On Sat, 2015-04-25 at 14:25 +1200, Amos Jeffries wrote:
> On 25/04/2015 12:50 a.m., James Lay wrote:
> > Hey all.
> >
> > Topic says it....I'm running squid-3.5.3-20150420-r13802 and wanted to
> > see if there's anything glaring that I'm missing/have misconfigured. My
> > setup is: squid is running on a router, one nic external, one nic
> > internal. This is running as a transparent proxy with iptables doing a
> > redirect to ports 3128 and 3129. Config below:
> >
> > #############################################################
> > acl localnet src 192.168.1.0/24
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 443 # https
> >
> > acl CONNECT method CONNECT
> > acl broken_sites dst 96.16.0.0/15
> > <others redacted>
> > acl broken_sites dst 54.160.0.0/12
> > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> > acl all_others dst all
>
> Using "dst all" is very inefficient. It requires Squid to perform DNS
> lookups just to answer "yes". Unless there is some unusual reason
> requiring that, you might as well use the provided "all" ACL for faster
> operation.
>
> > acl SSL method CONNECT
>
> This is a bit dangerous. CONNECT does not necessarily mean SSL - even
> with the port 443 restriction. CONNECT could as easily contain a tunnel
> to an email server and be pumping spam, or literally any other type of
> traffic to any other server. Spam emails, FTP, BitTorrent, and Skype are
> pretty popular protocols seen with CONNECT.
>
> So you can easily mistake security rules about SSL and create allow
> policies that make you vulnerable to some nasty attacks.
>
> It's also a redundant ACL definition with the default CONNECT ACL earlier.
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow manager localhost
> > http_access deny manager
> >
> > http_access allow allowed_sites
> > http_access allow broken_sites
> >
> > http_access deny all_others
>
> The above being equivalent to "deny all" makes the below rules not do
> anything. I don't know your policy, maybe you did.
>
> Consider whether that is what you expected/wanted to happen.
>
> > http_access allow localnet
> > http_access allow localhost
> >
> > http_access deny all
> > icp_access deny all
> >
> >
> > sslproxy_cert_error allow broken_sites
> > sslproxy_cert_error deny all
> >
> > sslproxy_options ALL
> > acl p3129 myportname 3129
>
> This name "3129" does not match any listening port name. See below...
>
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > #ssl_bump splice broken_sites
> > ssl_bump bump p3129
> >
> >
> > http_port 192.168.1.253:3128 intercept
>
> ... in the absence of a name= parameter the default name for this port is
> "192.168.1.253:3128".
>
> > https_port 192.168.1.253:3129 intercept ssl-bump
> > cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> > cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
>
> ... in the absence of a name= parameter the default name for this port is
> "192.168.1.253:3129".
>
> Do you see the pattern?
> Set the name= parameter explicitly or it becomes the *string* value of
> the host:port field.
>
> > always_direct allow all
>
> Has no use in your config.
>
> > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
>
> Bad: do not re-define built-in format definitions please.
>
> Either use the provided format, or use a different name if you need the
> custom one.
> >
> > access_log syslog:daemon.info common
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (cgi-bin|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> > icp_port 3130
>
> You are initializing the ICP port, but also configured "icp_access deny all".
>
> To disable ICP, remove the icp_* directives from your config.
>
> To enable ICP, configure icp_access to allow some sources to make
> queries.
>
> > coredump_dir /opt/var
> > #############################################################
> >
> > My goal has been to at least get the domain logged on any https access,
> > but alas some sites show:
> >
> > Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - -
> > [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200
> > 401 TCP_TUNNEL:ORIGINAL_DST -
> >
>
> With interception + your custom rule using %ru you should always see
> raw-IP:port. If you see a TLS SNI domain in there *that* is a bug. "%ru"
> is explicitly asking for the client-presented CONNECT *URL*, not the
> server details.
>
> That "TCP_TUNNEL" will always happen whenever the protocol found on port
> 443 is not HTTPS.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Thank you Amos...that's extremely helpful.

James
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
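As an added illustration that is not part of the thread or of Squid itself: a small Python lint pass that turns the review points in Amos's reply into mechanical checks over a squid.conf, so the same mistakes (`dst all` instead of the built-in `all`, a second `method CONNECT` ACL named as if it meant TLS, `http_access` rules placed after a match-everything rule, a `myportname` value that matches no listening port, a redefined built-in logformat) are caught before a reload. The sample config is a constructed abbreviation of the posted one with paths shortened; the set of built-in logformat names is an assumption, the "port name defaults to the host:port string" rule is taken from the reply above, and the script inspects configuration text only, it does not model Squid's full ACL evaluation.

```python
# Added example: lint a squid.conf for the problems raised in the thread.
# Checks are text-level only; they do not reproduce Squid's ACL engine.
from typing import Dict, List, Set, Tuple

# Assumed list of Squid built-in logformat names that must not be redefined.
BUILTIN_LOGFORMATS = {"squid", "common", "combined"}

# Constructed abbreviation of the config posted in the thread (paths shortened).
SAMPLE_CONF = """\
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
acl broken_sites dst 54.160.0.0/12
acl all_others dst all
acl SSL method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow broken_sites
http_access deny all_others
http_access allow localnet
http_access deny all
acl p3129 myportname 3129
ssl_bump bump p3129
http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump cert=/path/to/ca.crt
logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
"""

# The same config with each finding addressed (constructed; port names are hypothetical).
FIXED_CONF = """\
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
acl broken_sites dst 54.160.0.0/12
http_access deny CONNECT !SSL_ports
http_access allow broken_sites
http_access allow localnet
http_access deny all
acl p3129 myportname bumpport
ssl_bump bump p3129
http_port 192.168.1.253:3128 intercept name=plainport
https_port 192.168.1.253:3129 intercept ssl-bump name=bumpport cert=/path/to/ca.crt
logformat mycommon %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
"""

Line = Tuple[int, List[str]]
AclTable = Dict[str, List[Tuple[str, List[str]]]]


def parse(conf: str) -> List[Line]:
    """Split a squid.conf into (line_no, tokens), dropping comments and blank lines."""
    out: List[Line] = []
    for n, raw in enumerate(conf.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if text:
            out.append((n, text.split()))
    return out


def port_names(lines: List[Line]) -> Set[str]:
    """Listening port names: explicit name=..., otherwise the host:port string."""
    names: Set[str] = set()
    for _, tok in lines:
        if tok[0] in ("http_port", "https_port") and len(tok) > 1:
            explicit = [t[len("name="):] for t in tok[2:] if t.startswith("name=")]
            names.add(explicit[0] if explicit else tok[1])
    return names


def matches_everything(acl: str, acls: AclTable) -> bool:
    """True for the built-in 'all' or any user ACL defined as 'src all' / 'dst all'."""
    if acl == "all":
        return True
    return any(kind in ("src", "dst") and args == ["all"] for kind, args in acls.get(acl, []))


def lint(conf: str) -> List[str]:
    """Return one finding per problem, each prefixed with its config line number."""
    lines = parse(conf)
    acls: AclTable = {}
    for _, tok in lines:  # ACLs may be defined anywhere, so collect them first
        if tok[0] == "acl" and len(tok) >= 3:
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
    names = port_names(lines)
    findings: List[str] = []
    blocker = None  # line number of the first http_access rule that matches everything
    for n, tok in lines:
        if tok[0] == "acl" and len(tok) >= 3:
            name, kind, args = tok[1], tok[2], tok[3:]
            if kind in ("src", "dst") and args == ["all"]:
                findings.append(f"{n}: acl {name}: '{kind} all' forces DNS lookups; use the built-in 'all' ACL")
            if kind == "method" and args == ["CONNECT"] and name != "CONNECT":
                findings.append(f"{n}: acl {name} duplicates the default CONNECT ACL (and CONNECT is not necessarily TLS)")
            if kind == "myportname" and not set(args) & names:
                findings.append(f"{n}: acl {name}: myportname {args} matches no listening port {sorted(names)}")
        elif tok[0] == "http_access":
            if blocker is not None:
                findings.append(f"{n}: http_access rule is unreachable after the match-all rule on line {blocker}")
            elif len(tok) == 3 and matches_everything(tok[2], acls):
                blocker = n
        elif tok[0] == "logformat" and len(tok) >= 2 and tok[1] in BUILTIN_LOGFORMATS:
            findings.append(f"{n}: logformat redefines built-in format '{tok[1]}'; use a different name")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
    print("fixed config:", lint(FIXED_CONF) or "no findings")
```

Run against the sample it reports the five classes of problem from the reply (the two rules after `deny all_others` are each flagged as unreachable) and reports nothing for the corrected config, where the ports carry explicit `name=` values and the `myportname` ACL refers to one of them.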