if (empty($settings['sslproxy_compatibility_mode']) || ($settings['sslproxy_compatibility_mode'] == 'modern')) {
	// Modern cipher suites
	$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS";
	$sslproxy_options .= ",NO_TLSv1";
} else {
	$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
}
Should the RC4 be removed or allowed?
https://github.com/pfsense/FreeBSD-ports/pull/1365

> On Apr 4, 2024, at 18:17, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
> On 4/04/24 17:48, Jonathan Lee wrote:
>> Is there any particular order to squid configuration??
>
> Yes. <https://wiki.squid-cache.org/SquidFaq/OrderIsImportant>
>
>
>> Does this look correct?
>
> Best way to find out is to run "squid -k parse", which should be done after
> upgrades as well to identify and fix changes between versions as we improve
> the output.
>
>
>> I actually get a lot of hits and it functions amazingly, so I wanted to share
>> this in case I could improve something. Are there any issues with security?
>
> Yes, the obvious one is "DONT_VERIFY_PEER" disabling TLS security entirely on
> outbound connections. That particular option will prevent you even being told
> about suspicious activity regarding TLS.
>
> Also there are a few weird things in your TLS cipher settings, such as this
> sequence " EECDH+aRSA+RC4:...:!RC4 "
> Which as I understand, enables the EECDH with RC4 hash, but also forbids all
> uses of RC4.
>
>
>> I am concerned that an invasive container could become installed in the
>> cache and data marshal the network card.
>
> You have a limit of 4 MB for objects allowed to pass through this proxy,
> exception being objects from domains listed in the "windowsupdate" ACL (not
> all Windows related) which are allowed up to 512 MB.
>
> For the general case, any type of file which can store an image of some
> system is a risk for that type of vulnerability can be cached.
>
> The place to fix that vulnerability properly is not the cache or Squid. It is
> the OS permissions allowing non-Squid software access to the cache files
> and/or directory.
>
>
>
>> Here is my config
>> # This file is automatically generated by pfSense
>> # Do not edit manually !
>
> Since this file is generated by pfsense there is little that can be done
> about ordering issues and very hard to tell which of the problems below are
> due to pfsense and which due to your settings.
>
> FWIW, there are no major issues, just some lines not being necessary due to
> setting things to their default values, or just some blocks already denying
> things that are blocked previously.
>
>
>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> icp_port 0
>> digest_generation off
>> dns_v4_first on
>> pid_filename /var/run/squid/squid.pid
>> cache_effective_user squid
>> cache_effective_group proxy
>> error_default_language en
>> icon_directory /usr/local/etc/squid/icons
>> visible_hostname ****
>> cache_mgr ****
>> access_log /var/squid/logs/access.log
>> cache_log /var/squid/logs/cache.log
>> cache_store_log none
>> netdb_filename /var/squid/logs/netdb.state
>> pinger_enable on
>> pinger_program /usr/local/libexec/squid/pinger
>> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
>> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
>> tls_outgoing_options capath=/usr/local/share/certs/
>> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> tls_outgoing_options flags=DONT_VERIFY_PEER
>> sslcrtd_children 10
>> logfile_rotate 0
>> debug_options rotate=0
>> shutdown_lifetime 3 seconds
>> # Allow local network(s) on interface(s)
>> acl localnet src 192.168.1.0/27
>> forwarded_for transparent
>> httpd_suppress_version_string on
>> uri_whitespace strip
>> acl getmethod method GET
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>> acl windowsupdate dstdomain dc1-st.ksn.kaspersky-labs.com
>> acl windowsupdate dstdomain dc1-file.ksn.kaspersky-labs.com
>> acl windowsupdate dstdomain dc1.ksn.kaspersky-labs.com
>> acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com .static.com .apple.com .oracle.com .sun.com .java.com .adobe.com .steamstatic.com .steampowered.com .steamcontent.com .google.com
>> store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
>> store_id_children 10 startup=5 idle=1 concurrency=0
>> always_direct allow !getmethod
>> store_id_access deny connect
>> store_id_access deny !getmethod
>> store_id_access allow rewritedoms
>> reload_into_ims on
>> max_stale 20 years
>> minimum_expiry_time 0
>
>
> I am not sure how many of these refresh_pattern rules below are written by
> you, copy-pasted from elsewhere, or added automatically by pfsense. So how
> you need to fix the problems here is uncertain.
>
> That said, please consider removing all these override-* and ignore-*.
> <http://www.squid-cache.org/Doc/config/refresh_pattern/>
>
>
>> refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod override-expire ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth
>> #APPLE STUFF
>> refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 refresh-ims
>> #apple update
>> refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200
>> refresh_pattern -i appldnld.apple.com 129600 100% 129600
>> refresh_pattern -i phobos.apple.com 129600 100% 129600
>> refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600
>> # Updates: Windows
>> refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
>> refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200
>> refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> #windows update NEW UPDATE 0.04
>> refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
>> refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200
>> refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern ([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern ([^.]+.)?.akamai.steamstatic.com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?.adobe.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?.java.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?.sun.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?.oracle.com/.*.(zip|exe|tar.gz) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i appldnld.apple.com 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
>> refresh_pattern -i ([^.]+.)?.google.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> #FACEBOOK
>> refresh_pattern ^http?://*.facebook.com/* 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> #FACEBOOK IMAGES
>> refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern -i (facebook.com).(jpg|png|gif) 10080 80% 43200 store-stale override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> #FACEBOOK VIDEO
>> refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>> range_offset_limit 512 MB windowsupdate
>> maximum_object_size 512 MB windowsupdate
>> range_offset_limit 0
>> quick_abort_min -1 KB
>> cache_mem 64 MB
>> maximum_object_size_in_memory 256 KB
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> minimum_object_size 0 KB
>> maximum_object_size 4 MB
>> cache_dir diskd /var/squid/cache 64000 256 256
>> offline_mode off
>> cache_swap_low 90
>> cache_swap_high 95
>> acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
>> cache deny donotcache
>> cache allow all
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> #Remote proxies
>> # Setup some default acls
>> # ACLs all, manager, localhost, and to_localhost are predefined.
>> acl allsrc src all
>> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
>> acl sslports port 443 563 8080 5223 2197
>> acl purge method PURGE
>> acl connect method CONNECT
>> # Define protocols used for redirects
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>> # SslBump Peek and Splice
>> # http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>> # Match against the current step during ssl_bump evaluation [fast]
>> # Never matches and should not be used outside the ssl_bump context.
>> #
>> # At each SslBump step, Squid evaluates ssl_bump directives to find
>> # the next bumping action (e.g., peek or splice). Valid SslBump step
>> # values and the corresponding ssl_bump evaluation moments are:
>> # SslBump1: After getting TCP-level and HTTP CONNECT info.
>> # SslBump2: After getting TLS Client Hello info.
>> # SslBump3: After getting TLS Server Hello info.
>> # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
>> # they can be used there for custom configuration.
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
>> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
>> acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
>> http_access allow manager localhost
>> # Allow external cache managers
>> acl ext_manager src 192.168.1.1
>> acl ext_manager src 127.0.0.1
>> http_access allow manager ext_manager
>> http_access deny manager
>> http_access allow purge localhost
>> http_access deny purge
>> http_access deny !safeports
>> http_access deny CONNECT !sslports
>> # Always allow localhost connections
>> http_access allow localhost
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> quick_abort_pct 95
>> request_body_max_size 0 KB
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 -1/-1
>> delay_initial_bucket_level 100
>> delay_access 1 allow allsrc
>> # Reverse Proxy settings
>> deny_info TCP_RESET allsrc
>> # Package Integration
>> url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
>> url_rewrite_bypass off
>> url_rewrite_children 32 startup=8 idle=4 concurrency=0
>
> Squidguard is very outdated. You should upgrade to its successor ufdbguard if
> possible.
>
>
>
>> # Custom options before auth
>> #host_verify_strict on
>> # These hosts are banned
>> http_access deny banned_hosts
>> # Always allow access to whitelist domains
>> http_access allow whitelist
>> # Block access to blacklist domains
>> http_access deny blacklist
>> # List of domains allowed to logging in to Google services
>> request_header_access X-GoogApps-Allowed-Domains deny all
>> request_header_add X-GoogApps-Allowed-Domains consumer_accounts
>> # Set YouTube safesearch restriction
>> acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
>> request_header_access YouTube-Restrict deny all
>> request_header_add YouTube-Restrict none youtubedst
>> acl sglog url_regex -i sgr=ACCESSDENIED
>> http_access deny sglog
>> # Custom SSL/MITM options before auth
>> acl manager proto cache_object
>> acl localhost src 192.168.1.1/32
>> #cachemgr_passwd disable offline_toggle reconfigure shutdown
>> #cachemgr_passwd secret all
>> acl https_login url_regex -i ^https.*(login|Login).*
>> acl no_miss url_regex -i ^.*gateway.facebook.com/ws/realtime?
>> acl no_miss url_regex -i ^.*web-chat-e2ee.facebook.com/ws/chat
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>> http_access deny manager
>> acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
>> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
>> sslproxy_cert_error deny all
>> acl splice_only src 192.168.1.8 #Tasha iPhone
>> acl splice_only src 192.168.1.10 #Jon iPhone
>> acl splice_only src 192.168.1.11 #Amazon Fire
>> acl splice_only src 192.168.1.15 #Tasha HP
>> acl splice_only src 192.168.1.16 #iPad
>> acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.nobump'
>> acl markBumped annotate_client bumped=true
>> acl bump_only src 192.168.1.3 #webtv
>> acl bump_only src 192.168.1.4 #toshiba
>> acl bump_only src 192.168.1.5 #imac
>> acl bump_only src 192.168.1.9 #macbook
>> acl bump_only src 192.168.1.13 #dell
>
> You have a previous "cache allow all". This below rule does nothing.
>
>> cache deny https_login
>> ssl_bump peek step1
>> miss_access deny no_miss
>> ssl_bump splice https_login
>> ssl_bump splice splice_only
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump bump_only markBumped
>> ssl_bump stare all
>> acl markedBumped note bumped true
>> url_rewrite_access deny markedBumped
>> http_access deny all
>> read_ahead_gap 32 KB
>> negative_ttl 1 second
>> connect_timeout 30 seconds
>> request_timeout 60 seconds
>> half_closed_clients off
>> shutdown_lifetime 10 seconds
>> negative_dns_ttl 1 seconds
>> ignore_unknown_nameservers on
>> pipeline_prefetch 100
>> #acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
>> #ssl_bump bump SSLIntercept
>
> You already have an earlier "http_access deny all". The below lines do
> nothing.
>
>> # Setup allowed ACLs
>> # Allow local network(s) on interface(s)
>> http_access allow localnet
>> # Default block all to be sure
>> http_access deny allsrc
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
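Added here as a worked check, not pfSense or Squid code: Python's ssl module hands a cipher string to the linked OpenSSL (the library Squid also uses for these options), so it shows what the two pfSense strings from the top of this mail actually expand to and whether the EECDH+aRSA+RC4 token still contributes anything once !RC4 is present. Function and constant names are my own; the only inputs are the two strings from the PHP above.

```python
import ssl

# Both strings are copied from the pfSense PHP quoted at the top of this mail.
# "modern" drops HIGH and adds !SHA1; the else branch keeps HIGH.
MODERN = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS"
)
COMPAT = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:"
    "!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def expand(cipher_string):
    """Names of the TLS 1.2-and-below suites OpenSSL keeps for cipher_string,
    in negotiation order. TLS 1.3 suites are configured separately in OpenSSL
    and ignore this string, so they are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing survives
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def without_token(cipher_string, token):
    """Drop one colon-separated rule from the string, keeping the order."""
    return ":".join(t for t in cipher_string.split(":") if t != token)


def rc4_ciphers(cipher_string):
    """Any RC4 suite that survives. A '!' rule deletes matching suites for
    good, so '!RC4' wins over 'EECDH+aRSA+RC4' wherever the latter appears."""
    return [n for n in expand(cipher_string) if "RC4" in n]


def token_is_dead(cipher_string, token):
    """True when removing the rule changes nothing, i.e. it is safe to drop."""
    return expand(cipher_string) == expand(without_token(cipher_string, token))


def dropped_by_modern():
    """Suites the compatibility string allows but the modern one does not
    (what HIGH added, plus the CBC-SHA1 suites that !SHA1 removes)."""
    return sorted(set(expand(COMPAT)) - set(expand(MODERN)))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, s in (("modern", MODERN), ("compat", COMPAT)):
        print(label, "suites:", len(expand(s)), "RC4:", rc4_ciphers(s),
              "EECDH+aRSA+RC4 redundant:", token_is_dead(s, "EECDH+aRSA+RC4"))
    print("only in compat:", dropped_by_modern())
```

The same check can be run on any cipher= string from squid.conf before a reload; a token that token_is_dead() reports as redundant can be removed without changing what Squid negotiates.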
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users