X-Mail-List: ufdbGuard

Hi everyone,
I run squid+ufdbguard with freely available blacklists in my home to filter out pages on all devices (I don't want my kids to see 18+ ads, it's happened before). In my environment, only the squid (v 3.5.21) user on the proxy can reach out on the internet on ports 80 and 443 (http and https).

Recently, I've begun noticing these things in my logs:

2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/31.13.71.1 port 443: Connection timed out
2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/2a03:2880:f012:1:face:b00c:0:1 port 443: Network is unreachable
2016-11-15 15:28:59 [27636] HTTPS protocol verification for graph.facebook.com:443 FAILED: cannot open communication socket
[..]
2016-11-15 15:29:55 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.250 port 443: Connection timed out
2016-11-15 15:30:00 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.79 port 443: Connection timed out
2016-11-15 15:30:05 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.97 port 443: Connection timed out
2016-11-15 15:30:10 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.249 port 443: Connection timed out
2016-11-15 15:30:10 [27636] HTTPS protocol verification for gs-loc.apple.com:443 FAILED: cannot open communication socket

I traced these back to the ufdb user attempting to verify certificates by reaching out on the internet directly (port 443). Is it possible to disable that feature and let the endpoint verify the certificate separately? I don't have anything related to certificates in ufdbguard.conf, so I am a bit lost as to why it's attempting to do certificate verification.

I'm using ufdbGuard-1.32.3 on el6 and there's nothing in the conf file I am using:

# grep -i cert /etc/ufdbguard/ufdbGuard.conf
#

And here are the settings (as reported in the log file after startup):

logpass on
logblock on
logall on
upload-crash-reports on
lookup-reverse-ip off
use-ipv6-on-wan on
num-worker-threads 68
squid-version "3.5"
squid-uses-active-bumping off
redirect-https "blockedhttps.urlfilterdb.com:443"   # NO bumping (may splice)
redirect-bumped-https "https://blockedhttps.urlfilterdb.com/cgi-bin/URLblocked.cgi?clientgroup=%s&category=%t&url=%u"   # active bumping
youtube-edufilter off
youtube-edufilter-id "ABCD1234567890abcdef"
ufdb-debug-filter off
ufdb-expression-optimisation on
ufdb-expression-debug off
ufdb-debug-external-scripts off
ufdb-debug-skype-probes off
ufdb-debug-gtalk-probes off
ufdb-debug-yahoomsg-probes off
ufdb-debug-aim-probes off
ufdb-debug-fb-chat-probes off
ufdb-debug-citrixonline-probes off
refreshuserlist 15
refreshdomainlist 15
max-logfile-size 200000000
analyse-uncategorised-urls off   # this is NOT recommended
log-uncategorised-urls off
check-proxy-tunnels log-only
safe-search on
# no http-server defined
url-lookup-delay-during-database-reload off
url-lookup-result-during-database-reload deny
redirect-loading-database "http://cgibin.urlfilterdb.com/cgi-bin/URLblocked.cgi?category=loading-database"
url-lookup-result-when-fatal-error deny

Any ideas?

Thanks for reading,
Vincent
