X-Mail-List: ufdbGuard

Thank you Marcus,
That option didn't do what I thought, even after checking the documentation.
Kind regards,

Vincent

On Tue, 15 Nov 2016, Marcus Kool wrote:

> Hi Vincent,
>
> Just set
>    check-proxy-tunnels off
> to disable ufdbGuard probing of HTTPS connections.
>
> Best regards,
>
> Marcus
>
>
> Quoting [email protected]:
>
>> Hi everyone,
>>
>> I run squid+ufdbguard with freely available blacklists in my home to
>> filter out pages on all devices (I don't want my kids to see 18+ ads, it's
>> happened before).
>>
>> In my environment, only the squid (v 3.5.21) user on the proxy can reach
>> out on the internet on ports 80 and 443 (http and https).
>>
>> Recently, I've begun noticing these things in my logs:
>>
>> 2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/31.13.71.1  port 443: Connection timed out
>> 2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/2a03:2880:f012:1:face:b00c:0:1  port 443: Network is unreachable
>> 2016-11-15 15:28:59 [27636] HTTPS protocol verification for graph.facebook.com:443 FAILED: cannot open communication socket
>> [..]
>> 2016-11-15 15:29:55 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.250  port 443: Connection timed out
>> 2016-11-15 15:30:00 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.79  port 443: Connection timed out
>> 2016-11-15 15:30:05 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.97  port 443: Connection timed out
>> 2016-11-15 15:30:10 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.249  port 443: Connection timed out
>> 2016-11-15 15:30:10 [27636] HTTPS protocol verification for gs-loc.apple.com:443 FAILED: cannot open communication socket
>>
>> I traced these back to the ufdb user attempting to verify certificates by
>> reaching out on the internet directly (port 443).
>>
>> Is it possible to disable that feature and let the endpoint verify the
>> certificate separately? I don't have anything related to certificates in
>> ufdbguard.conf so I am a bit lost as to wonder why it's attempting to do
>> certificate verification.
>>
>> I'm using ufdbGuard-1.32.3 on el6 and there's nothing in the conf file I
>> am using:
>>
>> # grep -i cert /etc/ufdbguard/ufdbGuard.conf
>> #
>>
>> And here are the settings (as reported in the log file after startup):
>>   logpass on
>>   logblock on
>>   logall on
>>   upload-crash-reports on
>>   lookup-reverse-ip off
>>   use-ipv6-on-wan on
>>   num-worker-threads 68
>>   squid-version "3.5"
>>   squid-uses-active-bumping off
>>   redirect-https "blockedhttps.urlfilterdb.com:443"  # NO bumping (may splice)
>>   redirect-bumped-https "https://blockedhttps.urlfilterdb.com/cgi-bin/URLblocked.cgi?clientgroup=%s&category=%t&url=%u"; # active bumping
>>   youtube-edufilter off
>>   youtube-edufilter-id "ABCD1234567890abcdef"
>>   ufdb-debug-filter off
>>   ufdb-expression-optimisation on
>>   ufdb-expression-debug off
>>   ufdb-debug-external-scripts off
>>   ufdb-debug-skype-probes off
>>   ufdb-debug-gtalk-probes off
>>   ufdb-debug-yahoomsg-probes off
>>   ufdb-debug-aim-probes off
>>   ufdb-debug-fb-chat-probes off
>>   ufdb-debug-citrixonline-probes off
>>   refreshuserlist 15
>>   refreshdomainlist 15
>>   max-logfile-size 200000000
>>   analyse-uncategorised-urls off     # this is NOT recommended
>>   log-uncategorised-urls off
>>   check-proxy-tunnels log-only
>>   safe-search on
>>   # no http-server defined
>>   url-lookup-delay-during-database-reload off
>>   url-lookup-result-during-database-reload deny
>>   redirect-loading-database "http://cgibin.urlfilterdb.com/cgi-bin/URLblocked.cgi?category=loading-database";
>>   url-lookup-result-when-fatal-error deny
>>
>> Any ideas?
>>
>> Thanks for reading,
>>
>> Vincent
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> ufdbGuard-support mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/ufdbguard-support
>
>

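An added example, not part of the original thread or of ufdbGuard itself: a small Python script that reads the reported `check-proxy-tunnels` value and groups the failed HTTPS probes by target host, so you can confirm the probe errors stop after the setting is changed to `off`. The function names are hypothetical, and it assumes log lines are unwrapped and that the settings line appears as quoted in the post.

```python
import re

# Sample lines taken from the log excerpt in the thread, with the e-mail
# line wrapping undone; the settings line is from the same post.
SAMPLE_LOG = """\
  check-proxy-tunnels log-only
2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/31.13.71.1  port 443: Connection timed out
2016-11-15 15:28:59 [27636] ERROR: cannot connect to graph.facebook.com/2a03:2880:f012:1:face:b00c:0:1  port 443: Network is unreachable
2016-11-15 15:28:59 [27636] HTTPS protocol verification for graph.facebook.com:443 FAILED: cannot open communication socket
2016-11-15 15:29:55 [27636] ERROR: cannot connect to gs-loc.apple.com/17.134.127.250  port 443: Connection timed out
2016-11-15 15:30:10 [27636] HTTPS protocol verification for gs-loc.apple.com:443 FAILED: cannot open communication socket
"""

PREFIX = r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \[\d+\] "
CONNECT = re.compile(PREFIX + r"ERROR: cannot connect to (?P<host>[^/\s]+)/(?P<addr>\S+)\s+port (?P<port>\d+): (?P<reason>.+)$")
VERIFY = re.compile(PREFIX + r"HTTPS protocol verification for (?P<host>[^:\s]+):(?P<port>\d+) FAILED: (?P<reason>.+)$")
SETTING = re.compile(r"^\s*check-proxy-tunnels\s+(?P<value>\S+)")


def probe_setting(lines):
    """Return the last check-proxy-tunnels value seen in the log, or None."""
    value = None
    for line in lines:
        m = SETTING.match(line)
        if m:
            value = m.group("value")
    return value


def summarize_probe_failures(lines):
    """Group failed outbound probes by target host, in order of first appearance."""
    hosts = {}
    for line in lines:
        m = CONNECT.match(line.rstrip()) or VERIFY.match(line.rstrip())
        if not m:
            continue
        entry = hosts.setdefault(m.group("host"), {"attempts": [], "verification_failed": False})
        if "addr" in m.groupdict():  # a single connect attempt to one resolved address
            entry["attempts"].append((m.group("addr"), m.group("reason")))
        else:  # the final verdict after every address failed
            entry["verification_failed"] = True
    return hosts


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print("check-proxy-tunnels:", probe_setting(log))
    print(summarize_probe_failures(log))
```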