Hello!
Can you help me with the correct settings for squid to use skype?
My current config.
# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads'
'--with-included-ltdl' '--disable-arch-native' '--enable-ecap'
'--without-nettle' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience
#cat squid.conf
http_port 3128 options=NO_SSLv3:NO_SSLv2
http_port 192.168.10.240:3125 intercept options=NO_SSLv3:NO_SSLv2
https_port 192.168.10.240:3126 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/opt/squid_certs/squid.pem key=/opt/squid_certs/squid.pem dhparams=/opt/squid_certs/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
sslproxy_cipher HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/lists/url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#cat /etc/squid/lists/url.nobump
microsoft\.com
update\.microsoft\.com
update\.microsoft\.com\.akadns\.net
mobile\.pipe\.aria\.microsoft\.com
prd\.col\.aria.mobile\.skypedata\.akadns\.net
pipe\.skype\.com
pipe\.prd\.skypedata\.akadns\.net
api\.asm\.skype\.com
apps\.skype\.com
wildcard\.skype\.com\.edgekey\.net
e4593\.g\.akamaiedge\.net
\.skype\.com
\.skypeassets\.com
etag\.prod\.registrar\.skype\.com
prod\.registrar\.skype\.com
go\.trouter\.io
With this setup I have a problem with group chats, calls and attachments in
messages.
Attachments are sent, but not delivered to the respondent.
I am unable to create group chats, and if one is created, the respondents do not
see the chat or cannot make calls.
I tried adding an IP regexp to the access list, but after that all https traffic
was spliced.
Skype works well when I change ssl_bump bump all to ssl_bump splice all.
How can I exclude skype from SSL bumping?
Thank you.
--
Evgeniy Kononov
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
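
A way to audit the url.nobump list from the message above offline, as an added example that is not part of the original post and not Squid code: it reports whether a given server name would be spliced or bumped by the posted rule order, and which list entries are already covered by a shorter entry. It assumes ssl::server_name_regex -i acts as an unanchored, case-insensitive search; the function names and the sample host names are constructed for illustration.

```python
import re

# Patterns copied from /etc/squid/lists/url.nobump as posted above.
NOBUMP = r"""
microsoft\.com
update\.microsoft\.com
update\.microsoft\.com\.akadns\.net
mobile\.pipe\.aria\.microsoft\.com
prd\.col\.aria.mobile\.skypedata\.akadns\.net
pipe\.skype\.com
pipe\.prd\.skypedata\.akadns\.net
api\.asm\.skype\.com
apps\.skype\.com
wildcard\.skype\.com\.edgekey\.net
e4593\.g\.akamaiedge\.net
\.skype\.com
\.skypeassets\.com
etag\.prod\.registrar\.skype\.com
prod\.registrar\.skype\.com
go\.trouter\.io
""".split()

# Assumption: ssl::server_name_regex -i is an unanchored, case-insensitive
# search; Python's re gives the same result for these simple patterns.
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in NOBUMP]

def decision(server_name):
    """Return ('splice', pattern) for the first matching entry, else ('bump', None)."""
    for pattern, rx in COMPILED:
        if rx.search(server_name):
            return ("splice", pattern)
    return ("bump", None)

def shadowed():
    """Entries that contain another entry verbatim, so they can never add a match."""
    return [p for p in NOBUMP if any(q != p and q in p for q in NOBUMP)]

if __name__ == "__main__":
    # Constructed sample names, not taken from any log.
    for name in ("api.asm.skype.com", "skype.com",
                 "microsoft.com.example.net", "203.0.113.7"):
        print(f"{name:28} {decision(name)}")
    print("covered by a shorter entry:", shadowed())
```

Because the search is unanchored, microsoft\.com also splices names that merely contain that string, while a connection identified only by an IP address matches no entry and falls through to ssl_bump bump all.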