclaimer: Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid, Gmail.com and HSTS.
Sorry for the noise - I figured it out. HTTPS was completely dead which made me wonder if squid was working properly. It turns out I had some folder permission issues. I needed to chmod -R 777 /var/lib/ssl_db. I guess lack of permissions to that directory caused cert generation to fail and HTTPS to break..Thanks for reading - Original Message - From: "Michael Monette" To: "Amos Jeffries" Cc: "squid-users" Sent: Wednesday, June 10, 2015 10:25:21 AM Subject: Re: [squid-users] Squid, Gmail.com and HSTS. Hi again, I finally had some time to get back into this, been a busy couple weeks. I compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and now things seem to be working better with ssl::servername. But for some reason I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is getting their certificate from the real sites and I don't really know why because it's the same config as before. Here's a small capture of the logs: 1433945978.888 95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html 1433945978.918306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 - 1433945978.994 72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png 1433945979.147 65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945979.152 58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945979.972 1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png 1433945981.527 50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945981.753 52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945982.006100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html 1433945983.769 55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html All the HTTPS traffic are just CONNECT's. I feel like I ran into this problem when I had been working on this a couple weeks and I was able to get myself out of it by messing with the bump steps, but I can't seem to figure it out this time(or I just can't remember). Hoping for some guidance or hints. Here's my log again: # cat /etc/squid/squid.conf ~ debug_options ALL,9 acl localnet src 10.0.0.0/8# RFC1918 possible internal network acl localnet src 172.16.0.0/12# RFC1918 possible internal network acl localnet src 192.168.0.0/16# RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80# http acl Safe_ports port 21# ftp acl Safe_ports port 443# https acl Safe_ports port 70# gopher acl Safe_ports port 210# wais acl Safe_ports port 1025-65535# unregistered ports acl Safe_ports port 280# http-mgmt acl Safe_ports port 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports port 777# multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 all ssl_bump bump step2 all ssl_bump bump step3 all acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com #acl bl1 url_regex -i ^http(s)?://gmail.com #acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.* #acl bl3 url_regex -i ^http(s)?://moz.com.* #acl bl4 url_regex -i moz.com deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless. http_reply_access deny bl1 # useless #http_access deny bl1 #http_access deny bl1 CONNECT http_access allow localnet http_access allow localhost http_access allow all http_port 3128 accel vhost allow-direct #https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslproxy_options NO_SSLv2 sslproxy_options NO_SSLv3 sslcrtd_progra
Re: [squid-users] Squid, Gmail.com and HSTS.
Hi again, I finally had some time to get back into this, been a busy couple weeks. I compiled squid with the "--with-openssl --enable-ssl-crtd" you mentioned, and now things seem to be working better with ssl::servername. But for some reason I can't get HTTPS traffic to get a cert from squid. All HTTPS traffic is getting their certificate from the real sites and I don't really know why because it's the same config as before. Here's a small capture of the logs: 1433945978.888 95 10.117.67.157 TCP_MISS/302 694 GET http://a.tribalfusion.com/z/i.match? - HIER_DIRECT/204.11.109.68 text/html 1433945978.918306 10.117.67.157 TCP_MISS/302 658 GET http://pixel.advertising.com/ups/50/sync? - HIER_DIRECT/149.174.67.72 - 1433945978.994 72 10.117.67.157 TCP_MISS/204 737 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png 1433945979.147 65 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945979.152 58 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945979.972 1068 10.117.67.157 TCP_MISS/204 719 GET