Jordan-CG, 2018-05-17 15:03:48

Squid 4 + HTTPS (no certificate spoofing) — why doesn't HTTPS traffic filtering work?

Hello.
Squid v4 is built with HTTPS support (without certificate substitution). On the clients, group policy configures the browser's proxy settings through wpad.dat. I cannot get connections terminated by "ssl_bump terminate blocked".

ll blocked_https.txt

-rw-r--r--. 1 root squid 19 May 14 18:43 /etc/squid/acl/blocked_https.txt

squid -v

Squid Cache: Version 4.0.24
Service Name: squid

This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--enable-async-io=8' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--disable-maintainer-mode' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=kerberos_ldap_group,wbinfo_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--without-nettle' '--enable-ltdl-convenience' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro' 'CXXFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC'

squid.conf

# --- Authentication helpers ---------------------------------------------------
# Negotiate (Kerberos, with an NTLM fallback through negotiate_wrapper) is offered
# first, then plain NTLM, then Basic against the directory over LDAP.
auth_param negotiate program /usr/local/bin/negotiate_wrapper --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/[email protected] --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off

# Basic auth delivers the user's password to the proxy in cleartext on every
# request; it is the fallback for clients that cannot do Negotiate/NTLM.
# The LDAP bind password is read from /etc/squid/basic_auth_pass — keep that
# file readable by the squid user only.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -v 3 -P -R -b "dc=sth,dc=local" -D [email protected] -W /etc/squid/basic_auth_pass -f sAMAccountName=%s -h dc-srv-1.sth.local dc-2.sth.local
auth_param basic children 20
auth_param basic realm "SQUID Proxy Server Basic authentication"
# Accepted Basic credentials are re-validated against LDAP only every 2 hours.
auth_param basic credentialsttl 2 hours

# Group-membership helper: resolves the authenticated %LOGIN against directory
# groups, results cached for an hour; uses the same bind account/password file
# as Basic auth above.
# NOTE(review): this line appears truncated as shown ("(memberof:$") — the LDAP
# filter is incomplete here.
external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -v 3 -P -R -K -b "DC=sth,DC=local" -D "[email protected]" -W /etc/squid/basic_auth_pass -f "(&(objectclass=person)(sAMAccountName=%v)(memberof:$

# --- ACL definitions ----------------------------------------------------------
# Matches once the client has presented valid proxy credentials.
acl auth proxy_auth REQUIRED
# Group-based policy classes; each file lists the group(s) checked by the
# memberof helper.
acl InternetDeny external memberof "/etc/squid/acl/group_deny"
acl InternetFull external memberof "/etc/squid/acl/group_full"
acl InternetDenyByBlackList external memberof "/etc/squid/acl/group_deny_by_blacklist"
acl InternetAllowByWhiteList external memberof "/etc/squid/acl/group_allow_by_whitelist"

# Destination-domain lists used by the group rules below.
acl SitesAllow dstdomain "/etc/squid/acl/sites_allow"
acl SitesDeny dstdomain "/etc/squid/acl/sites_deny"
acl SitesPriority dstdomain "/etc/squid/acl/sites_priority"

# WSUS clients (by source address) and the update domains they may reach
# without authenticating (see http_access below).
acl WUServersLocal src "/etc/squid/acl/computers_wsus"
acl WUSitesGlobal dstdomain "/etc/squid/acl/sites_wsus"
# Only 10/8 and 192.168/16 count as local; 172.16/12 from RFC1918 is not
# listed — presumably intentional.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
dns_nameservers 10.255.200.3
dns_nameservers 192.168.1.12

# Case-insensitive URL block list; for CONNECT requests the regex is matched
# against "host:port", not a full URL.
acl blacklist url_regex -i "/etc/squid/acl/blacklist_all.txt"
# --- Access rules: first match wins, so the order below is significant --------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blacklist localnet
http_access allow localhost manager
# NOTE(review): the cache manager is reachable from the whole localnet, not
# just administrator hosts.
http_access allow localnet manager
http_access deny manager
# NOTE(review): every CONNECT (i.e. all HTTPS) from localnet is allowed here,
# before "deny !auth" and before the group/site rules below. HTTPS therefore
# requires no authentication and is not subject to the InternetDeny/SitesDeny/
# whitelist logic; only the port and blacklist checks above and the ssl_bump
# rules (on ports carrying the ssl-bump flag) can stop it.
http_access allow localnet CONNECT
http_access allow localhost
http_access allow WUSitesGlobal WUServersLocal
http_access allow SitesPriority localnet
# Unauthenticated plain-HTTP requests stop here with a 407 challenge.
http_access deny !auth
http_access deny InternetDeny all
http_access allow SitesAllow localnet
http_access deny InternetAllowByWhiteList
http_access allow InternetFull auth localnet
http_access deny SitesDeny localnet
http_access allow InternetDenyByBlackList
http_access allow localnet #for allow tcp_denied 407
http_access deny all

