The Endian squid.conf is customized, and much smaller than that of a squid you install and configure from the command line. If you want, I will send it to you, but there is a huge chance that your squid will break or lose a lot of functionality if you use my file.

On 31-05-2012 14:08, Alisson Ceolin wrote:
 it is authenticated too. the browsers point to the squid.

do you still have the configuration file? could you pass it along?

thanks!


Alisson Ceolin

------------------------------------------------------------------------
*From:* Renato Alves - Gmail <[email protected]>
*To:* [email protected]
*Sent:* Thursday, May 31, 2012 13:19
*Subject:* Re: [slack-users] squid with https

I use squid on the Endian firewall. I was blocking Facebook's HTTP without problems, but HTTPS only after I converted squid from transparent to authenticated. It worked right away! Is yours transparent?

On 31-05-2012 11:56, Alisson Ceolin wrote:
hello everyone

I am testing https blocking in squid. I confess I am finding the documentation very confusing, and there is also a lot of controversy. my biggest problem today is facebook. I have http blocking rules (ldap groups) and would like to be able to filter https as well.

does anyone use squid with https blocking? could you give me some instructions?

I have already compiled squid with --enable-ssl
and added this content to squid.conf

https_port 3126 protocol=http cert=/etc/squid/ssl2/server_cert.pem key=/etc/squid/ssl2/server_key.pem
.
.
acl SSL method CONNECT
never_direct allow SSL
.


squid startup log, and an attempt to access an https site

2012/05/31 10:54:04| Starting Squid Cache version 2.7.STABLE9 for i386-debian-linux-gnu...
2012/05/31 10:54:04| Process ID 3337
2012/05/31 10:54:04| With 32768 file descriptors available
2012/05/31 10:54:04| Using epoll for the IO loop
2012/05/31 10:54:04| Performing DNS Tests...
2012/05/31 10:54:04| Successful DNS name lookup tests...
2012/05/31 10:54:04| DNS Socket created at 0.0.0.0, port 60995, FD 6
2012/05/31 10:54:04| Adding nameserver 127.0.0.1 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.2 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.22 from squid.conf
2012/05/31 10:54:04| helperOpenServers: Starting 10 'ldap_auth' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| User-Agent logging is disabled.
2012/05/31 10:54:04| Referer logging is disabled.
2012/05/31 10:54:04| logfileOpen: opening log /var/log/squid/ppol-test-access.log
2012/05/31 10:54:04| Unlinkd pipe opened on FD 71
2012/05/31 10:54:04| Swap maxSize 2048000 + 512000 KB, estimated 196923 objects
2012/05/31 10:54:04| Target number of buckets: 9846
2012/05/31 10:54:04| Using 16384 Store buckets
2012/05/31 10:54:04| Max Mem  size: 512000 KB
2012/05/31 10:54:04| Max Swap size: 2048000 KB
2012/05/31 10:54:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/05/31 10:54:04| Store logging disabled
2012/05/31 10:54:04| Rebuilding storage in /var/spool/squid/ppol-test (DIRTY)
2012/05/31 10:54:04| Using Least Load store dir selection
2012/05/31 10:54:04| Set Current Directory to /var/cache/squid
2012/05/31 10:54:04| Loaded Icons.
2012/05/31 10:54:04| Accepting proxy HTTP connections at 0.0.0.0, port 3125, FD 73.
2012/05/31 10:54:04| Accepting HTTPS connections at 0.0.0.0, port 3126, FD 74.
2012/05/31 10:54:04| Accepting ICP messages at 0.0.0.0, port 3130, FD 75.
2012/05/31 10:54:04| HTCP Disabled.
2012/05/31 10:54:04| WCCP Disabled.
2012/05/31 10:54:04| Ready to serve requests.
2012/05/31 10:54:04| Done reading /var/spool/squid/ppol-test swaplog (40 entries)
2012/05/31 10:54:04| Finished rebuilding storage from disk.
2012/05/31 10:54:04|        40 Entries scanned
2012/05/31 10:54:04|         0 Invalid entries.
2012/05/31 10:54:04|         0 With invalid flags.
2012/05/31 10:54:04|        40 Objects loaded.
2012/05/31 10:54:04|         0 Objects expired.
2012/05/31 10:54:04|         0 Objects cancelled.
2012/05/31 10:54:04|         0 Duplicate URLs purged.
2012/05/31 10:54:04|         0 Swapfile clashes avoided.
2012/05/31 10:54:04|   Took 0.3 seconds ( 154.6 objects/sec).
2012/05/31 10:54:04| Beginning Validation Procedure
2012/05/31 10:54:04|   Completed Validation Procedure
2012/05/31 10:54:04|   Validated 40 Entries
2012/05/31 10:54:04|   store_swap_size = 796k
2012/05/31 10:54:05| storeLateRelease: released 0 objects
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found



the certificate was self-generated ( openssl req -new -x509 -nodes -keyout server_key.pem -out server_cert.pem ); I do not have an official certificate authority. I don't know whether this is the cause of the error, or something else. is there any way you could help me? thanks.


does anyone have a similar scenario?

Alisson Ceolin


--
GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br

Before asking:
http://www.istf.com.br/perguntas/

To leave the list, send an e-mail to:
[email protected]
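
Added example (not part of the original thread): a small triage script for the cache.log excerpt quoted in the first message. OpenSSL reports the reason string `https proxy request` when the first bytes received on a TLS listener are a plaintext proxy CONNECT, so the script classifies each `clientNegotiateSSL` error and lists the listener ports Squid announced. Assumptions: ACL debug lines are present, and each error is attributed to the most recent `aclMatchIp` line, which is a heuristic; the second client IP in the sample is constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the cache.log excerpt in the thread.
SAMPLE_LOG = """\
2012/05/31 10:54:04| Accepting proxy HTTP connections at 0.0.0.0, port 3125, FD 73.
2012/05/31 10:54:04| Accepting HTTPS connections at 0.0.0.0, port 3126, FD 74.
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:36| aclMatchIp: '10.12.60.61' found
2012/05/31 10:54:36| clientNegotiateSSL: Error negotiating SSL connection on FD 75: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
"""

# OpenSSL reason strings produced when plaintext arrives on a TLS listener.
CAUSES = {
    "https proxy request": "plaintext proxy CONNECT sent to a TLS (https_port) listener",
    "http request": "plaintext HTTP request sent to a TLS (https_port) listener",
}
LISTEN_RE = re.compile(r"Accepting (proxy HTTP|HTTPS) connections at \S+ port (\d+)")
IP_RE = re.compile(r"aclMatchIp: '([0-9.]+)' found")
ERR_RE = re.compile(r"clientNegotiateSSL: Error negotiating SSL connection on FD \d+: "
                    r"error:[0-9A-Fa-f]+:SSL routines:\w+:(.+?) \(")

def triage(log_text):
    """Return (listeners, Counter keyed by (client_ip, openssl_reason))."""
    listeners, findings, last_ip = {}, Counter(), "unknown"
    for line in log_text.splitlines():
        if m := LISTEN_RE.search(line):
            listeners[m.group(1)] = int(m.group(2))
        elif m := IP_RE.search(line):
            last_ip = m.group(1)          # heuristic: nearest preceding ACL match
        elif m := ERR_RE.search(line):
            findings[(last_ip, m.group(1))] += 1
    return listeners, findings

def report(log_text):
    """Human-readable lines: one per (client, reason), plus a port hint."""
    listeners, findings = triage(log_text)
    out = [f"{ip}: {n}x '{reason}' -> "
           f"{CAUSES.get(reason, 'unclassified TLS handshake failure')}"
           for (ip, reason), n in sorted(findings.items())]
    known = any(reason in CAUSES for _, reason in findings)
    if known and {"proxy HTTP", "HTTPS"} <= listeners.keys():
        out.append(f"plain proxy listener is port {listeners['proxy HTTP']}; "
                   f"the failing TLS listener is port {listeners['HTTPS']}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```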