http://su.addthis.com/red/usync? - HIER_DIRECT/104.16.24.235 image/png 1433945981.527 50 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945981.753 52 10.117.67.157 TAG_NONE/200 0 CONNECT 104.236.7.74:443 - ORIGINAL_DST/104.236.7.74 - 1433945982.006100 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html 1433945983.769 55 10.117.67.157 TCP_MISS/200 546 GET http://www.google.ca/ads/user-lists/1072396910/? - HIER_DIRECT/216.254.140.45 text/html All the HTTPS traffic are just CONNECT's. I feel like I ran into this problem when I had been working on this a couple weeks and I was able to get myself out of it by messing with the bump steps, but I can't seem to figure it out this time(or I just can't remember). Hoping for some guidance or hints. Here's my log again: # cat /etc/squid/squid.conf ~ debug_options ALL,9 acl localnet src 10.0.0.0/8# RFC1918 possible internal network acl localnet src 172.16.0.0/12# RFC1918 possible internal network acl localnet src 192.168.0.0/16# RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80# http acl Safe_ports port 21# ftp acl Safe_ports port 443# https acl Safe_ports port 70# gopher acl Safe_ports port 210# wais acl Safe_ports port 1025-65535# unregistered ports acl Safe_ports port 280# http-mgmt acl Safe_ports port 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports port 777# multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 all ssl_bump bump step2 all ssl_bump bump step3 all acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com #acl bl1 url_regex -i ^http(s)?://gmail.com #acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.* #acl bl3 url_regex -i ^http(s)?://moz.com.* #acl bl4 url_regex -i moz.com deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless. http_reply_access deny bl1 # useless #http_access deny bl1 #http_access deny bl1 CONNECT http_access allow localnet http_access allow localhost http_access allow all http_port 3128 accel vhost allow-direct #https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslproxy_options NO_SSLv2 sslproxy_options NO_SSLv3 sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 #cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid refresh_pattern ^ftp:144020%10080 refresh_pattern ^gopher:14400%1440 refresh_pattern -i (/cgi-bin/|\?) 00%0 refresh_pattern .020%4320 - Original Message - From: "Amos Jeffries" To: "Michael Monette" Cc: "squid-users" Sent: Wednesday, May 27, 2015
Re: [squid-users] Squid, Gmail.com and HSTS.
Yeah I don't know what I am doing wrong but I don't have these ACL types..Or I am somehow not copy & pasting properly: FATAL: Invalid ACL type 'ssl::server_name' FATAL: Bungled /etc/squid/squid.conf line 54: acl nobumpsites ssl::server_name .google.com Squid Cache (Version 3.5.4): Terminated abnormally. CPU Usage: 0.005 seconds = 0.003 user + 0.002 sys Maximum Resident Size: 24096 KB Page faults with physical i/o: 0 Squid restarted [root@ottt-corp-paz-squid-1 squid-3.5.4]# squid -v Squid Cache: Version 3.5.4 Service Name: squid configure options: '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-included-ltdl' --enable-ltdl-convenience There are also issues with "at_step" now: 2015/05/27 14:32:17| FATAL: Invalid ACL type 'at_step' FATAL: Bungled /etc/squid/squid.conf line 52: acl step1 at_step SslBump1 Squid Cache (Version 3.5.4): Terminated abnormally. CPU Usage: 0.005 seconds = 0.003 user + 0.002 sys Maximum Resident Size: 24080 KB Page faults with physical i/o: 0 Did I miss something when compiling? I just followed what was on the Squid wiki. I am all out of ideas.. Thanks, Mike - Original Message - From: "Amos Jeffries" To: "squid-users" Sent: Wednesday, May 27, 2015 1:20:33 PM Subject: Re: [squid-users] Squid, Gmail.com and HSTS. On 28/05/2015 4:15 a.m., Michael Monette wrote: > Has anyone been able to configure Squid in a way so that if you type https://gmail.com in your browser, you are NOT presented with the "OMG HSTS I refuse to load anything" page? When I go to https://gmail.com, I get an invalid certificate because the cert is for mail.google.com, issued by my CA. If I go to https://mail.google.com, the cert is beautifully green. Why can't squid detect that gmail.com is redirecting my browser to mail.google.com and generate the cert accordingly? That is *actually* what their server certificate contains. Ironic isn't it that their own certs do not comply with the restrictions they require of all others. Squid actually does obey HSTS requirements