Re: [squid-users] error: #error .... is not 32-bit or 64-bit
On Mon, 2014-09-01 at 18:51 +0530, Santosh Bhabal wrote:
> Yes :)
>
> Regards
> Santosh
>
> On Mon, Sep 1, 2014 at 6:50 PM, Antony Stone wrote:
>
> > On Monday 01 September 2014 at 15:17:58 (EU time), Santosh Bhabal wrote:
> >
> > > Yes, './configure --prefix=/usr/local/squid' command successfully
> > > completed. Facing issue with 'make all' command.
> >
> > Have you successfully compiled other software on this machine?
> >
> > Antony
> >
> > --
> > If you were ploughing a field, which would you rather use - two strong oxen
> > or 1024 chickens?
> >
> > - Seymour Cray, pioneer of supercomputing
> >
> > Please reply to the list;
> > please *don't* CC me.

Do a:

file `which squid`
ldd `which squid`
ls -l --full `which squid`

Just to see what we're looking at here...

James
Re: [squid-users] Host header forgery policy
On Mon, 2014-07-14 at 19:23 +0100, Edwin Marqe wrote:
> Hi Eliezer,
>
> I understand that, but this is pretty much the point of my e-mail. In
> my company we don't work with servers installed physically here;
> instead, we rent servers from a company. We use 2 nameservers for our
> clients, and the IT company uses others and additionally they don't
> allow us to change them and they're restricted to their net... So I don't
> know what else I can do.
>
> We don't have a specific configuration for the google.com DNS entry,
> so I don't really know why Squid says it's pointing to a local
> address. The address appearing in the log is the local address of the
> client making the request. There's no other redirection nor complex
> iptables rules for this. Any idea?
>
> Thanks

Per docs: http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

James
Re: [squid-users] transparent https interception without mitm
> > Alex.
>
> Ok last question...who do I get compile bugs to:
>
> make[3]: Entering directory `/home/jlay/peek-splice/peek-and-splice/src/acl'
> /bin/bash ../../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -march=native -MT AtBumpStep.lo -MD -MP -MF .deps/AtBumpStep.Tpo -c -o AtBumpStep.lo AtBumpStep.cc
> libtool: compile: g++ -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib -I../../src -I../../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -g -O2 -march=native -MT AtBumpStep.lo -MD -MP -MF .deps/AtBumpStep.Tpo -c AtBumpStep.cc -fPIC -DPIC -o .libs/AtBumpStep.o
> In file included from ../../src/ssl/support.h:37:0,
>                  from ../../src/acl/AtBumpStep.h:5,
>                  from AtBumpStep.cc:3:
> ../../src/ssl/gadgets.h:92:1: error: variable or field 'TXT_DB_free_cpp' declared void
> ../../src/ssl/gadgets.h:92:1: error: 'TXT_DB' was not declared in this scope
> ../../src/ssl/gadgets.h:92:1: error: 'a' was not declared in this scope
> ../../src/ssl/gadgets.h:93:21: error: 'TXT_DB' was not declared in this scope
> ../../src/ssl/gadgets.h:93:29: error: 'TXT_DB_free_cpp' was not declared in this scope
> ../../src/ssl/gadgets.h:93:44: error: template argument 1 is invalid
> ../../src/ssl/gadgets.h:93:44: error: template argument 2 is invalid
> ../../src/ssl/gadgets.h:93:60: error: invalid type in declaration before ';' token
> AtBumpStep.cc: In member function 'virtual int ACLAtStepStrategy::match(ACLData*&, ACLFilledChecklist*, ACLFlags&)':
> AtBumpStep.cc:13:65: error: 'class ConnStateData' has no member named 'serverBump'
> make[3]: *** [AtBumpStep.lo] Error 1
> make[3]: Leaving directory `/home/jlay/peek-splice/peek-and-splice/src/acl'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/jlay/peek-splice/peek-and-splice/src'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/home/jlay/peek-splice/peek-and-splice/src'
> make: *** [all-recursive] Error 1
>
> Thanks again.
>
> James
Re: [squid-users] transparent https interception without mitm
On 2014-07-11 15:05, Alex Rousskov wrote:
> On 07/11/2014 10:18 AM, James Lay wrote:
> > On 2014-07-11 10:14, Alex Rousskov wrote:
> > > On 07/11/2014 05:43 AM, James Harper wrote:
> > > > Is it possible for squid to intercept and apply acl's to https without
> > > > actually decrypting and generating certificates etc? The conversation
> > > > would go something like:
> > > >
> > > > . Client makes connection to IP 1.2.3.4
> > > > . Squid intercepts the connection (but doesn't respond yet)
> > > > . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
> > > >   identifier) of the certificate [1]
> > > > . Squid applies ACL rules to the hostname [2]
> > > > . If the ACL results in a deny then the client connection is dropped [3]
> > > > . If the ACL results in an allow then a new connection is made to
> > > >   1.2.3.4 and squid just blindly proxies the TCP connection
> > > >
> > > > [1] I believe certificates can be valid for multiple hostnames, and
> > > > wildcards, so this would have to be taken into account
> > > > [2] stream is encrypted, so obviously no access to URL etc
> > > > [3] dropped, because there isn't much else you can do with it, although
> > > > maybe at this point a fake cert could be used to supply an "access
> > > > denied" page?
> > >
> > > I believe the above is one of the use cases that the SSL Peek and Splice
> > > project aims to address. Look for step2 "peek" and "terminate" actions
> > > specifically:
> > > http://wiki.squid-cache.org/Features/SslPeekAndSplice
> > >
> > > IIRC, both of those actions are supported in the experimental project
> > > branch, but we have not polished the changes for the official submission
> > > yet.
> > > https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
> > >
> > > HTH,
> > > Alex.
> >
> > I'd like this as well...how do we get the branch? Thanks.
>
> See the URL above. You will need a bzr client to check the code out and a
> development environment to bootstrap the sources and build Squid.
>
> Please note that this unofficial trunk-based feature branch is not
> supported by the Squid Project.
>
> Thank you,
> Alex.

Thanks Alex...I'll give it a go.

James
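The step-2 decision James Harper sketches in the thread above (peek at the server certificate, compare its names against an ACL, then splice or terminate), written out as an added Python example; this is not Squid's peek-and-splice code, and the certificate name lists and the allow list are constructed for the example from the domains used elsewhere in this archive. It carries footnote [1] through: a wildcard name is treated as standing for every host it could cover, so a strict policy splices only when every name on the certificate lies inside the allow list.

```python
from typing import Iterable, List, Optional

# Constructed allow list in dstdomain style, using the domains James's own
# broken_sites ACL lists elsewhere in this archive.
ALLOW = [".apple.com", ".akamaihd.net", ".akamaiedge.net", ".textnow.me"]

# Constructed name lists (CN first, then subjectAltName DNS entries) standing
# in for what a peek at the server certificate would return.
APPLE_CERT = ["*.apple.com", "apple.com"]
SHARED_CDN_CERT = ["a248.e.akamai.net", "*.akamaihd.net", "some-tenant.example"]


def domain_matches(name: str, pattern: str) -> bool:
    """dstdomain semantics: '.example.com' matches that domain and every
    subdomain; 'example.com' matches only that exact host."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def wildcard_base(name: str) -> Optional[str]:
    """'*.apple.com' -> 'apple.com'. Only a '*' that is the whole leftmost
    label of a name with at least two more labels counts as a wildcard
    (RFC 6125 style); anything else is treated as a literal name."""
    labels = name.split(".")
    if len(labels) >= 3 and labels[0] == "*":
        return ".".join(labels[1:])
    return None


def cert_name_within(name: str, pattern: str) -> bool:
    """Is every host this certificate name can stand for inside the pattern?
    A wildcard covers any single label under its base, so the base itself
    must lie inside a subdomain-style pattern; an exact pattern never
    contains a wildcard (footnote [1] in the thread)."""
    base = wildcard_base(name)
    if base is None:
        return domain_matches(name, pattern)
    return pattern.startswith(".") and domain_matches(base, pattern)


def step2_action(cert_names: Iterable[str], allow: List[str], strict: bool = True) -> str:
    """Return 'splice' or 'terminate' for the peeked certificate.
    strict=True: every name on the certificate must lie inside the allow list,
    so a shared CDN certificate that also names hosts outside the policy is
    terminated. strict=False: one allowed name is enough, which also lets
    through every other host sharing that certificate."""
    names = list(dict.fromkeys(n.strip() for n in cert_names if n.strip()))
    if not names:
        return "terminate"
    inside = [any(cert_name_within(n, p) for p in allow) for n in names]
    return "splice" if (all(inside) if strict else any(inside)) else "terminate"


if __name__ == "__main__":
    for label, names in (("apple", APPLE_CERT), ("shared cdn", SHARED_CDN_CERT)):
        print(label, "strict:", step2_action(names, ALLOW),
              "lenient:", step2_action(names, ALLOW, strict=False))
```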
Re: [squid-users] transparent https interception without mitm
On 2014-07-11 10:14, Alex Rousskov wrote:
> On 07/11/2014 05:43 AM, James Harper wrote:
> > Is it possible for squid to intercept and apply acl's to https without
> > actually decrypting and generating certificates etc? The conversation
> > would go something like:
> >
> > . Client makes connection to IP 1.2.3.4
> > . Squid intercepts the connection (but doesn't respond yet)
> > . Squid connects to 1.2.3.4 to obtain the hostname (CN or other
> >   identifier) of the certificate [1]
> > . Squid applies ACL rules to the hostname [2]
> > . If the ACL results in a deny then the client connection is dropped [3]
> > . If the ACL results in an allow then a new connection is made to
> >   1.2.3.4 and squid just blindly proxies the TCP connection
> >
> > [1] I believe certificates can be valid for multiple hostnames, and
> > wildcards, so this would have to be taken into account
> > [2] stream is encrypted, so obviously no access to URL etc
> > [3] dropped, because there isn't much else you can do with it, although
> > maybe at this point a fake cert could be used to supply an "access
> > denied" page?
>
> I believe the above is one of the use cases that the SSL Peek and Splice
> project aims to address. Look for step2 "peek" and "terminate" actions
> specifically:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> IIRC, both of those actions are supported in the experimental project
> branch, but we have not polished the changes for the official submission
> yet.
> https://code.launchpad.net/~measurement-factory/squid/peek-and-splice
>
> HTH,
> Alex.

I'd like this as well...how do we get the branch? Thanks.

James
Re: [squid-users] SSL bump working on most site...cert pinning issue?
On 2014-06-30 20:21, James Lay wrote:
> On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
> > Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another
> > popular one that use pinning.
> >
> > As far as your broken_sites ACL goes, you can't use `dstdomain` because
> > the only thing Squid can see of the destination before bumping an
> > intercepted connection is the IP address. So for `ssl_bump none` you'll
> > need to use `dst` ACLs instead.
> >
> > ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst
> > equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
> >
> > Good luck
> >
> > On 30 Jun 2014, at 10:38 pm, James Lay wrote:
> >
> > > Topic pretty much says it...most sites work fine using my below set up,
> > > but some (Apple's app store) do not. I'm wondering if cert pinning is
> > > the issue? Since this set up is basically two separate sessions, I
> > > packet captured both. The side that I have control over gives me a TLS
> > > Record Layer Alert Close Notify. I am unable to decrypt the other side
> > > as the device in question is an iDevice and I can't capture the master
> > > secret.
> > >
> > > I've even tried to ACL certain sites to not bump, but they don't go
> > > through. Below is my complete setup. This is running the below:
> > >
> > > Squid Cache: Version 3.4.6
> > > configure options: '--prefix=/opt' '--enable-icap-client'
> > > '--enable-ssl' '--enable-linux-netfilter'
> > > '--enable-follow-x-forwarded-for' '--with-large-files'
> > > '--sysconfdir=/opt/etc/squid'
> > >
> > > Any assistance with troubleshooting would be wonderful...thank you.
> > >
> > > James
> > >
> > > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 443 -j REDIRECT --to-port 3129
> > >
> > > acl localnet src 192.168.1.0/24
> > >
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80          # http
> > > acl Safe_ports port 21          # ftp
> > > acl Safe_ports port 443         # https
> > > acl Safe_ports port 70          # gopher
> > > acl Safe_ports port 210         # wais
> > > acl Safe_ports port 1025-65535  # unregistered ports
> > > acl Safe_ports port 280         # http-mgmt
> > > acl Safe_ports port 488         # gss-http
> > > acl Safe_ports port 591         # filemaker
> > > acl Safe_ports port 777         # multiling http
> > >
> > > acl CONNECT method CONNECT
> > > acl broken_sites dstdomain textnow.me
> > > acl broken_sites dstdomain akamaiedge.net
> > > acl broken_sites dstdomain akamaihd.net
> > > acl broken_sites dstdomain apple.com
> > > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> > > acl all_others dst all
> > > acl SSL method CONNECT
> > >
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > >
> > > http_access allow manager localhost
> > > http_access deny manager
> > >
> > > http_access allow allowed_sites
> > > http_access deny all_others
> > > http_access allow localnet
> > > http_access allow localhost
> > >
> > > http_access deny all
> > > icp_access deny all
> > >
> > > sslproxy_cert_error allow broken_sites
> > > sslproxy_cert_error deny all
> > >
> > > sslproxy_options ALL
> > > ssl_bump none broken_sites
> > > ssl_bump server-first all
> > >
> > > http_port 192.168.1.253:3128 intercept
> > > https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
> > >
> > > always_direct allow all
> > >
> > > hierarchy_stoplist cgi-bin ?
> > >
> > > access_log syslog:daemon.info common
> > >
> > > refresh_pattern ^ftp:           1440    20%     10080
> > > refresh_pattern ^gopher:        1440    0%      1440
> > > refresh_pattern -i (cgi-bin|\?) 0       0%      0
> > > refresh_pattern .               0       20%     4320
> > >
> > > icp_port 3130
> > >
> > > coredump_dir /opt/var
>
> So adding:
>
> acl broken_sites dst 23.0.0.0/12
>
> now gives me the below:
>
> Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - - [30/Jun/2014:20:16:51 -0600] "CONNECT 23.204.162.217:443 HTTP/1.1" 403 3385 TCP_DENIED:HIER_NONE
> Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - - [30/Jun/2014:20:16:51 -0600] "NONE error:invalid-request HTTP/0.0" 400 3981 TAG_NONE:HIER_NONE
>
> So something is off. Any help on these beasties? Thank you.
>
> James

Bah..had to add:

http_access allow broken_sites

Go me! Thank you.

James
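Replaying the http_access rules from the config quoted above against the CONNECT that the log shows as TCP_DENIED, as an added Python example (not Squid's own ACL code, only a first-match model of it): the evaluator shows why "deny all_others" wins before the fix, and the lint flags the dstdomain-only ssl_bump rule Dan described. Assumptions: the config is trimmed to the directives needed, the new allow line is placed before "deny all_others", and the dst prefix used for the fix is 23.192.0.0/11, because 23.0.0.0/12 as quoted in the thread does not contain 23.204.162.217 (the block checks that).

```python
import ipaddress

# Constructed excerpt of the squid.conf quoted in this thread; Safe_ports,
# manager, localnet and allowed_sites lines are left out as not needed here.
CONF_AS_POSTED = """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl broken_sites dstdomain akamaihd.net
acl broken_sites dstdomain apple.com
acl all_others dst all
http_access deny CONNECT !SSL_ports
http_access deny all_others
ssl_bump none broken_sites
ssl_bump server-first all
https_port 192.168.1.253:3129 intercept ssl-bump
"""

# The request behind the TCP_DENIED line in the access log quoted above.
# host=None: an intercepted TLS connection, where Squid only knows the IP.
LOGGED_CONNECT = {"src": "192.168.1.100", "dst_ip": "23.204.162.217",
                  "dst_port": 443, "method": "CONNECT", "host": None}


def with_fix(conf, prefix):
    """Add a dst ACL to broken_sites and 'http_access allow broken_sites'.
    Placing the allow before 'deny all_others' is an assumption; the post
    does not say where James put it."""
    out = []
    for line in conf.splitlines():
        if line.startswith("acl all_others"):
            out.append(f"acl broken_sites dst {prefix}")
        if line == "http_access deny all_others":
            out.append("http_access allow broken_sites")
        out.append(line)
    return "\n".join(out)


def parse_conf(text):
    """Collect acl lines, http_access rules, ssl_bump rules, intercept flag."""
    acls, http_access, ssl_bump, intercept_https = {}, [], [], False
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            http_access.append((parts[1], parts[2:]))
        elif parts[0] == "ssl_bump":
            ssl_bump.append((parts[1], parts[2:]))
        elif parts[0] == "https_port" and "intercept" in parts:
            intercept_https = True
    return acls, http_access, ssl_bump, intercept_https


def prefix_covers(prefix, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def acl_matches(acls, name, req):
    """An ACL spread over several lines is an OR over all its values."""
    for kind, values in acls.get(name, []):
        for v in values:
            if kind == "dst" and (v == "all" or prefix_covers(v, req["dst_ip"])):
                return True
            if kind == "port":
                lo, _, hi = v.partition("-")
                if int(lo) <= req["dst_port"] <= int(hi or lo):
                    return True
            if kind == "method" and v.upper() == req["method"].upper():
                return True
            # dstdomain needs a hostname; an intercepted TLS connection has
            # none (Dan's point; a reverse lookup by Squid is not modelled).
            if kind == "dstdomain" and req["host"]:
                h = req["host"].lower()
                if h == v or (v.startswith(".") and (h == v[1:] or h.endswith(v))):
                    return True
    return False


def decide(conf, req):
    """First http_access rule whose ACLs all match decides ('!' negates one
    ACL); with no match Squid applies the opposite of the last rule's action."""
    acls, rules, _, _ = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    return ("deny" if rules and rules[-1][0] == "allow" else "allow"), "(no match)"


def ssl_bump_warnings(conf):
    """Flag ssl_bump rules whose ACL is dstdomain-only while an https_port runs
    in intercept mode: such a rule never selects 'none' for intercepted traffic."""
    acls, _, ssl_bump, intercept_https = parse_conf(conf)
    if not intercept_https:
        return []
    return [f"ssl_bump {action} {n}: dstdomain-only ACL, use dst"
            for action, names in ssl_bump for n in names
            if {k for k, _ in acls.get(n.lstrip("!"), [])} == {"dstdomain"}]


if __name__ == "__main__":
    fixed = with_fix(CONF_AS_POSTED, "23.192.0.0/11")
    print("as posted:", decide(CONF_AS_POSTED, LOGGED_CONNECT), ssl_bump_warnings(CONF_AS_POSTED))
    print("with fix :", decide(fixed, LOGGED_CONNECT), ssl_bump_warnings(fixed))
    print("23.0.0.0/12 covers 23.204.162.217:", prefix_covers("23.0.0.0/12", "23.204.162.217"))
```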
Re: [squid-users] SSL bump working on most site...cert pinning issue?
On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
> Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another
> popular one that use pinning.
>
> As far as your broken_sites ACL goes, you can't use `dstdomain` because
> the only thing Squid can see of the destination before bumping an
> intercepted connection is the IP address. So for `ssl_bump none` you'll
> need to use `dst` ACLs instead.
>
> ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst
> equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
>
> Good luck
>
> On 30 Jun 2014, at 10:38 pm, James Lay wrote:
>
> > Topic pretty much says it...most sites work fine using my below set up,
> > but some (Apple's app store) do not. I'm wondering if cert pinning is
> > the issue? Since this set up is basically two separate sessions, I
> > packet captured both. The side that I have control over gives me a TLS
> > Record Layer Alert Close Notify. I am unable to decrypt the other side
> > as the device in question is an iDevice and I can't capture the master
> > secret.
> >
> > I've even tried to ACL certain sites to not bump, but they don't go
> > through. Below is my complete setup. This is running the below:
> >
> > Squid Cache: Version 3.4.6
> > configure options: '--prefix=/opt' '--enable-icap-client'
> > '--enable-ssl' '--enable-linux-netfilter'
> > '--enable-follow-x-forwarded-for' '--with-large-files'
> > '--sysconfdir=/opt/etc/squid'
> >
> > Any assistance with troubleshooting would be wonderful...thank you.
> >
> > James
> >
> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 443 -j REDIRECT --to-port 3129
> >
> > acl localnet src 192.168.1.0/24
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> >
> > acl CONNECT method CONNECT
> > acl broken_sites dstdomain textnow.me
> > acl broken_sites dstdomain akamaiedge.net
> > acl broken_sites dstdomain akamaihd.net
> > acl broken_sites dstdomain apple.com
> > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> > acl all_others dst all
> > acl SSL method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow manager localhost
> > http_access deny manager
> >
> > http_access allow allowed_sites
> > http_access deny all_others
> > http_access allow localnet
> > http_access allow localhost
> >
> > http_access deny all
> > icp_access deny all
> >
> > sslproxy_cert_error allow broken_sites
> > sslproxy_cert_error deny all
> >
> > sslproxy_options ALL
> > ssl_bump none broken_sites
> > ssl_bump server-first all
> >
> > http_port 192.168.1.253:3128 intercept
> > https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
> >
> > always_direct allow all
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > access_log syslog:daemon.info common
> >
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (cgi-bin|\?) 0       0%      0
> > refresh_pattern .               0       20%     4320
> >
> > icp_port 3130
> >
> > coredump_dir /opt/var

So adding:

acl broken_sites dst 23.0.0.0/12

now gives me the below:

Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - - [30/Jun/2014:20:16:51 -0600] "CONNECT 23.204.162.217:443 HTTP/1.1" 403 3385 TCP_DENIED:HIER_NONE
Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - - [30/Jun/2014:20:16:51 -0600] "NONE error:invalid-request HTTP/0.0" 400 3981 TAG_NONE:HIER_NONE

So something is off. Any help on these beasties? Thank you.

James
Re: [squid-users] SSL bump working on most site...cert pinning issue?
On 2014-06-30 07:13, Dan Charlesworth wrote:
> No worries. Sounds like this is the feature you should be waiting with
> bated breath for: http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> I'm not a developer so I have no idea how far along that is right now.
>
> On 30 Jun 2014, at 11:05 pm, James Lay wrote:
>
> > On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
> > > Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another
> > > popular one that use pinning.
> > >
> > > As far as your broken_sites ACL goes, you can't use `dstdomain` because
> > > the only thing Squid can see of the destination before bumping an
> > > intercepted connection is the IP address. So for `ssl_bump none` you'll
> > > need to use `dst` ACLs instead.
> > >
> > > ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst
> > > equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
> > >
> > > Good luck
> > >
> > > On 30 Jun 2014, at 10:38 pm, James Lay wrote:
> > >
> > > > Topic pretty much says it...most sites work fine using my below set up,
> > > > but some (Apple's app store) do not. I'm wondering if cert pinning is
> > > > the issue? Since this set up is basically two separate sessions, I
> > > > packet captured both. The side that I have control over gives me a TLS
> > > > Record Layer Alert Close Notify. I am unable to decrypt the other side
> > > > as the device in question is an iDevice and I can't capture the master
> > > > secret.
> > > >
> > > > I've even tried to ACL certain sites to not bump, but they don't go
> > > > through. Below is my complete setup. This is running the below:
> >
> > Ah good catch thank you. I've seen expensive proxy appliances just tunnel
> > the traffic through, but they get the host and domain name to allow
> > control...which is really all I'm wanting to do: control what sites are
> > allowed. I'll give your suggestions a go...thank you.
> >
> > James

Thanks Dan..looks like that's what I'll be watching for.

James
[squid-users] Fwd: Squidblacklist.org - A better blacklist for Squid-ACL. Blacklisting Evolved.
Good morning List Troll!

Please don't peddle your (subscription fee based no less...yugh) garbage off list, or heck ON list for that matter. Squid-users admin, kindly nuke/destroy/delete/erase the below...thank you.

James

-------- Original Message --------
Subject: Squidblacklist.org - A better blacklist for Squid-ACL. Blacklisting Evolved.
Date: 2014-06-30 07:35
From: "Benjamin E. Nichols"
To: j...@slave-tothe-box.net
Reply-To: webmas...@squidblacklist.org

Do you leverage a web filter on your networks? If so, then you should know that there is room for a better blacklist, and we intend to fill that gap. It would be a pleasure to serve you. If you would like samples of our works, we will gladly email you some upon request.

Signed,
Benjamin E. Nichols
http://www.squidblacklist.org
Re: [squid-users] SSL bump working on most site...cert pinning issue?
On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
> Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another
> popular one that use pinning.
>
> As far as your broken_sites ACL goes, you can't use `dstdomain` because
> the only thing Squid can see of the destination before bumping an
> intercepted connection is the IP address. So for `ssl_bump none` you'll
> need to use `dst` ACLs instead.
>
> ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst
> equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
>
> Good luck
>
> On 30 Jun 2014, at 10:38 pm, James Lay wrote:
>
> > Topic pretty much says it...most sites work fine using my below set up,
> > but some (Apple's app store) do not. I'm wondering if cert pinning is
> > the issue? Since this set up is basically two separate sessions, I
> > packet captured both. The side that I have control over gives me a TLS
> > Record Layer Alert Close Notify. I am unable to decrypt the other side
> > as the device in question is an iDevice and I can't capture the master
> > secret.
> >
> > I've even tried to ACL certain sites to not bump, but they don't go
> > through. Below is my complete setup. This is running the below:
> >
> > Squid Cache: Version 3.4.6
> > configure options: '--prefix=/opt' '--enable-icap-client'
> > '--enable-ssl' '--enable-linux-netfilter'
> > '--enable-follow-x-forwarded-for' '--with-large-files'
> > '--sysconfdir=/opt/etc/squid'
> >
> > Any assistance with troubleshooting would be wonderful...thank you.
> >
> > James
> >
> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128
> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 443 -j REDIRECT --to-port 3129
> >
> > acl localnet src 192.168.1.0/24
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> >
> > acl CONNECT method CONNECT
> > acl broken_sites dstdomain textnow.me
> > acl broken_sites dstdomain akamaiedge.net
> > acl broken_sites dstdomain akamaihd.net
> > acl broken_sites dstdomain apple.com
> > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> > acl all_others dst all
> > acl SSL method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow manager localhost
> > http_access deny manager
> >
> > http_access allow allowed_sites
> > http_access deny all_others
> > http_access allow localnet
> > http_access allow localhost
> >
> > http_access deny all
> > icp_access deny all
> >
> > sslproxy_cert_error allow broken_sites
> > sslproxy_cert_error deny all
> >
> > sslproxy_options ALL
> > ssl_bump none broken_sites
> > ssl_bump server-first all
> >
> > http_port 192.168.1.253:3128 intercept
> > https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
> >
> > always_direct allow all
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > access_log syslog:daemon.info common
> >
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (cgi-bin|\?) 0       0%      0
> > refresh_pattern .               0       20%     4320
> >
> > icp_port 3130
> >
> > coredump_dir /opt/var

Ah good catch thank you. I've seen expensive proxy appliances just tunnel the traffic through, but they get the host and domain name to allow control...which is really all I'm wanting to do: control what sites are allowed. I'll give your suggestions a go...thank you.

James
[squid-users] SSL bump working on most site...cert pinning issue?
Topic pretty much says it...most sites work fine using my below set up, but some (Apple's app store) do not. I'm wondering if cert pinning is the issue? Since this set up is basically two separate sessions, I packet captured both. The side that I have control over gives me a TLS Record Layer Alert Close Notify. I am unable to decrypt the other side as the device in question is an iDevice and I can't capture the master secret.

I've even tried to ACL certain sites to not bump, but they don't go through. Below is my complete setup. This is running the below:

Squid Cache: Version 3.4.6
configure options: '--prefix=/opt' '--enable-icap-client' '--enable-ssl' '--enable-linux-netfilter' '--enable-follow-x-forwarded-for' '--with-large-files' '--sysconfdir=/opt/etc/squid'

Any assistance with troubleshooting would be wonderful...thank you.

James

$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 443 -j REDIRECT --to-port 3129

acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT
acl broken_sites dstdomain textnow.me
acl broken_sites dstdomain akamaiedge.net
acl broken_sites dstdomain akamaihd.net
acl broken_sites dstdomain apple.com
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager

http_access allow allowed_sites
http_access deny all_others
http_access allow localnet
http_access allow localhost

http_access deny all
icp_access deny all

sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all

sslproxy_options ALL
ssl_bump none broken_sites
ssl_bump server-first all

http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE

always_direct allow all

hierarchy_stoplist cgi-bin ?

access_log syslog:daemon.info common

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (cgi-bin|\?) 0       0%      0
refresh_pattern .               0       20%     4320

icp_port 3130

coredump_dir /opt/var
Re: [squid-users] problem with filedescriptors after reboot
On 2014-06-20 09:10, ama...@tin.it wrote:
> I had configured /etc/security/limits.conf
>
> squid  soft  nofile  16384
> squid  hard  nofile  16384
> root   soft  nofile  16384
> root   hard  nofile  16384
>
> but to resolve the problem I have to add into /etc/init.d/squid
>
> #set filedescriptor
> set -e
> ulimit -n 16384
>
> thanks Eliezer

I've found that adding:

*  -  nofile  16384

to limits.conf works as well.

James
Re: [squid-users] [Fwd: ssl-bump and tunneling]
On Sat, 2014-04-26 at 21:38 +0300, Eliezer Croitoru wrote:
> you can apply these rules only and only on CONNECT requests which
> explicitly use a domain name in the request.
> Intercepted requests will always use IP address acls.
> So you will need either to use iptables rules to bypass for these
> domains' IPs or something else which is creative enough for it to work.
>
> Eliezer
>
> On 04/26/2014 06:29 PM, James Lay wrote:
> > acl broken_sites dstdomain .textnow.me
> > acl broken_sites dstdomain .akamaiedge.net
> > acl broken_sites dstdomain .akamaihd.net
> > acl broken_sites dstdomain .apple.com

Well there it is then...I've done the iptables thing to bypass these for now...is there any way to see exactly why these aren't functioning through as intercepted? In any case thanks for the response..that does help me.

James
[squid-users] [Fwd: ssl-bump and tunneling]
From the docs:

# none
# Become a TCP tunnel without decoding the connection.
# Works with both CONNECT requests and intercepted SSL
# connections. This is the default behavior when no
# ssl_bump option is given or no ssl_bump ACLs match.

I have the below:

acl broken_sites dstdomain .textnow.me
acl broken_sites dstdomain .akamaiedge.net
acl broken_sites dstdomain .akamaihd.net
acl broken_sites dstdomain .apple.com

sslproxy_cert_error allow broken_sites
sslproxy_cert_error deny all

sslproxy_options ALL
ssl_bump none broken_sites
ssl_bump server-first all

The above sites however still will not function..packet captures show the below:

136 2014-04-26 09:10:41.040857 192.168.1.110 -> 209.59.180.54 TCP 74 44955 > 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=21160983 TSecr=0 WS=2
137 2014-04-26 09:10:41.040934 209.59.180.54 -> 192.168.1.110 TCP 74 443 > 44955 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=22194209 TSecr=21160983 WS=16
138 2014-04-26 09:10:41.043198 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=21160986 TSecr=22194209
139 2014-04-26 09:10:41.045514 192.168.1.110 -> 209.59.180.54 SSL 146 Client Hello
140 2014-04-26 09:10:41.045589 209.59.180.54 -> 192.168.1.110 TCP 66 443 > 44955 [ACK] Seq=1 Ack=81 Win=14480 Len=0 TSval=22194210 TSecr=21160986
141 2014-04-26 09:10:41.321754 209.59.180.54 -> 192.168.1.110 TLSv1 2962 Server Hello
142 2014-04-26 09:10:41.321804 209.59.180.54 -> 192.168.1.110 TLSv1 240 Certificate
143 2014-04-26 09:10:41.688021 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [ACK] Seq=81 Ack=1449 Win=8736 Len=0 TSval=21161150 TSecr=22194279
144 2014-04-26 09:10:41.696392 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [ACK] Seq=81 Ack=2897 Win=11632 Len=0 TSval=21161151 TSecr=22194279
145 2014-04-26 09:10:41.697215 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [ACK] Seq=81 Ack=3071 Win=14528 Len=0 TSval=21161152 TSecr=22194279
146 2014-04-26 09:10:41.743603 192.168.1.110 -> 209.59.180.54 TLSv1 632 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
147 2014-04-26 09:10:41.743656 209.59.180.54 -> 192.168.1.110 TCP 66 443 > 44955 [ACK] Seq=3071 Ack=647 Win=15616 Len=0 TSval=22194385 TSecr=21161165
148 2014-04-26 09:10:41.744205 192.168.1.110 -> 209.59.180.54 TCP 66 44955 > 443 [FIN, ACK] Seq=647 Ack=3071 Win=14528 Len=0 TSval=21161165 TSecr=22194279
149 2014-04-26 09:10:41.781873 209.59.180.54 -> 192.168.1.110 TCP 66 443 > 44955 [ACK] Seq=3071 Ack=648 Win=15616 Len=0 TSval=22194395 TSecr=21161165
150 2014-04-26 09:10:41.844906 209.59.180.54 -> 192.168.1.110 TLSv1 109 Change Cipher Spec, Encrypted Handshake Message
151 2014-04-26 09:10:41.845076 209.59.180.54 -> 192.168.1.110 TLSv1 89 Encrypted Alert
152 2014-04-26 09:10:41.845196 209.59.180.54 -> 192.168.1.110 TCP 66 443 > 44955 [FIN, ACK] Seq=3137 Ack=648 Win=15616 Len=0 TSval=22194410 TSecr=21161165
153 2014-04-26 09:10:41.850790 192.168.1.110 -> 209.59.180.54 TCP 60 44955 > 443 [RST] Seq=648 Win=0 Len=0
154 2014-04-26 09:10:41.853153 192.168.1.110 -> 209.59.180.54 TCP 60 44955 > 443 [RST] Seq=648 Win=0 Len=0
155 2014-04-26 09:10:41.853748 192.168.1.110 -> 209.59.180.54 TCP 60 44955 > 443 [RST] Seq=648 Win=0 Len=0

This is on a linux machine with two interfaces acting as a router, one nic internal, the other external. Thanks for any assistance you can give.

James

PS..I find it hilarious that a mailing list about a web proxy doesn't accept HTML formatted emails :D

> ezmlm-reject: fatal: Sorry, a message part has an unacceptable MIME Content-Type: multipart/alternative (#5.2.3)
> Sorry, for security reasons this list only accepts plain text email and no large attachments. Please configure your mail client accordingly
[squid-users] generate-host-certficates
From the squid.conf.documented:

# SSL Bump Mode Options:
# In addition to these options ssl-bump requires TLS/SSL options.
#
# generate-host-certificates[=]
# Dynamically create SSL server certificates for the
# destination hosts of bumped CONNECT requests. When
# enabled, the cert and key options are used to sign
# generated certificates. Otherwise generated
# certificate will be selfsigned.
# If there is a CA certificate lifetime of the generated
# certificate equals lifetime of the CA certificate. If
# generated certificate is selfsigned lifetime is three
# years.
# This option is enabled by default when ssl-bump is used.
# See the ssl-bump option above for more information.

I did not find this to be the case and had to add it to my https_port line:

https_port bleh:3129 intercept generate-host-certificates=on ssl-bump cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL

Thank you.

James