# --- TLS / SSL-Bump -----------------------------------------------------------
# NOTE(review): TLS 1.0 is still accepted towards origin servers; raise this
# unless a known legacy server requires it.
tls_outgoing_options min-version=1.0
# NOTE(review): the ssl-bump flag on this port is commented out. ssl_bump rules
# are only consulted for CONNECT requests on ports configured with ssl-bump, so
# tunnels arriving on 3128 are never evaluated by "ssl_bump terminate blocked".
# If the WPAD file points browsers at 3128 (as seems likely), that would explain
# the reported behaviour — confirm which port the clients actually use.
http_port 3128 #intercept #options=ALL:NO_SSLv3:NO_SSLv2 ssl-bump connection-auth=off tls-cert=/etc/squid/squidCA.pem
# Intercept port bound to loopback: reachable only through a local NAT/redirect
# rule, not by proxy-configured clients. generate-host-certificates=off means no
# per-site certificates are minted, so only peek/splice/terminate are usable here.
https_port 127.0.0.1:3129 intercept ssl-bump connection-auth=off generate-host-certificates=off tls-cert=/etc/squid/squidCA.pem
http_port 3130 #options=ALL:NO_SSLv3:NO_SSLv2 # disabled by rfc6178
# NOTE(review): accepts origin certificates with ANY validation error, and the
# next line also skips hostname matching; together they disable server-
# certificate checking on every TLS connection Squid negotiates itself. Scope
# this to a named ACL if one specific server needs it, otherwise drop both.
sslproxy_cert_error allow all
tls_outgoing_options flags=DONT_VERIFY_DOMAIN
# Never route through a peer/parent.
always_direct allow all
# SNI-based block list for HTTPS.
acl blocked ssl::server_name "/etc/squid/acl/blocked_https.txt"
# Defined but not referenced by any ssl_bump rule in this file.
acl nobumpSites ssl::server_name "/etc/squid/acl/nobump_sites.txt" #
acl step1 at_step SslBump1
# Step 1: peek at the ClientHello to learn the SNI without altering the handshake.
ssl_bump peek step1
# Step 2: if the SNI matched the block list, close both connections. terminate
# drops the TCP connection, so the browser shows a connection error rather than
# a Squid error page.
ssl_bump terminate blocked
# Everything else is passed through untouched (no certificate substitution).
ssl_bump splice all
# Certificate-generator helper; only exercised when host certificates are
# generated, which the port flags above disable.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

# --- Cache sizing -------------------------------------------------------------
cache_mem 4096 MB
# NOTE(review): maximum_object_size_in_memory is set twice (here and as 512 KB
# below); Squid keeps the last value it parses, so this line is dead — remove
# one of the two.
maximum_object_size_in_memory 4096 MB
minimum_object_size 3 KB
cache_replacement_policy heap GDSF
cache_dir aufs /var/spool/squid 20000 49 256
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

cache_log /var/log/squid/cache.log
# NOTE(review): the ",3" level sits behind the comment marker, so only the
# section name "ALL" is given here; check cache.log for the level actually applied.
debug_options ALL #,3
coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# --- Proxy identity / information-leakage controls ----------------------------
cache_mgr [email protected]
# Hide the Squid version string from HTTP headers and HTML error pages.
httpd_suppress_version_string on
visible_hostname PROXY

# Russian-language error pages (terminated TLS tunnels cannot display them).
error_directory /usr/share/squid/errors/ru
error_default_language ru

dns_v4_first on
acl to_ipv6 dst ipv6
# Fixed source address for IPv4 upstream connections.
tcp_outgoing_address 10.255.0.122 !to_ipv6

# Do not reveal client addresses to origin servers via X-Forwarded-For.
forwarded_for delete


1 answer(s)
Denis Sechin, 2018-05-17
@tamogavk

It only worked for me on Squid 3.5.8; on newer versions it either lags or does not work at all.