for secure handling of the reqeust. Its just the browser is incapable of detecting that, notices the custom CA and assumes the worst. > > Even configuring an acl for gmail.com doesn't work. It seems like > even though I am punching https://gmail.com in my browser, Squid detects it as though I am typing "https://mail.google.com"; in my browser and is ignoring any ACLs I have setup specifically for "gmail.com". > > I can't be the only one with this issue? > > > I've also attempted to do: > > acl bl1 gmail.com moz.com > always_direct allow bl1 <- from what I understand this bypasses squid and > tells my browser to get the cert right from the site. Maybe I am wrong. > You are. squid.conf has nothing to do with your browser. That line tells Squid not to use any cache_peer connections when serving a request that matches ACL "bl1". In the very first implementation way, way back in 3.1 decrypted requests could leak out over insecure cache_peer. So people were advised to use "always_direct allow all" to force it to work correctly. That bug was fixed long ago but the config still persists in the web. > But certificates still come from Squid, so I don't see any effect from that > line. > > Here's my config, lots of garbage in there since I have been trying > everything i can think of to get this working. I want to add that for my acl > called BL1, the only one that works is moz.com . They are part of the same > ACL line, so if one works, they should all work. Except they do not. > > Thanks in advance. > > cat /etc/squid/squid.conf > > ~~ > > debug_options ALL,9 > > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12# RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) > machines > > acl SSL_ports port 443 > acl Safe_ports port 80# http > acl Safe_ports port 21# ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70# gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535# unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_
Re: [squid-users] Squid, Gmail.com and HSTS.
I just thought of something else. First of all I'm new to squid and I am not aware of 10% of the things its capable of yet so I will ask. Is squid capable of adding custom SNIs? Like could I have it so gmail.com is added to the certificate as a subject alternate name EVEN though the original certificate doesn't contain it? If such a thing is possible I would love to know the term for it so I can do some searches. Appreciate it! On May 27, 2015 12:15:37 PM EDT, Michael Monette wrote: >Has anyone been able to configure Squid in a way so that if you type >https://gmail.com in your browser, you are NOT presented with the "OMG >HSTS I refuse to load anything" page? When I go to https://gmail.com, I >get an invalid certificate because the cert is for mail.google.com, >issued by my CA. If I go to https://mail.google.com, the cert is >beautifully green. Why can't squid detect that gmail.com is redirecting >my browser to mail.google.com and generate the cert accordingly? > >Even configuring an acl for gmail.com doesn't work. It seems like even >though I am punching https://gmail.com in my browser, Squid detects it >as though I am typing "https://mail.google.com"; in my browser and is >ignoring any ACLs I have setup specifically for "gmail.com". > >I can't be the only one with this issue? > > > >I've also attempted to do: > >acl bl1 gmail.com moz.com >always_direct allow bl1 <- from what I understand this bypasses squid >and tells my browser to get the cert right from the site. Maybe I am >wrong. > >But certificates still come from Squid, so I don't see any effect from >that line. > >Here's my config, lots of garbage in there since I have been trying >everything i can think of to get this working. I want to add that for >my acl called BL1, the only one that works is moz.com . They are part >of the same ACL line, so if one works, they should all work. Except >they do not. > >Thanks in advance. > >cat /etc/squid/squid.conf > >~~ > >debug_options ALL,9 > >acl localnet src 10.0.0.0/8# RFC1918 possible internal network >acl localnet src 172.16.0.0/12 # RFC1918 possible internal network >acl localnet src 192.168.0.0/16# RFC1918 possible internal network >acl localnet src fc00::/7 # RFC 4193 local private network range >acl localnet src fe80::/10 # RFC 4291 link-local (directly >plugged) machines > >acl SSL_ports port 443 >acl Safe_ports port 80 # http >acl Safe_ports port 21 # ftp >acl Safe_ports port 443# https >acl Safe_ports port 70 # gopher >acl Safe_ports port 210# wais >acl Safe_ports port 1025-65535 # unregistered ports >acl Safe_ports port 280# http-mgmt >acl Safe_ports port 488# gss-http >acl Safe_ports port 591# filemaker >acl Safe_ports port 777# multiling http >acl CONNECT method CONNECT > > >http_access deny !Safe_ports > >http_access deny CONNECT !SSL_ports > >http_access allow localhost manager >http_access deny manager > >acl step1 at_step SslBump1 >acl step2 at_step SslBump2 >acl step3 at_step SslBump3 > >ssl_bump peek step1 all >ssl_bump bump step2 all >ssl_bump bump step3 all > >acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com >#acl bl1 url_regex -i ^http(s)?://gmail.com >#acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.* >#acl bl3 url_regex -i ^http(s)?://moz.com.* >#acl bl4 url_regex -i moz.com >deny_info http://ask.com bl1 # I was testing redirecting stuff, but >since the acl is not even picked up, this stuff is useless. >http_reply_access deny bl1 # useless >#http_access deny bl1 >#http_access deny bl1 CONNECT > >http_access allow localnet >http_access allow localhost > >http_access allow all > >http_port 3128 accel vhost allow-direct > >#https_port 3129 transparent ssl-bump generate-host-certificates=on >dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem >key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 >https_port 3129 intercept ssl-bump generate-host-certificates=on >dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem >key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 > >sslproxy_cert_error allow all >sslproxy_flags DONT_VERIFY_PEER > >sslproxy_options NO_SSLv2 >sslproxy_options NO_SSLv3 > >sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB >sslcrtd_children 8 startup=1 idle=1 > >#cache_dir ufs /var/spool/squid 100 16 256 >coredump_dir /var/spool/squid > >refresh_pattern ^ftp: 144020% 10080 >refresh_pattern ^gopher: 14400% 144
[squid-users] Squid, Gmail.com and HSTS.
Has anyone been able to configure Squid in a way so that if you type https://gmail.com in your browser, you are NOT presented with the "OMG HSTS I refuse to load anything" page? When I go to https://gmail.com, I get an invalid certificate because the cert is for mail.google.com, issued by my CA. If I go to https://mail.google.com, the cert is beautifully green. Why can't squid detect that gmail.com is redirecting my browser to mail.google.com and generate the cert accordingly? Even configuring an acl for gmail.com doesn't work. It seems like even though I am punching https://gmail.com in my browser, Squid detects it as though I am typing "https://mail.google.com"; in my browser and is ignoring any ACLs I have setup specifically for "gmail.com". I can't be the only one with this issue? I've also attempted to do: acl bl1 gmail.com moz.com always_direct allow bl1 <- from what I understand this bypasses squid and tells my browser to get the cert right from the site. Maybe I am wrong. But certificates still come from Squid, so I don't see any effect from that line. Here's my config, lots of garbage in there since I have been trying everything i can think of to get this working. I want to add that for my acl called BL1, the only one that works is moz.com . They are part of the same ACL line, so if one works, they should all work. Except they do not. Thanks in advance. cat /etc/squid/squid.conf ~~ debug_options ALL,9 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 all ssl_bump bump step2 all ssl_bump bump step3 all acl bl1 dstdomain gmail.com mail.google.com accounts.google.com moz.com #acl bl1 url_regex -i ^http(s)?://gmail.com #acl bl2 url_regex -i ^http(s)?://([a-zA-Z]+).gmail.com.* #acl bl3 url_regex -i ^http(s)?://moz.com.* #acl bl4 url_regex -i moz.com deny_info http://ask.com bl1 # I was testing redirecting stuff, but since the acl is not even picked up, this stuff is useless. http_reply_access deny bl1 # useless #http_access deny bl1 #http_access deny bl1 CONNECT http_access allow localnet http_access allow localhost http_access allow all http_port 3128 accel vhost allow-direct #https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem options=NO_SSLv3 sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslproxy_options NO_SSLv2 sslproxy_options NO_SSLv3 sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1 #cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 Mike ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
