Correction: use both ACLs, and use:

ssl_bump peek step1
miss_access deny no_miss
ssl_bump splice https_login
ssl_bump splice splice_only_mac splice_only
ssl_bump splice NoBumpDNS
ssl_bump splice NoSSLIntercept
ssl_bump bump bump_only_mac bump_only
ssl_bump terminate all # if it's not on the list kill the connection
I did not know it could also check Layer 2 and Layer 3 addresses this way; it seems more secure. Have a good day everyone.

> On Apr 22, 2024, at 16:52, Jonathan Lee <jonathanlee...@gmail.com> wrote:
>
> Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users
>
> I think this might resolve any container based issues/fears if they happened to get into the cache, i.e. a Docker proxy got installed and tried to data marshal the network card inside of a FreeBSD jail or something like that. Biggest fear with my cache; it is a big cache now.
>
> Please let me know what you think or if it is wrong.
>
> Here is my configuration. I wanted to share it as it might help to secure some of this.
>
> Keep in mind I use cachemgr.cgi within Squidlight so I had to set the password and I have to also adapt the php status file to include the password and also the sqlight php file.
>
> After that the status and gui pages still work with the new password. The only issue is that it shows up in clear text when it goes over the proxy; I can see my password clear as day. Again, that was an issue listed inside the Squid O'REILLY book also.
>
> I am amazed at the warm updates; that was the original goal. I was tired of slow updates over and over again.
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> icp_port 0
> digest_generation off
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/local/etc/squid/icons
> visible_hostname Lee_Family.home.arpa
> cache_mgr jonathanlee...@gmail.com
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
> tls_outgoing_options capath=/usr/local/share/certs/
> tls_outgoing_options options=NO_SSLv3
> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslcrtd_children 10
>
> logfile_rotate 0
> debug_options rotate=0
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src 192.168.1.0/27
> forwarded_for transparent
> httpd_suppress_version_string on
> uri_whitespace strip
> dns_nameservers 127.0.0.1
> acl getmethod method GET
> acl to_ipv6 dst ipv6
> acl from_ipv6 src ipv6
>
> tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>
> acl HttpAccess dstdomain '/usr/local/pkg/http.access'
> acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'
>
> acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com .static.com .apple.com .oracle.com .sun.com .java.com .adobe.com .steamstatic.com .steampowered.com .steamcontent.com .google.com
>
> store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
> store_id_children 10 startup=5 idle=1 concurrency=0
> always_direct allow !getmethod
> store_id_access deny connect
> store_id_access deny !getmethod
> store_id_access allow rewritedoms
> reload_into_ims on
> max_stale 20 years
> minimum_expiry_time 0
>
>
> refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod override-expire ignore-reload ignore-no-store ignore-private
>
> #FACEBOOK
> refresh_pattern ^https.*.facebook.com/* 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #FACEBOOK IMAGES
> refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #FACEBOOK VIDEO
> refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #APPLE STUFF
> refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 refresh-ims
>
> #apple update
> refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200
> refresh_pattern -i appldnld.apple.com 129600 100% 129600
> refresh_pattern -i phobos.apple.com 129600 100% 129600
> refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600
>
> # Updates: Windows
> refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 refresh-ims
> # (fixed: the original had a stray ")" after wmv, which is an invalid regex)
> refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200 refresh-ims
> refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 refresh-ims
> refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
> refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200
> refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
> refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
> #windows update NEW UPDATE 0.04
> refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
> refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200
> refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>
> # (fixed: "[steampowered|steamcontent]" was a character class, not an alternation)
> refresh_pattern ([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).(steampowered|steamcontent).com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern ([^.]+.)?.akamai.steamstatic.com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i ([^.]+.)?.adobe.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.java.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.sun.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.oracle.com/.*.(zip|exe|tar.gz) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i appldnld.apple.com 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i ([^.]+.)?.google.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private
> refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private
>
> acl https_login url_regex -i ^https.*(login|Login).*
> cache deny https_login
>
> range_offset_limit 512 MB windowsupdate
> range_offset_limit 4 MB
> range_offset_limit 0
> quick_abort_min -1 KB
>
> cache_mem 64 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 512 MB
> cache_dir diskd /var/squid/cache 64000 256 256
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
> cache deny donotcache
> cache allow all
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #Remote proxies
>
>
> # Setup some default acls
> # ACLs all, manager, localhost, and to_localhost are predefined.
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
> acl sslports port 443 563 8080 5223 2197
>
> acl purge method PURGE
> acl connect method CONNECT
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
>
> # SslBump Peek and Splice
> # http://wiki.squid-cache.org/Features/SslPeekAndSplice
> # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> # Match against the current step during ssl_bump evaluation [fast]
> # Never matches and should not be used outside the ssl_bump context.
> #
> # At each SslBump step, Squid evaluates ssl_bump directives to find
> # the next bumping action (e.g., peek or splice). Valid SslBump step
> # values and the corresponding ssl_bump evaluation moments are:
> # SslBump1: After getting TCP-level and HTTP CONNECT info.
> # SslBump2: After getting TLS Client Hello info.
> # SslBump3: After getting TLS Server Hello info.
> # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
> # they can be used there for custom configuration.
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> http_access allow localhost
>
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> quick_abort_pct 95
> request_body_max_size 0 KB
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc
>
> # Reverse Proxy settings
>
> deny_info TCP_RESET allsrc
>
> # Package Integration
> url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
> url_rewrite_bypass off
> url_rewrite_children 32 startup=8 idle=4 concurrency=0
>
> # Custom options before auth
> #host_verify_strict on
>
> # These hosts are banned
> http_access deny banned_hosts
> # Always allow access to whitelist domains
> http_access allow whitelist
> # Block access to blacklist domains
> http_access deny blacklist
> # List of domains allowed to logging in to Google services
> request_header_access X-GoogApps-Allowed-Domains deny all
> request_header_add X-GoogApps-Allowed-Domains consumer_accounts
> # Set YouTube safesearch restriction
> acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
> request_header_access YouTube-Restrict deny all
> request_header_add YouTube-Restrict none youtubedst
> acl sglog url_regex -i sgr=ACCESSDENIED
> http_access deny sglog
> # Custom SSL/MITM options before auth
> cachemgr_passwd disable offline_toggle reconfigure shutdown
> cachemgr_passwd REDACTED_CLASSIFIED all
> eui_lookup on
> acl no_miss url_regex -i gateway.facebook.com/ws/realtime?
> acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_access allow HttpAccess localnet
> http_access allow HttpAccess localhost
> http_access deny manager
> http_access deny to_ipv6
> http_access deny from_ipv6
>
> acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
> sslproxy_cert_error deny all
>
> acl splice_only src 192.168.1.8 #Tasha iPhone
> acl splice_only src 192.168.1.10 #Jon iPhone
> acl splice_only src 192.168.1.11 #Amazon Fire
> acl splice_only src 192.168.1.15 #Tasha HP
> acl splice_only src 192.168.1.16 #iPad
>
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
>
> acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'
> acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'
>
> acl markBumped annotate_client bumped=true
> acl bump_only src 192.168.1.3 #webtv
> acl bump_only src 192.168.1.4 #toshiba
> acl bump_only src 192.168.1.5 #imac
> acl bump_only src 192.168.1.9 #macbook
> acl bump_only src 192.168.1.13 #dell
>
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
>
>
> ssl_bump peek step1
> miss_access deny no_miss
> ssl_bump splice https_login
> ssl_bump splice splice_only_mac
> ssl_bump splice NoBumpDNS
> ssl_bump splice NoSSLIntercept
> ssl_bump bump bump_only_mac
> ssl_bump terminate all # if it's not on the list kill the connection
>
> acl markedBumped note bumped true
> url_rewrite_access deny markedBumped
>
> read_ahead_gap 64 KB
> negative_ttl 1 second
> connect_timeout 30 seconds
> request_timeout 60 seconds
> half_closed_clients off
> shutdown_lifetime 10 seconds
> negative_dns_ttl 1 seconds
> ignore_unknown_nameservers on
> pipeline_prefetch 100
>
> #acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
> #ssl_bump bump SSLIntercept
>
> # Setup allowed ACLs
> # Allow local network(s) on interface(s)
> http_access allow localnet
> # Default block all to be sure
> http_access deny allsrc
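The correction at the top of this message puts the arp ACL and the src ACL on the same ssl_bump line, so a client has to match both its listed MAC and its listed IP before it is spliced or bumped. The following is an added example, not code from the post or from Squid: a small Python model of Squid's ssl_bump evaluation (ACLs on one line are ANDed, values of one named ACL are ORed, first matching line wins), reduced to the per-client address lines. The IPs are the ones in the quoted config; the MAC addresses are constructed placeholders because the post redacts them.

```python
# Added example (not from the post or from Squid): a toy model of how Squid
# evaluates the corrected ssl_bump lines. Semantics modelled: every ACL named
# on one line must match (AND), the values of one named ACL are alternatives
# (OR), and the first matching line decides. The peek, https_login, NoBumpDNS
# and NoSSLIntercept lines are left out so the effect of pairing arp with src
# stands out.
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    ip: str   # Layer 3 source address, what "acl ... src" checks
    mac: str  # Layer 2 address, what "acl ... arp" checks (needs eui_lookup on)

# Constructed ACL table: IPs come from the post, MACs are placeholders because
# the post redacts them. A named ACL declared on several lines is one value set.
ACLS = {
    "splice_only":     ("src", {"192.168.1.8", "192.168.1.10", "192.168.1.11"}),
    "splice_only_mac": ("arp", {"02:00:00:00:00:08", "02:00:00:00:00:0a"}),
    "bump_only":       ("src", {"192.168.1.3", "192.168.1.4", "192.168.1.5"}),
    "bump_only_mac":   ("arp", {"02:00:00:00:00:03", "02:00:00:00:00:04"}),
}

# (action, [acl names]) per ssl_bump line; "all" is Squid's predefined ACL.
ORIGINAL_RULES = [  # MAC-only lines as in the quoted squid.conf
    ("splice", ["splice_only_mac"]),
    ("bump", ["bump_only_mac"]),
    ("terminate", ["all"]),
]
CORRECTED_RULES = [  # the correction: arp AND src on the same line
    ("splice", ["splice_only_mac", "splice_only"]),
    ("bump", ["bump_only_mac", "bump_only"]),
    ("terminate", ["all"]),
]

def acl_matches(name: str, client: Client) -> bool:
    """True when the client matches any value of the named ACL."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    return (client.ip if kind == "src" else client.mac.lower()) in values

def ssl_bump_decision(rules, client: Client) -> str:
    """First line whose ACLs all match wins; 'terminate all' makes a match certain."""
    for action, acl_names in rules:
        if all(acl_matches(n, client) for n in acl_names):
            return action
    raise RuntimeError("no ssl_bump line matched")

def compare(client: Client) -> tuple:
    """(decision under the MAC-only lines, decision under the corrected lines)."""
    return ssl_bump_decision(ORIGINAL_RULES, client), ssl_bump_decision(CORRECTED_RULES, client)
```

A listed MAC that shows up with an unlisted IP (or a bump-list MAC on a splice-list IP) is still spliced or bumped under the MAC-only lines but terminated under the corrected ones. Squid's arp ACL only resolves clients on the proxy's own broadcast domain, so hosts behind another router match neither arp ACL and are terminated under both rule sets.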
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users