Hello, I'm trying to set up a Squid server as simple as possible, just to review web use in the office, using the latest stable version, 3.5.7.
I set up a bridge with 2 NICs, br0 with IP 192.168.0.5, and I have disabled IPv6 on boot in my Slackware Current (Fri Aug 14 2015) server. The boot script for TPROXY, routing, iptables and ebtables:

echo 50 > /proc/sys/vm/swappiness
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes

ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130

CLIENT_IFACE=eth1
INET_IFACE=eth0
ebtables -t broute -A BROUTING \
  -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 \
  -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
  -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 \
  -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
  -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 443 \
  -j redirect --redirect-target DROP

I compiled Squid from source:

./configure \
  --prefix=/usr \
  --libdir=/usr/lib64 \
  --libexecdir=/usr/lib64/squid \
  --sysconfdir=/etc/squid \
  --localstatedir=/var/log/squid \
  --sharedstatedir=/var/lib \
  --datadir=/usr/share/squid \
  --with-pidfile=/var/run/squid \
  --mandir=/usr/man \
  --with-logdir=/var/log/squid \
  --enable-silent-rules \
  --enable-dependency-tracking \
  --with-openssl=/usr/include/openssl/ \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-icmp \
  --enable-delay-pools \
  --enable-useragent-log \
  --enable-esi \
  --enable-follow-x-forwarded-for \
  --enable-linux-netfilter \
  --enable-forward-log \
  --enable-poll \
  --enable-referer-log \
  --with-default-user=squid \
  --enable-auto-locale \
  --disable-ipv6 \
  --build=X86_64-slackware-linux

Generating the certificate:

# openssl genrsa -out squid.key 2048
# openssl req -new -key squid.key -out squid.csr
# openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
# cat squid.key squid.crt > squid.pem

My squid.conf:

acl localnet src 192.168.0.0/16
acl localhost src 192.168.0.5/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl ssl-bump_port myportname 3130

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny all
http_reply_access allow all
icp_access allow all

tcp_outgoing_address 85.138.204.43
dns_v4_first on
pinger_enable off

http_port 3128
http_port 3129 tproxy
https_port 3130 ssl-bump tproxy generate-host-certificates=off cert=/etc/squid/ssl/squid.pem cafile=/etc/squid/ssl/squid.pem

always_direct allow ssl-bump_port
ssl_bump none all

dns_nameservers 8.8.8.8 8.8.4.4
access_log daemon:/var/log/squid/access.log squid
cache deny all
pid_filename /var/run/squid/squid.pid
coredump_dir /var/log/squid/cache/squid
visible_hostname myservername.domain.local

In general the configuration (squid.conf) is working, but it has some incomplete behaviour, as the log files show.

access.log (I know this is Facebook, but there is no DNS resolution for HTTPS, just the IP):

1439811492.625   2377 192.168.0.102 TCP_TUNNEL/200 3574 CONNECT 31.13.90.2:443 - ORIGINAL_DST/31.13.90.2 -

cache.log:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=504747
Content-Type: application/ocsp-response
Date: Mon, 17 Aug 2015 11:38:03 GMT
ETag: "55d15943-1d7"
Expires: Sun, 23 Aug 2015 23:38:03 GMT
Last-Modified: Mon, 17 Aug 2015 03:47:15 GMT
Server: ECS (mad/439C)
X-Cache: HIT
Content-Length: 471
X-Cache: MISS from squidhead2.skywalker.local
Via: 1.1 squidhead2.skywalker.local (squid/3.5.7)
Connection: keep-alive
----------
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(222) doAccept: New connection on FD 12
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(297) acceptNext: connection on local=0.0.0.0:3130 remote=[::] FD 12 flags=25
2015/08/17 12:38:10.248 kid1| client_side.cc(3890) httpsSslBumpAccessCheckDone: sslBump not needed for local=31.13.90.2:443 remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2337) parseHttpRequest: HTTP Client local=31.13.90.2:443 remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2338) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 31.13.90.2:443 HTTP/1.1
Host: 31.13.90.2:443
---------
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last ACL checked: localnet
2015/08/17 12:38:10.248 kid1| client_side_request.cc(717) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last ACL checked: localnet
2015/08/17 12:38:10.248 kid1| peer_select.cc(280) peerSelectDnsPaths: Found sources for '31.13.90.2:443'
2015/08/17 12:38:10.248 kid1| peer_select.cc(281) peerSelectDnsPaths:   always_direct = ALLOWED
2015/08/17 12:38:10.248 kid1| peer_select.cc(282) peerSelectDnsPaths:    never_direct = DENIED
2015/08/17 12:38:10.248 kid1| peer_select.cc(288) peerSelectDnsPaths:    ORIGINAL_DST = local=192.168.0.102 remote=31.13.90.2:443 flags=25
2015/08/17 12:38:10.248 kid1| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
2015/08/17 12:38:12.621 kid1| client_side.cc(815) swanSong: local=31.13.90.2:443 remote=192.168.0.102 flags=17
2015/08/17 12:38:12.625 kid1| client_side.cc(815) swanSong: local=31.13.90.2:443 remote=192.168.0.102 flags=17

The logs for HTTP (port 80) do have the hostnames of the browsing.
I disabled the pinger because it gave some errors:

2015/08/17 12:49:55.918 kid1| Pinger socket opened on FD 20
2015/08/17 12:49:55.920 kid1| IcmpSquid.cc(90) SendEcho: to 127.0.0.1, opcode 1, len 9
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: netdb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: asndb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: carp
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: userhash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: sourcehash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: server_list
2015/08/17 12:49:55| pinger: Initialising ICMP pinger ...
2015/08/17 12:49:55| icmp_sock: (1) Operation not permitted
2015/08/17 12:49:55| pinger: Unable to start ICMP pinger.
2015/08/17 12:49:55| FATAL: pinger: Unable to open any ICMP sockets.

This is my cache.log after reloading Squid:

2015/08/17 12:51:26| Set Current Directory to /var/log/squid/cache/squid
2015/08/17 12:51:27 kid1| Reconfiguring Squid Cache (version 3.5.7)...
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3128
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3129
2015/08/17 12:51:27 kid1| Closing HTTPS port 0.0.0.0:3130
2015/08/17 12:51:27 kid1| Closing Pinger socket on FD 20
2015/08/17 12:51:27.320 kid1| Gadgets.cc(99) authenticateReset: Reset authentication State.
2015/08/17 12:51:27.320 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Startup: Initializing Authentication Schemes ...
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'basic'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'digest'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'negotiate'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'ntlm'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication.
2015/08/17 12:51:27.320 kid1| RegexData.cc(303) aclParseRegexList: aclParseRegexList: new Regex line or file
2015/08/17 12:51:27.320 kid1| RegexData.cc(194) compileOptimisedREs: compileOptimisedREs: -i
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^cache_object://'
2015/08/17 12:51:27.320 kid1| RegexData.cc(208) compileOptimisedREs: compileOptimisedREs: +i
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE: compiled '(^cache_object://)' with flags 11
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^https?://[^/]+/squid-internal-mgr/'
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE: compiled '(^https?://[^/]+/squid-internal-mgr/)' with flags 9
2015/08/17 12:51:27.320 kid1| RegexData.cc(261) compileOptimisedREs: compileOptimisedREs: 2 REs are optimised into one RE.
2015/08/17 12:51:27.320 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3129 (TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3130 (TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Initializing https proxy context
2015/08/17 12:51:27.320 kid1| Initializing https_port 0.0.0.0:3130 SSL context
2015/08/17 12:51:27.320 kid1| Using certificate in /etc/squid/ssl/squid.pem
2015/08/17 12:51:27.330 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: config
2015/08/17 12:51:27.330 kid1| main.cc(803) mainReconfigureFinish: running RegisteredRunner::syncConfig
2015/08/17 12:51:27.331 kid1| errorpage.cc(312) tryLoadTemplate: wildcard fallback errors not coded yet.
2015/08/17 12:51:27.331 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Squid plugin modules loaded: 0
2015/08/17 12:51:27.331 kid1| Adaptation support is off.
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation services
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation service groups
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation access rules
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: store_log_tags
2015/08/17 12:51:27.332 kid1| Store logging disabled
2015/08/17 12:51:27.332 kid1| dns_internal.cc(1534) dnsInit: idnsInit: attempt open DNS socket to: 0.0.0.0
2015/08/17 12:51:27.332 kid1| DNS Socket created at 0.0.0.0, FD 11
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.8.8 from squid.conf
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.4.4 from squid.conf
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: idns
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: external_acl
2015/08/17 12:51:27.332 kid1| wccp.cc(112) wccpConnectionOpen: WCCPv1 disabled.
2015/08/17 12:51:27.332 kid1| wccp2.cc(960) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2015/08/17 12:51:27.332 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0ea40 [call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0) [call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0eb50 [call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0) [call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0ec60 [call62035]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0) [call62035]
2015/08/17 12:51:27.333 kid1| HTCP Disabled.
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: netdb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: asndb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: carp
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: userhash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: sourcehash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: server_list
2015/08/17 12:51:27.333 kid1| Finished loading MIME types and icons.
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62031]
2015/08/17 12:51:27.343 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 12 flags=9
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62033]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 16 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62035]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3130 remote=[::] FD 20 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0)

Do I have to set up a local DNS server? Can't the internal DNS of Squid handle HTTPS in TPROXY? What's missing to have name resolution in HTTPS traffic, as is shown in HTTP traffic?
Thanks for your time helping me.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
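Editor's note on the post above. The intercepted CONNECT in the access.log carries only 31.13.90.2:443 because, with `ssl_bump none all`, Squid never looks inside the TLS handshake; the TPROXY socket and the fake CONNECT built from ORIGINAL_DST give it only the destination IP, and no DNS lookup happens on the proxy for a client that already resolved the name itself. The one client-supplied name on such a flow is the Server Name Indication extension in the TLS ClientHello (RFC 6066), which is what Squid's peek-and-splice mode (`ssl_bump peek step1` followed by `ssl_bump splice all` in 3.5) reads before deciding what to do with the connection. The following stand-alone Python parser pulls that SNI out of a ClientHello; it is an added example, not code from the original post or from Squid, and it runs over constructed records (one carrying a name, one from a client connecting by bare IP and therefore without SNI, and one that is plain HTTP bytes):

```python
"""Extract the SNI host_name from a raw TLS ClientHello record.

Added example for the squid-users thread above; not Squid code.  The
ClientHello bytes used for the demonstration are constructed in
build_client_hello(), not captured from a real client.
"""
import struct


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_sni(record: bytes):
    """Return the SNI host_name from the first TLS record, or None.

    None covers non-TLS input (e.g. an HTTP CONNECT line), a handshake that
    is not a ClientHello, a truncated record, and a ClientHello with no
    server_name extension, which is what a client connecting to a bare IP
    such as 31.13.90.2 sends.
    """
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake.
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + _u16(record, 3)]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 34:  # client_version(2) + random(32)
        return None
    off = 34
    off += 1 + hello[off]                       # session_id
    if off + 2 > len(hello):
        return None
    off += 2 + _u16(hello, off)                 # cipher_suites
    if off + 1 > len(hello):
        return None
    off += 1 + hello[off]                       # compression_methods
    if off + 2 > len(hello):
        return None                             # no extensions block at all
    ext_total = _u16(hello, off)
    off += 2
    end = min(off + ext_total, len(hello))
    while off + 4 <= end:
        ext_type, ext_size = _u16(hello, off), _u16(hello, off + 2)
        off += 4
        ext = hello[off:off + ext_size]
        off += ext_size
        if ext_type != 0x0000:                  # 0 = server_name (RFC 6066)
            continue
        if len(ext) < 2:
            return None
        p, list_end = 2, min(2 + _u16(ext, 0), len(ext))
        while p + 3 <= list_end:
            name_type, name_len = ext[p], _u16(ext, p + 1)
            p += 3
            name = ext[p:p + name_len]
            p += name_len
            if name_type == 0:                  # 0 = host_name
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def build_client_hello(sni=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    ext = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x11" * 32          # version, fixed "random"
             + b"\x00"                           # empty session_id
             + b"\x00\x02\xc0\x2f"               # one cipher suite
             + b"\x01\x00"                       # null compression only
             + (struct.pack("!H", len(ext)) + ext if ext else b""))
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(parse_sni(build_client_hello("www.example.com")))
    print(parse_sni(build_client_hello()))
    print(parse_sni(b"CONNECT 31.13.90.2:443 HTTP/1.1\r\n"))
```

The third input shows why the question in the post cannot be answered by DNS settings alone: once the client has opened a TCP connection to an IP, the proxy only learns a hostname if the client volunteers one in the handshake, and a browser that was told to connect to an IP literal sends no SNI at all.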