Squid
Maxim, 2015-11-16 10:54:57

How to set up transparent proxying in Squid using SSL Peek and Splice?

I'm trying to set up HTTPS proxying using SSL Peek and Splice as shown in Satya's article. But when I redirect all traffic to Squid, no HTTPS site opens. Silence in the logs.
Config:

acl terminals src 10.214.2.128/25
acl localnet src 192.168.1.0/24
acl vpnnet src 192.168.3.0/24

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

visible_hostname gateway
dns_nameservers 10.214.2.137

# Plain HTTP: 3128 receives NAT-redirected traffic, 3130 is an explicit proxy port
http_port 3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 3130 options=NO_SSLv3:NO_SSLv2

# Intercepted HTTPS: ssl-bump enables the ssl_bump rules below; the CA cert is
# only used when a connection is actually bumped (peek/splice never terminates TLS)
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
always_direct allow all
# Both of these disable upstream certificate verification, but only for bumped connections
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Weekday lunch break and weekday working hours; the deny rules below apply
# during working hours outside the break
acl break time MTWHF 12:00-13:00
acl night time MTWHF 08:00-17:00

acl anonymizers url_regex "/etc/squid/rules/anonymizers.acl"
acl dating url_regex "/etc/squid/rules/dating.acl"
acl fileshare url_regex "/etc/squid/rules/fileshare.acl"
acl porn url_regex "/etc/squid/rules/porn.acl"
acl social url_regex "/etc/squid/rules/social.acl"
acl umor url_regex "/etc/squid/rules/umor.acl"
acl open-win url_regex "/etc/squid/rules/open-win.acl"
acl js url_regex "/etc/squid/rules/js.acl"
acl games url_regex "/etc/squid/rules/games.acl"
acl fake url_regex "/etc/squid/rules/fake.acl"
acl 451 url_regex "/etc/squid/rules/451.acl"

# Host to refuse, matched on the SNI read from the peeked ClientHello
acl test ssl::server_name .2ip.ru

# Matches only during the first ssl_bump step (TCP connection accepted, nothing read yet)
acl step1 at_step SslBump1

# Certificate generator; only exercised by bump, not by peek/splice
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

#######################
http_access allow all

#ssl
# Step 1: read the ClientHello (SNI) without connecting upstream
ssl_bump peek step1
# Step 2: close connections to .2ip.ru, tunnel everything else untouched
ssl_bump terminate test
ssl_bump splice all

#no ssl

http_access deny open-win
http_access deny js
http_access deny fake
http_access deny 451
http_access deny anonymizers 
http_access deny dating !break night
http_access deny fileshare !break night
http_access deny porn
http_access deny social !break night
http_access deny umor !break night
http_access deny games !break night

http_access allow localhost
http_access allow localnet
http_access allow terminals
http_access allow vpnnet

http_access deny all

##########################

cache_dir ufs /var/spool/squid 6249 16 256
maximum_object_size 10240 KB
cache_mgr [email protected]

coredump_dir /var/spool/squid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

"http_access allow all" is placed in front of all the rules for the duration of the test; there is no problem with regular HTTP.
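The peek-then-splice policy in the config above can be traced step by step. The Python below is an added example written for this page, not code from the question, the article, or Squid itself; it re-implements Squid's documented first-match evaluation of ssl_bump rules for the acl types the config uses, treats the intercepted destination IP as the step-1 server name (an assumption about intercept mode, where no CONNECT host exists), and uses constructed addresses from the RFC 5737 documentation ranges. It also flags "sslproxy_flags DONT_VERIFY_PEER" and "sslproxy_cert_error allow all": they only relax checking on bumped connections, so they are inert for pure peek/splice, but they would silently disable upstream verification if a bump rule were ever added.

```python
"""
Step-by-step model of Squid's ssl_bump evaluation for the peek-then-splice policy
in the question.  Added example, not Squid code: re-implements the documented
first-match rule semantics for the squid.conf subset used above.
"""

# Constructed input: the TLS-related lines copied from the question's config.
SAMPLE_CONF = """
acl test ssl::server_name .2ip.ru
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate test
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Directives that relax upstream certificate checking.  They only affect connections
# Squid bumps (where it is the TLS client); peeked/spliced ones are tunnelled end to end.
WEAK_DIRECTIVES = {
    ("sslproxy_flags", "DONT_VERIFY_PEER"): "upstream certificate not verified on bumped connections",
    ("sslproxy_cert_error", "allow"): "upstream certificate errors ignored on bumped connections",
}


def parse(conf):
    """Split squid.conf text into acls {name: (type, values)}, ssl_bump rules and other directives."""
    acls, rules, other = {}, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' to end of line is a comment
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "acl":
            name, kind, values = tokens[1], tokens[2], tokens[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif tokens[0] == "ssl_bump":
            rules.append((tokens[1], tokens[2:]))
        else:
            other.append(tokens)
    return acls, rules, other


def domain_match(pattern, host):
    """Squid domain matching: a leading dot matches the domain and all subdomains; no dot means exact."""
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(term, acls, step, server_name):
    """Evaluate one acl term of an ssl_bump rule; a leading '!' negates, 'all' is Squid's builtin."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":
        result = True
    else:
        kind, values = acls[name]
        if kind == "at_step":
            result = f"SslBump{step}" in values
        elif kind == "ssl::server_name":
            result = any(domain_match(v, server_name) for v in values)
        else:
            raise ValueError(f"acl type {kind} is not modelled")
    return result != negate


def decide(rules, acls, step, server_name):
    """First rule whose acl terms all match wins; with no match Squid's default is to tunnel (splice)."""
    for action, terms in rules:
        if all(acl_matches(t, acls, step, server_name) for t in terms):
            return action
    return "splice"


def evaluate_connection(conf, dst_ip, sni):
    """Return the (step, action) decisions for one intercepted TLS connection.

    Step 1 sees only TCP data, so server_name is modelled as the destination IP.
    Step 2 runs after the ClientHello was peeked, so server_name is the SNI (or
    still the IP if none was sent).  Step 3 is only reached after a step-2 peek/stare.
    """
    acls, rules, _ = parse(conf)
    names = {1: dst_ip, 2: sni or dst_ip, 3: sni or dst_ip}
    decisions = []
    for step in (1, 2, 3):
        action = decide(rules, acls, step, names[step])
        decisions.append((step, action))
        if action not in ("peek", "stare"):
            break  # splice, bump and terminate are final
    return decisions


def weak_settings(conf):
    """List directives that would weaken upstream verification if a bump rule is ever added."""
    _, _, other = parse(conf)
    hits = []
    for tokens in other:
        key = (tokens[0], tokens[1] if len(tokens) > 1 else "")
        if key in WEAK_DIRECTIVES:
            hits.append(f"{' '.join(tokens)}: {WEAK_DIRECTIVES[key]}")
    return hits


if __name__ == "__main__":
    # Destination IPs are constructed from the RFC 5737 documentation ranges.
    for ip, sni in [("192.0.2.10", "2ip.ru"), ("198.51.100.20", "www.example.com"), ("198.51.100.20", None)]:
        print(ip, sni, evaluate_connection(SAMPLE_CONF, ip, sni))
    for warning in weak_settings(SAMPLE_CONF):
        print("warning:", warning)
```

Run directly, it prints the decisions: connections to 2ip.ru and its subdomains are peeked at step 1 and terminated at step 2, everything else is peeked and then spliced, and no step-1 decision can depend on the SNI because the ClientHello has not been read yet. That is exactly why the step1 acl is needed: without it, "ssl_bump splice all" would match at step 1 and the terminate rule would never be consulted.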

1 answer(s)
Nikita Parfenovich, 2015-11-20
@maxpointn2point

Since you did it according to my article, you should have noticed what is written at the end of it. I wrote that there are bugs in versions higher than 3.5.8 that are present up to 4.0.1 (I have not tested it yet). Install version 3.5.8 with LibreSSL 2.1.6, and everything will work as it should.
