Re: [squid-users] Re: SSL Sites bypass interception

From: Linos <info_at_linos.es>
Date: Sat, 02 Jun 2012 18:17:30 +0200

El 02/06/12 17:02, Jambaz escribió:
> Hi my friends , and thanks for your helps
Hi! My replies are inline.

> I have followed your suggest...but when i try to start squid it give me an
> error like:
>
> FATAL: Bungled squid.conf line 48: http_port 3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> cert=/etc/squid3/ssl_cert/cert.pem
> Squid Cache (Version 3.1.19): Terminated abnormally.
> CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
> Maximum Resident Size: 13488 KB
> Page faults with physical i/o: 0
I think this is the exact error you get when squid has been compiled without the
"--enable-ssl --enable-ssl-crtd" configure switches.

>
> From the guid that you have me posted , i have don't very well understand ,
> when it tell me to prepare directory for caching certificates:
>
> /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
>
> i have to create first this directory or i have to use the directory in the
> squid.conf ?
You have to run this "ssl_crtd" command to get the directory created; afterwards, make
sure that the OS user that runs squid ("proxy" on Debian, for example) has
permissions on this newly created directory, and after that you have to reference it in
squid.conf.

>
> i also don't found where i have to use this command ./configure
> --enable-ssl --enable-ssl-crtd , sorry for this question
This command has to be run in the squid source tree before compiling with make
and installing with make install. I usually change the configure flags of the
Debian or Ubuntu source package and install from that rather than directly with make,
but it is a matter of taste.

> here is my squid.conf
>
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl lan src 192.168.1.50/32 192.168.2.0/24
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
> acl SSL_ports port 443 # https
> acl Safe_ports port 25 # smtp
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 111 # ftp 2
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 3306 # MySql
> acl Safe_ports port 9100 # Stampante
> #acl broken_sites dstdomain .facebook.com
> acl purge method PURGE
> acl CONNECT method CONNECT
> #acl bad_url dstdomain "/etc/squid3/bad-sites.squid"
> #acl blockfiles urlpath_regex "/etc/squid3/blockfiles.squid"
> #ssl_bump deny broken_sites
> #ssl_bump allow all
> http_access allow lan
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> # http_access deny bad_url
> # http_access deny blockfiles
> # http_access deny reqmsn
> # http_reply_access deny repmsn
> http_access allow localhost
> http_access deny all
> http_port 3128 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> #http_port 3130 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> ssl_bump allow all
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> #sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 32
> icp_access allow lan
> icp_access deny all
> ie_refresh on
> visible_hostname localhost
> hosts_file /etc/hosts
> # dns_nameservers 192.168.2.100 192.168.2.101 151.99.125.1 151.99.125.3
> coredump_dir /var/spool/squid3
> maximum_object_size 16 MB
> cache_mem 32 MB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap LFUDA
> cache_dir ufs /var/spool/squid 15000 16 256
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> store_avg_object_size 50 KB
> url_rewrite_children 30
> redirect_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
> redirect_children 30
>
> --
Received on Sat Jun 02 2012 - 16:17:38 MDT
