Hi,
Thank you for looking at my question.
I dowloaded the squid 4.6 source code from
http://ftp.debian.org/debian/pool/main/s/squid/ and selected
squid_4.6.orig.tar.gz, squid_4.6-1+deb10u4.debian.tar.xz and
squid_4.6-1+deb10u4.dsc. I modified the debian/rules file by adding to
DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl, --enable-ssl and
--enable-ssl-crtd.
The squid -v output is :
Squid Cache: Version 4.6
Service Name: squid
Raspbian linux
This binary uses OpenSSL 1.0.2q 20 Nov 2018. For legal restrictions
on distribution see https://www.openssl.org/source/license.html
configure options: '--build=arm-linux-gnueabihf' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid'
'--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2
-fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security
-Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++'
'--with-build-environment=default' '--enable-build-info=Raspbian
linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man'
'--enable-inline' '--disable-arch-native' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,SMB_LM'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap'
'--disable-translation' '--with-swapdir=/var/spool/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--with-gnutls' '--with-openssl'
'--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter'
'build_alias=arm-linux-gnueabihf' 'CC=arm-linux-gnueabihf-gcc'
'CFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2
-fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security'
When I run openssl version I get 1.1.1d.
I hope it helps.
Best regards,
JF
Le 03/01/2021 à 21:55, ngtech1...@gmail.com a écrit :
Hey,
I am missing a bit of the context, like:
Did you self compiled squid? Is it from the OS repository?
Squid -v might help a bit to understand what you do have enabled in
your Squid.
Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com>
Zoom: Coming soon
*From:* squid-users <squid-users-boun...@lists.squid-cache.org> *On
Behalf Of *jean francois hasson
*Sent:* Thursday, December 31, 2020 11:10 AM
*To:* squid-users@lists.squid-cache.org
*Subject:* [squid-users] Setting up a transparent http and https proxy
server using squid 4.6
Hi,
I am trying to create for my home network a transparent proxy to
implement filtering rules based on website names mainly.
I have been looking at using a Raspberry pi 3B+ running pi OS. I
configured it to be a Wifi access point using RaspAP quick install.
The Wifi network on which the filtering option is to be implemented is
with IP 10.3.141.xxx. The router is at address 10.3.141.1.
I have the following squid.conf file which I tried to create based on
different mails, websites and blogs I read :
acl SSL_ports port 443 #https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#Le réseau local
acl LocalNet src 10.3.141.0/24
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
#Définition des autorisations
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow LocalNet
http_access deny all
#Définition des ports d'écoute
http_port 8080
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
tls-cert=/etc/squid/cert/example.crt \
tls-key=/etc/squid/cert/example.key \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /cache 400 16 256
cache_access_log /var/log/squid/access.log
cache_effective_user proxy
If I set up on a device connected to the access point a proxy manually
ie 10.3.141.1 on port 8080, I can access the internet. If I put the
following rules for iptables to use in files rules.v4 :
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT
--to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT
Now, if I remove the manual proxy configuration of the device
connected to the access point, I can't connect to the internet. If I
leave the manual proxy configuration it does work and there is
activity logged in /var/log/squid/access.log.
Please let me know what might be wrong in my configuration if possible.
Best regards,
JF
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
