> I recommend changing your main port to this:
> 
>   http_port 3128 ssl-bump ....

This is set to this when it processes

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

> and receiving the intercepted traffic on:
> 
>  http_port 3129 intercept ssl-bump ...

Do you mean https?

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
HTTPS uses that port 3129.

What should I adapt, http_port or https_port?

> On Jul 11, 2024, at 14:49, Amos Jeffries <squ...@treenet.co.nz> wrote:
> 
> Oh, I see the problem:
> 
>  http_port 127.0.0.1:3128 intercept ...
> 
> (which also means you lack a firewall rule preventing external software like 
> squidclient from sending traffic directly to your intercept port.)
> 
> 
> Please **do not** use port 3128 to receive intercepted traffic.
> 
> 
> I recommend changing your main port to this:
> 
>   http_port 3128 ssl-bump ....
> 
> and receiving the intercepted traffic on:
> 
>  http_port 3129 intercept ssl-bump ...
> 
> 
> and check your firewall has all the rules listed at 
> <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.
> One to note in particular is the "mangle" table rule.
> 
> 
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users

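As an added example (not code from this thread or from the Squid project), here is a small Python linter for the port layout under discussion. It parses the http_port/https_port directives of a squid.conf and reports the two things Amos objects to: an intercept port sitting on the conventional explicit-proxy port 3128, and no explicit (non-intercept) port at all. It also reminds the operator that every intercept port needs the firewall rule that drops direct connections (the mangle-table rule from the linked wiki page), since that cannot be checked from the config file itself. The two embedded configs are constructed samples: one in the shape that triggered the complaint, one in the recommended shape, which assumes the usual split of redirected port-80 traffic onto an http_port intercept and redirected port-443 traffic onto an https_port intercept.

```python
"""Lint the http_port/https_port layout of a squid.conf for the problems raised
in this thread.  Added example, not Squid's own code."""
import shlex

PORT_DIRECTIVES = ("http_port", "https_port")
INTERCEPT_MODES = {"intercept", "tproxy"}
EXPLICIT_PORT = 3128  # conventional explicit-proxy port; keep interception off it

# Constructed sample in the shape Amos objected to: interception on 3128 and
# no explicit port for clients that talk to the proxy directly.
BAD_CONF = """\
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
"""

# Constructed sample in the recommended shape: an explicit main port on 3128,
# redirected port-80 traffic on an http_port intercept and redirected port-443
# traffic on an https_port intercept, each on its own port.
GOOD_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on
http_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
https_port 127.0.0.1:3130 intercept ssl-bump generate-host-certificates=on
"""


def parse_ports(conf_text):
    """Return one dict per http_port/https_port directive found in conf_text."""
    ports = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in PORT_DIRECTIVES or len(tokens) < 2:
            continue
        # "3128", "192.168.1.1:3128" and "[::1]:3128" all split on the last colon
        host, _, port = tokens[1].rpartition(":")
        ports.append({
            "directive": tokens[0],
            "address": tokens[1],
            "host": host,
            "port": int(port),
            # bare words after the address are modes (intercept, ssl-bump, ...);
            # key=value tokens are options and are not needed for these checks
            "modes": {t for t in tokens[2:] if "=" not in t},
        })
    return ports


def check_ports(ports):
    """Return a list of (severity, message) findings for the parsed ports."""
    findings = []
    explicit = [p for p in ports if not (p["modes"] & INTERCEPT_MODES)]
    intercepted = [p for p in ports if p["modes"] & INTERCEPT_MODES]

    if not explicit:
        findings.append(("error", "no explicit (non-intercept) http_port: clients "
                         "configured to use the proxy directly, including squidclient, "
                         "have nowhere to connect"))

    # Each listening address may be bound only once.
    seen = {}
    for p in ports:
        if p["address"] in seen:
            findings.append(("error", f"{p['address']} is bound by both "
                             f"{seen[p['address']]} and {p['directive']}"))
        seen[p["address"]] = p["directive"]

    for p in intercepted:
        if p["port"] == EXPLICIT_PORT:
            findings.append(("error", f"{p['directive']} {p['address']}: interception "
                             f"on port {EXPLICIT_PORT}, the conventional explicit-proxy "
                             "port; move it to a separate port such as 3129"))
        findings.append(("warn", f"{p['directive']} {p['address']}: an intercept port "
                         "must only receive redirected traffic; confirm the firewall "
                         "drops direct connections to it (the mangle-table rule from "
                         "the Squid wiki)"))
    return findings


def lint(conf_text):
    """Parse and check in one step; returns the findings list."""
    return check_ports(parse_ports(conf_text))


if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(f"== {name} ==")
        for severity, message in lint(conf):
            print(f"[{severity}] {message}")
```

Run it against a real squid.conf by reading the file into `lint()`; the "bad" sample yields two errors and the "good" sample yields only the two firewall reminders. The checker deliberately ignores every `key=value` option (certificates, ciphers, dh parameters), because the port clash is decided by the listening address and the bare mode words alone.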