Scenario: I want to block certain HTTPS websites using SSL Bump, without installing any SSL certificate on the clients' end, as I will be distributing this same network to mobile devices, so I don't want to keep installing the certificate on each mobile device (Android / iOS / Windows phones etc.).

*I have installed Squid 3.5.13 and we have a broadband connection with a speed of 50 Mb/sec. I have gone through lots of documents where I found that we can block HTTPS traffic without installing a certificate by enabling the Peek & Splice feature.*

------------------- Below is the configuration file of Squid ---------------------------------------

# -------------------------------------
# Access Control Lists
# -------------------------------------
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 8443 # Telecom exclusion
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Common methods
acl CONNECT method CONNECT
acl PURGE method PURGE
acl GET method GET
# Windows update acls
acl windowsupdate dstdomain sls.update.microsoft.com.akadns.net
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
# Windows update methods
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
# SSL bump acl
acl net_bump src "/etc/squid/net.bump"
# TLD acl
acl block_tld dstdomain "/etc/squid/dstdom.tld"

# -------------------------------------
# Access parameters
# -------------------------------------
# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# Allow purge from localhost
http_access allow PURGE localhost
http_access deny PURGE
# Normalize Accept-Encoding to support compression via eCAP
request_header_access Accept-Encoding deny all
request_header_replace Accept-Encoding gzip;q=1.0, identity;q=0.5, *;q=0
# Disable alternate protocols
request_header_access Alternate-Protocol deny all
reply_header_access Alternate-Protocol deny all
# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
# Remove User-Agent from Vary
reply_header_access Vary deny all
reply_header_replace Vary Accept-Encoding
# Workaround 4253
request_header_access Surrogate-Capability deny all
# Block top level domains
http_access deny block_tld
deny_info TCP_RESET block_tld
# Rule allowing access from local networks
http_access allow localnet
http_access allow localhost
# ICP/HTCP access
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
# 302 loop
acl text_mime rep_mime_type text/html text/plain
acl http302 http_status 302
store_miss deny text_mime http302
send_hit deny text_mime http302
# Windows updates rules
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
# ICQ/MRA must splice first
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump bump net_bump
#ssl_bump terminate deny_https_sites
#ssl_bump peek all
acl tls_s3_server_hello at_step SslBump3
# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all # peek at the incoming TLS/SSL connect data
ssl_bump splice all # splice the stream: pass-through mode
# And finally deny all other access to this proxy
http_access deny all

# -------------------------------------
# HTTP parameters
# -------------------------------------
# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
cache_peer_access 127.0.0.1 deny all
# Don't cache 404 long time
negative_ttl 5 minutes
positive_dns_ttl 15 hours
negative_dns_ttl 1 minutes

# -------------------------------------
# Cache parameters
# -------------------------------------
# dhparams is before squid-3.5.12-20151222-r13967
# tls-dh is AFTER squid-3.5.12-20151222-r13967
#http_port 3126 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key options=NO_SSLv3 tls-dh=/etc/squid/dhparam.pem
http_port 3127
http_port 3128 intercept
# dhparams is before squid-3.5.12-20151222-r13967
# tls-dh is AFTER squid-3.5.12-20151222-r13967
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key options=NO_SSLv3 tls-dh=/etc/squid/dhparam.pem
sslproxy_capath /etc/ssl/certs
# SINGLE_DH_USE is 3.5 before squid-3.5.12-20151222-r13967
#sslproxy_options NO_SSLv3,SINGLE_DH_USE
# SINGLE_ECDH_USE is AFTER squid-3.5.12-20151222-r13967
sslproxy_options NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Specify ICP/HTCP explicitly
icp_port 3130
htcp_port 4827
# Cache manager
cache_mgr mym...@gmail.com
# Forces reload-into-ims
reload_into_ims on
# Hide internal networks details outside
via off
forwarded_for delete
# Do not show Squid version
httpd_suppress_version_string on
# Prioritization of local hits
qos_flows tos local-hit=0x68
# Specify local DNS cache
dns_nameservers 8.8.8.8
dns_v4_first on
ipcache_size 4096

# -------------------------------------
# Memory parameters
# -------------------------------------
cache_mem 512 Mb
#memory_pools off
maximum_object_size_in_memory 1 MB

# -------------------------------------
# Tuning parameters
# -------------------------------------
memory_replacement_policy heap LRU
cache_replacement_policy heap LFUDA
store_avg_object_size 85 KB
# Default is 20
store_objects_per_bucket 32
# Shutdown delay before terminate connections
shutdown_lifetime 15 second
# SMP
#workers 2

# -------------------------------------
# Store parameters
# -------------------------------------
maximum_object_size 8 Gb
cache_dir aufs /usr/local/cache 250000 16 256

# -------------------------------------
# Process/log parameters
# -------------------------------------
#logformat my_squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#access_log daemon:/data/cache/log/access.log buffer-size=256KB
access_log daemon:/var/log/squid/access.log buffer-size=256KB
# Don't log ICP queries
log_icp_queries off
# Turn off internal log rotation
logfile_rotate 0
cache_log /var/log/squid/cache.log
#cache_log /data/cache/log/cache${process_number}.log
cache_store_log none
# Default is off
buffered_logs on
coredump_dir /var/core
pid_filename /tmp/squid.pid
strip_query_terms off

# -------------------------------------
# Content parameters
# -------------------------------------
#range_offset_limit none store_rewrite_list
#range_offset_limit none store_rewrite_list_web
#range_offset_limit none store_rewrite_list_web_cdn
#range_offset_limit none adobe_java_updates
#range_offset_limit none windowsupdate
range_offset_limit none all
# Updates: Windows, Adobe, Java
refresh_pattern -i microsoft.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i my.windowsupdate.website.com.*\.(cab|exe|ms[i|u|f|p]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i adobe.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i java.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i sun.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i google\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
refresh_pattern -i macromedia\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
# Other setups and updates
refresh_pattern -i \.(zip|(g|b)z2?|exe|msi|cvd)$ 4320 80% 43200 reload-into-ims
# Cache squidinternal
refresh_pattern -i video-srv\.youtube\.squidinternal 0 0% 0
refresh_pattern -i squidinternal 14400 100% 518400 override-expire override-lastmod refresh-ims reload-into-ims ignore-private ignore-auth ignore-must-revalidate store-stale ignore-no-store
# Keep swf in cache
refresh_pattern -i \.swf$ 10080 100% 43200 override-expire reload-into-ims ignore-private
# .NET cache
refresh_pattern -i \.((a|m)s(h|p)x?)$ 10080 100% 43200 reload-into-ims ignore-private
# Other long-lived items
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))(\?.*)?$ 14400 100% 518400 override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
refresh_pattern -i \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$ 10080 100% 86400 override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
# Default patterns
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320 reload-into-ims

------------------------- Squid Configuration End ----------------------------------------------

When we give the network connection directly through the router the Internet works fine, but when we pass the network through Squid the Internet works very slowly.

---------------- IPTables ---------------------

Chain PREROUTING (policy ACCEPT 25461 packets, 3444K bytes)
 pkts bytes target     prot opt in     out     source               destination
  996 55869 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
 3597  211K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3129
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129

Chain INPUT (policy ACCEPT 11351 packets, 1166K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2490 packets, 154K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2490 packets, 154K bytes)
 pkts bytes target     prot opt in     out     source               destination
10029 1452K MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

---------------------------------------------------------------------------------------------------------------------------------

Access Logs:

1463478680.312  33025 192.168.0.66 TCP_TUNNEL/200 3865 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463478680.317  27194 192.168.0.66 TCP_TUNNEL/200 641 CONNECT 216.58.220.4:443 - ORIGINAL_DST/216.58.220.4 -
1463478680.318  27195 192.168.0.66 TCP_TUNNEL/200 872 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463478680.323  27096 192.168.0.66 TCP_TUNNEL/200 823 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463478680.376  27266 192.168.0.66 TCP_TUNNEL/200 1912 CONNECT 74.125.200.189:443 - ORIGINAL_DST/74.125.200.189 -
1463478680.528   5110 192.168.0.66 TCP_TUNNEL/200 17448 CONNECT 125.99.55.72:443 - ORIGINAL_DST/125.99.55.72 -
1463478680.528   4772 192.168.0.66 TCP_TUNNEL/200 1358 CONNECT 95.101.34.18:443 - ORIGINAL_DST/95.101.34.18 -
1463478680.528   3707 192.168.0.66 TCP_TUNNEL/200 1172 CONNECT 31.13.79.246:443 - ORIGINAL_DST/31.13.79.246 -
1463478680.528   5178 192.168.0.66 TCP_TUNNEL/200 44054 CONNECT 184.86.250.32:443 - ORIGINAL_DST/184.86.250.32 -
1463478680.528  29346 192.168.0.66 TCP_TUNNEL/200 439 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463478680.556   9869 192.168.0.66 TCP_TUNNEL/200 58963 CONNECT 216.58.220.3:443 - ORIGINAL_DST/216.58.220.3 -
1463478680.556  31783 192.168.0.66 TCP_TUNNEL/200 1073 CONNECT 216.58.220.4:443 - ORIGINAL_DST/216.58.220.4 -
1463478680.584   6543 192.168.0.66 TCP_TUNNEL/200 193204 CONNECT 31.13.79.220:443 - ORIGINAL_DST/31.13.79.220 -
1463478680.702    223 192.168.0.66 TCP_TUNNEL/200 206 CONNECT 31.13.79.220:443 - ORIGINAL_DST/31.13.79.220 -
1463478681.710   1216 192.168.0.66 TCP_TUNNEL/200 587 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463478681.775   1369 192.168.0.66 TCP_TUNNEL/200 587 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463478685.128     37 192.168.0.66 TCP_TUNNEL/200 267 CONNECT 125.99.55.75:443 - ORIGINAL_DST/125.99.55.75 -
1463478686.862     40 192.168.0.66 TCP_REFRESH_MODIFIED/200 539 GET http://kerastasesalonlocator.com/ - ORIGINAL_DST/103.21.58.154 text/html
1463478686.880      5 192.168.0.66 TCP_MISS_ABORTED/000 0 GET http://kerastasesalonlocator.com/cgi-sys/defaultwebpage.cgi - ORIGINAL_DST/103.21.58.154 -

-----------------------------------------------------------------------------------------------------------------------------------------

We have installed Squid on Ubuntu Server 14.04.
RAM: 32 GB
HDD: 1 TB

*Also, I am not getting the full URL for HTTPS traffic in the access logs.*

We have tried to implement a local caching DNS server, but it still didn't work, so then we have given the Google Public DNS.

Could you please let us know where we are making a mistake?

Regards
Sagar Malve
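Added example, not part of Sagar's message and not code from the Squid project: a small Python script that parses the Squid 3.5 native access.log format shown above and reports, for each CONNECT entry, whether the logged destination is a bare IP address or a hostname. Under peek-and-splice, Squid can only log a hostname for a spliced tunnel once it has peeked at the client's TLS ClientHello and read the SNI; a tunnel logged as ip:443 with ORIGINAL_DST was spliced before any server name was known, so no name-based ssl_bump rule could have matched it. The log lines embedded in the script are constructed for this example, modelled on the entries in the post; the www.example.com entry and the 10-second "long-lived" threshold are assumptions.

```python
"""Classify HTTPS tunnels in a Squid native-format access.log.

Added example (not from the post or the Squid project). Field order of the
native format: timestamp, elapsed ms, client IP, code/status, bytes, method,
URL, user, hierarchy/peer, MIME type.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample, modelled on the post's log lines. The third line is an
# assumed example of what a tunnel looks like once the SNI was peeked.
SAMPLE_LOG = """\
1463478680.312  33025 192.168.0.66 TCP_TUNNEL/200 3865 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463478680.528   5110 192.168.0.66 TCP_TUNNEL/200 17448 CONNECT 125.99.55.72:443 - ORIGINAL_DST/125.99.55.72 -
1463478690.001    412 192.168.0.66 TCP_TUNNEL/200 9123 CONNECT www.example.com:443 - ORIGINAL_DST/93.184.216.34 -
1463478686.862     40 192.168.0.66 TCP_REFRESH_MODIFIED/200 539 GET http://kerastasesalonlocator.com/ - ORIGINAL_DST/103.21.58.154 text/html
"""

# Tunnels are logged when they close, so "elapsed" is the tunnel lifetime.
# Only treat a long lifetime as suspicious alongside a small byte count.
LONG_LIVED_MS = 10_000  # assumed threshold for this example


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def tunnel_destination_kind(url):
    """For a CONNECT target 'host:port', return 'ip' if host is a literal address, else 'sni'."""
    host, _, _port = url.rpartition(":")
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "sni"


def summarize(log_text):
    """Count CONNECT tunnels by destination kind and list long-lived, low-volume tunnels."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    kinds = Counter()
    long_lived = []
    for r in records:
        if r["method"] != "CONNECT":
            continue
        kinds[tunnel_destination_kind(r["url"])] += 1
        if r["elapsed"] > LONG_LIVED_MS and r["bytes"] < 8192:
            long_lived.append(r["url"])
    return {
        "records": len(records),
        "connect_ip": kinds["ip"],    # spliced before SNI was read
        "connect_sni": kinds["sni"],  # peeked, then spliced: name is available to ACLs
        "long_lived_tunnels": long_lived,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a result where every CONNECT lands in connect_ip means the ssl_bump rules are splicing at step 1, before the SNI is available, which is also why the access log shows only IP addresses for HTTPS traffic.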
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users