Hi All,

First week testing the transparent squid proxy on the Raspberry Pi is going 
well so far but I've hit a few snags that I was hoping someone might be able to 
advise on. My current (SSL) config is:


------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

# explicit (non-intercept) port, used by clients with manual proxy settings
http_port 3130

# intercepted plain HTTP and HTTPS (each directive must stay on a single line)
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

# ssl::server_name takes the name list or file directly (no "src" keyword)
acl nobumpserver ssl::server_name "/etc/squid/nobump"
acl step1 at_step SslBump1

ssl_bump peek nobumpserver
ssl_bump splice nobumpserver

ssl_bump stare step1 !nobumpserver
ssl_bump bump !nobumpserver

sslproxy_cafile /etc/squid/ssl_cert/ca-bundle.crt

sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
# upstream certificate errors are accepted and peer verification is disabled
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I've also disabled caching for now since the little pi wasn't quite coping with 
it (I think the flash memory cards they use are a bit slow) and overall 
internet performance was suffering.

-----------------------

My questions are:

1. Are there any techniques / acls to handle streaming content? Ideally I'd 
like all streaming content to be spliced, not bumped.

2. There seems to be a problem with sending larger content over bumped HTTPS 
(receiving is fine). For example WhatsApp and Snapchat receive messages and 
rich content fine and you can send messages fine but trying to send rich 
content like video or images fails with connection errors.

3. Skype doesn't seem to work unless you specify explicit proxy settings in the 
config (point it at the proxy server / 3130 port). Is this to be expected or 
could it be fixed in the config?

4. Sorry, I know this is probably in the wiki, but is there an acl for source 
(client) address? For devices like Smart TVs where it is difficult to install 
the certificate, it would be useful to set these to always splice.

Thanks very much!

Olly
oli...@lennox-it.uk
lennox-it.uk
tel: 07900 648 252
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
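An added example (not from Olly's post or from the Squid project) showing one way to express the two splice rules asked about in questions 1 and 4, using the same SslBump step model as the config above. The client addresses, file paths and the patterns inside the listed files are constructed placeholders:

```conf
# Added example, not part of the original post. Addresses, file paths and the
# contents of the listed files are constructed placeholders.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Question 4: match on the client (source) address.  In intercept mode the
# client IP is known before any TLS bytes are read, so this can be decided at
# step 1.  Constructed addresses for devices that cannot take the proxy CA;
# a quoted file name (one IP or CIDR per line) works here too.
acl nocert_clients src 192.168.1.50 192.168.1.51

# Question 1 and the existing nobump list: match on the TLS SNI name.  The SNI
# is only known after peeking at the ClientHello, i.e. from step 2 onward.
acl nobumpserver ssl::server_name "/etc/squid/nobump"
# Constructed file /etc/squid/streaming_regex with one case-insensitive
# pattern per line, for example:  \.example-video-cdn\.net$
acl streaming ssl::server_name_regex -i "/etc/squid/streaming_regex"

# Step 1: splice immediately for the listed clients; peek at everything else
# so the SNI becomes available for the step-2 decisions.
ssl_bump splice nocert_clients
ssl_bump peek step1

# Step 2: splice the server-name based exceptions, bump the rest.  Bumping
# here generates the forged certificate from the SNI name seen at step 1.
ssl_bump splice nobumpserver
ssl_bump splice streaming
ssl_bump bump all
```

At each step the first matching ssl_bump line wins, which is why the client-address splice sits before the peek. A regex list is easier to maintain than exact names for streaming services that fan out across many CDN hostnames. `squid -k parse` checks the file for syntax errors before `squid -k reconfigure` applies it, and a spliced connection never passes through the cert generator, so watching the access log for those clients confirms the rule is taking effect.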
