Dear,
I compiled Squid 3.3.3 on a Debian 7 with the --enable-ssl and
--enable-ssl-crtd.
I wish Squid exhibit an error message to the user to access a blocked
page, for example https://www.facebook.com
It worked more or less: imported the root certificate in the browser and
access an HTTPS site when the certificate is displayed correctly.
With the option 'ssl-server-first bump all' active site is not displayed
correctly. The logs showed, for example:
1363716588.893 364 192.168.0.52 TCP_MISS/200 24765 GET
https://www.google.com.br/ - PINNED/2800:3f0:4001:804::101f text/html
Then I applied the following patch:
http://master.squid-cache.org/ amosjeffries ~ / patches /
pinning_hier_note.patch
Now there is no more PINNED displayed in the logs, but even so the sites
do not display correctly.
By accessing facebook.com first is the message's default browser: there
are connection problems. Pressing F5 displays properly Squid page with
the message Access Denied.
Below my squid.conf:
#
# Recommended minimum configuration:
#
# Example rule Allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# Should be allowed
acl localnet src 10.0.0.0 / 8 # RFC1918 Possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 Possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 Possible internal network
acl localnet src FC00 :: / 7 # RFC 4193 private network range site
acl localnet src fe80 :: / 10 # RFC 4291 link-local (Directly plugged)
machines
SSL_ports port 443 acl
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # http multiling
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow access from localhost cachemgr
http_access allow manager localhost
http_access deny manager
# Deny requests to Certain unsafe ports
http_access deny! Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT! SSL_ports
# We strongly recommend The Following be uncommented to protect innocent
# Web applications running on the proxy server who think the only
# One who can access services on "localhost" is a local user
# Http_access deny to_localhost
#
# INSERT YOUR OWN RULE (S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl block url_regex .facebook.com
http_access deny block
# Example rule Allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# From where browsing Should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Normally Squid listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size 4MB cert=/etc/squid3/ssl_cert/bnpapel.pem
sslcrtd_program /usr/src/squid-3.3.3/src/ssl/ssl_crtd-s
/etc/squid3/ssl_cert/ssl_db-M 4MB
sslcrtd_children 5
# # SSL Settings
ssl_bump first-server all
sslproxy_cert_error deny all
# Uncomment and adjust the Following to add a disk cache directory.
# Cache_dir ufs / var / cache / squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir / var / cache / squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ ftp:1440 20 10 080%
refresh_pattern ^ gopher: 1440 0% 1440
refresh_pattern-i (/ cgi-bin / | \?) 0 0% 0
refresh_pattern. 0 20% 4320
Received on Tue Mar 19 2013 - 19:27:58 MDT
This archive was generated by hypermail 2.2.0 : Wed Mar 20 2013 - 12:00:06 MDT