I'm trying to set up squid for my wifi, which is mainly for cell phones and a TV box, with ssl-bump for the sake of bandwidth saving and my kids' protection. Is it possible for squid to directly inject the root CA as per request by applications? As I found it hard to set up my root CA for cellphone apps. I had tried installing it using the user credential setup but it still failed, and it is impossible for me to reflash the Android OS just to install the CA cert into the trusted credentials table. I had tried ssl_bump option combinations with no luck; peek and bump produce a lot of handshake errors. Here's my squid.conf; just guide me to the right way.
###################################################
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3127 intercept
https_port 10.0.1.2:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem

#############################################################
# tproxy setting
# ausearch -c 'squid' --raw | audit2allow -M my-squid
# semodule -i my-squid.pp
#http_port 10.0.1.2:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
http_port 10.0.1.2:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem dhparams=/etc/squid/ssl_cert/dhparam.pem

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir aufs /var/spool/squid 5000 100 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
strip_query_terms off

# semanage fcontext -a -t FILE_TYPE 'index.txt'
#
# where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec
#
# Then execute:
# restorecon -vr 'index.txt'
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_foreign_intermediate_certs /etc/squid/ssl_cert/myca.pem
#sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cafile /etc/squid/ssl_cert/myca.pem
sslproxy_cipher EECDH+ECDSA+AESGCM:E$

acl step1 at_step sslbump1
acl step2 at_step sslbump2
acl step3 at_step sslbump3
ssl_bump stare step1
ssl_bump peek step2
ssl_bump bump step3

# When a peek rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI
# (if any). When a peek rule matches during step 2, Squid proceeds to step3 where it parses the TLS Server Hello
# and extracts server certificate while preserving the possibility of splicing the client and server connections;
# peeking at the server certificate usually precludes future bumping (see Limitations).
#ssl_bump peek all

# When a stare rule matches during step1, Squid proceeds to step2 where it parses the TLS Client Hello and extracts SNI
# (if any). When a stare rule matches during step2, Squid proceeds to step3 where it parses the TLS Server Hello and extracts
# server certificate while preserving the possibility of bumping the client and server connections; staring at the server
# certificate usually precludes future splicing (see Limitations).
#ssl_bump stare all

# Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in
# between. Step 1, 2 and sometime 3
#ssl_bump splice all

# Establish a TLS connection with the server (using client SNI, if any) and establish a TLS connection with the client
# (using a mimicked server certificate). However, this is not what actually happens right now if a bump rule matches during
# step1.
#ssl_bump bump all

# Close client and server connections.
#ssl_bump terminate all

acl ARCHIEVES url_regex -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)*
acl PICS url_regex -i \.(gif|png|jp?g|ico|bmp|tiff?)*
acl MOVIES url_regex -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd|ism?)*
acl FILES url_regex -i \.(html|htm|css|js)*
acl IDXS url_regex -i \.index.(html|htm)*
acl GV url_regex -i \.googlevideo\.com*

#never_direct allow ARCHIEVES
#never_direct allow PICS
#never_direct allow MOVIES
#never_direct allow FILES
#never_direct allow IDXS
cache allow ARCHIEVES
cache allow PICS
cache allow MOVIES
cache allow FILES
cache allow IDXS
cache allow GV
#never_direct deny alldst
#always_direct allow alldst

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)* 0 20% 2880
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)* 10080 95% 43200
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)* 10080 90% 43200
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)* 43200 95% 432000
refresh_pattern -i \.(html|htm|css|js)* 1440 75% 40320
refresh_pattern -i \.index.(html|htm)* 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.googlevideo\.com* 43200 95% 432000
refresh_pattern . 1440 90% 10080

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
dns_nameservers 10.0.1.2 192.168.19.2
visible_hostname ws1.ebedsat.net
shutdown_lifetime 3 second
via off
forwarded_for off

logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log logaccess

#
# Add any of your own refresh_pattern entries above these.
#
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320
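A proxy cannot push its CA into a client: the device or app has to trust it before the first bumped handshake, and an app that pins its certificates, or that ignores user-installed CAs (the default for Android apps targeting 7.0 and later), will fail its handshake when bumped no matter what the proxy does. The usual defensive pattern is therefore to peek at the ClientHello to learn the SNI, splice (tunnel untouched) the hosts that cannot be bumped, and bump only the rest. The posted chain instead peeks at the server certificate in step 2 and then tries to bump in step 3, which the comments in the file itself say usually precludes bumping. The fragment below is an added example for the Squid 3.5 directive names used in the post, not the poster's configuration and not from the Squid project; the ACL names, the excluded domains and the CA-bundle path are assumptions for a CentOS/RHEL-style host.

```conf
# Added example (assumed names and paths): peek / splice / bump for Squid 3.5.

# When Squid validates origin servers it acts as a TLS client and needs the public
# CA bundle (path assumed for CentOS/RHEL). Pointing sslproxy_cafile at your own
# myca.pem makes every real origin fail validation, since none chain to it.
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Hosts that must be tunnelled untouched: apps that pin certificates or refuse
# user-installed CAs. Domain names here are placeholders; fill them from the
# hosts whose handshakes fail in access.log.
acl NoBumpSites ssl::server_name .example-bank.com
acl NoBumpSites ssl::server_name .example-messenger.com

# Step 1: read the ClientHello to learn the SNI without committing to anything.
ssl_bump peek step1

# Step 2: the SNI is known, so tunnel the exclusions and decrypt everything else.
ssl_bump splice NoBumpSites
ssl_bump bump all
```

Spliced connections are neither cached nor filtered, so the exclusion list is the price of keeping those apps working. Adding the `%ssl::>sni` token to the `logaccess` logformat records which server name each intercepted connection carried, which is the quickest way to build that list from real traffic and to confirm that a splice rule matched the host you expected. The CA still has to be installed on the devices themselves (Android accepts a PEM or DER export of myca.pem under its user credentials), and only clients that honour user-installed CAs will ever accept the mimicked certificates.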
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users