Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Andrew2021-11-04 23:15:16
Squid
Andrew, 2021-11-04 23:15:16

Squid 4.13 transparent proxy without certificate spoofing, ssl_error_rx_record_too_long, what_am_I_doing_wrong?

Squid in transparent proxy mode without certificate substitution via https normally opens gosuslugi.ru and heaps of other sites, but classmates, VKontakte, YouTube and a bunch of others give a hack with an error in FF: ssl_error_rx_record_too_long. I have no problems with http. There are no such problems on squid 3.5.8 prepared according to the recipe on Habré, I try to use modern Debian11 and there is version 4.13-10 in turnips, but I rebuilt it with options for https. For those who have the opportunity to help me, I'll post a simplified config with a minimum of filtering.

workers 2
dns_nameservers 127.0.0.1

acl localnet src 10.15.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128 intercept
http_port 3130
https_port 3129 intercept ssl-bump connection-auth=off cert=/etc/squid/squidca_dron.pem

cache deny all
always_direct allow all
sslproxy_cert_error allow all

#укажем правило со списком блокируемых ресурсов (в файле домены вида .domain.com)
acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1

#терминируем соединение, если клиент заходит на запрещенный ресурс
ssl_bump terminate blocked 
ssl_bump splice all

#openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout squidca_dron.pem -out squidca_dron.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

dns_v4_first on

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
N
Nikolai Savelyev2017-05-24 09:56:58
Why does firefox stop working? 1Reply
P
Prog2017-06-19 15:14:43
Building squid 3.5.26 on Debian jessie, compilation error? 2Reply
E
Egor Mikheev2015-07-16 01:27:07
What are some lightweight alternatives to squid? 1Reply
I
Ivan Semenov2017-08-21 09:52:33
How to configure Dansguardian to correctly filter the page by phrases? 0Reply
E
Evgeny Petryaev2020-02-07 13:30:57
Search history by ip? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question