linux
Denis Sechin, 2017-08-30 15:59:26

Squid 3.5.12 transparent without certificate spoofing on Ubuntu 16: problems with facebook etc.?

I got squid 3.5.12 with support for open-ssl 1.0.2g on ubuntu 16. It seems to work, but there are problems with access: for example, it doesn't go to facebook, and even if it gets to the main page, it's impossible to follow the urls; a site such as olx.ua doesn't work for me personally, and sometimes gmail falls off. The cache log is constantly filling with this:


SECURITY ALERT: By user agent:
2017/08/30 13:42:14.268 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/08/30 13:42:14.424 kid1| SECURITY ALERT: Host header forgery detected on local=18.194.13.28:443 remote=10.49.1.230:50963 FD 1094 flags=33 (local IP does not match any domain IP)
2017/08/30 13:42:14.424 kid1| SECURITY ALERT: By user agent:

Here is the config:

I omit standard directives
http_port 10.10.1.254:3128 intercept options=NO_SSLv3:NO_SSLv2
https_port 10.10.1.254:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
http_port 10.10.1.254:3130 options=NO_SSLv3:NO_SSLv2
dns_nameservers 127.0.0.1
# Accept certificates even if they fail validation.
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#----------------------------------------------------------
#https.................................
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked !localnet
ssl_bump splice all
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#----------------------------------------------------------
#-----------Don't bump-------------------------------------
acl nobumpSites ssl::server_name "/etc/squid/ssl_nobump.url"
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump bump all

Has anyone struggled with this? Very grateful.
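As an added example (not from this thread), a small parser for the cache.log alerts quoted above: it pairs each "on URL" line with the "Host header forgery detected" line that follows it and summarises which LAN clients trigger it and which destination addresses were seen per hostname. Many distinct destination IPs for one hostname point to clients and Squid resolving the name through different DNS views (typical for CDN-hosted sites) rather than real forgery. The sample log reuses the question's three lines; the remaining lines and the addresses 192.0.2.10 and 18.194.13.29 are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines 1-3 are quoted from the question, the rest are made up
# (192.0.2.10 is a documentation-range placeholder) to show a second client and host.
SAMPLE_LOG = """\
2017/08/30 13:42:14.268 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/08/30 13:42:14.424 kid1| SECURITY ALERT: Host header forgery detected on local=18.194.13.28:443 remote=10.49.1.230:50963 FD 1094 flags=33 (local IP does not match any domain IP)
2017/08/30 13:42:14.424 kid1| SECURITY ALERT: By user agent:
2017/08/30 13:42:20.001 kid1| SECURITY ALERT: on URL: mail.google.com:443
2017/08/30 13:42:20.110 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.10:443 remote=10.49.1.231:51000 FD 1101 flags=33 (local IP does not match any domain IP)
2017/08/30 13:42:20.110 kid1| SECURITY ALERT: By user agent:
2017/08/30 13:42:31.500 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/08/30 13:42:31.640 kid1| SECURITY ALERT: Host header forgery detected on local=18.194.13.29:443 remote=10.49.1.230:50970 FD 1120 flags=33 (local IP does not match any domain IP)
"""

URL_RE = re.compile(r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: on URL: (?P<url>\S+)$")
FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected "
    r"on local=(?P<local>\S+) remote=(?P<remote>\S+) FD \d+ flags=\d+ \((?P<reason>[^)]*)\)$"
)

def parse_alerts(text):
    """Pair each 'on URL' line with the forgery line that follows it."""
    alerts, pending_url = [], None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group("url")
            continue
        m = FORGERY_RE.match(line)
        if m:
            dest_ip, _, dest_port = m.group("local").rpartition(":")   # intercepted destination
            client_ip, _, _ = m.group("remote").rpartition(":")        # LAN client
            alerts.append({"ts": m.group("ts"), "url": pending_url, "dest_ip": dest_ip,
                           "dest_port": int(dest_port), "client_ip": client_ip,
                           "reason": m.group("reason")})
            pending_url = None
    return alerts

def summarize(alerts):
    """Alerts per client, and the set of destination IPs seen per URL."""
    by_client = Counter(a["client_ip"] for a in alerts)
    dest_ips = defaultdict(set)
    for a in alerts:
        dest_ips[a["url"]].add(a["dest_ip"])
    return {"by_client": dict(by_client),
            "dest_ips_by_url": {u: sorted(ips) for u, ips in dest_ips.items()}}
```

Run it against a real cache.log with `parse_alerts(open("/var/log/squid/cache.log").read())`; if the same hostname keeps mapping to different destination IPs, point the clients at the same resolver Squid uses (dns_nameservers) before suspecting a Squid bug.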

1 answer(s)
Denis Sechin, 2017-09-01
@tamogavk

Version 3.5.12 is buggy; you need to build 3.5.8 with openssl, then everything works.
