Tested with removal of IP, and port failed. If I leave port I get this:

2024/07/12 09:15:17| Processing: http_port :3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/12 09:15:17| FATAL: http_port: failed to resolve Host/IP:
2024/07/12 09:15:17| Not currently OK to rewrite swap log.
2024/07/12 09:15:17| storeDirWriteCleanLogs: Operation aborted.
2024/07/12 09:15:17| FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: http_port :3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
2024/07/12 09:15:17| Squid Cache (Version 5.8): Terminated abnormally.
> On Jul 12, 2024, at 09:09, Jonathan Lee <[email protected]> wrote:
>
> Thanks, I fixed the firewall rules. I am trying tproxy and it seems to help
> with speed right now.
> Sent from my iPhone
>
>> On Jul 12, 2024, at 04:57, Amos Jeffries <[email protected]> wrote:
>>
>> On 12/07/24 11:50, Jonathan Lee wrote:
>>>> I recommend changing your main port to this:
>>>>
>>>> http_port 3128 ssl-bump ....
>>> This is set to this when it processes
>>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
>>> cafile=/usr/local/share/certs/ca-root-nss.crt
>>> capath=/usr/local/share/certs/
>>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
>>> tls-dh=prime256v1:/etc/dh-parameters.2048
>>> options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
>>
>> The key thing here was the removal of the IP address, so that Squid received
>> both the 192.168.*.* and the 127.0.0.* traffic without needing separate
>> http_port lines.
>>
>>
>>>> and receiving the intercepted traffic on:
>>>>
>>>> http_port 3129 intercept ssl-bump …
>>> Do you mean https?
>>
>> Sorry. I missed that you had an https_port using 3129 already.
>>
>>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem
>>> cafile=/usr/local/share/certs/ca-root-nss.crt
>>> capath=/usr/local/share/certs/
>>> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
>>> tls-dh=prime256v1:/etc/dh-parameters.2048
>>> options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
>>> Https uses that port 3129.
>>> What should I adapt,
>>> http_port
>>> https_port?
>>
>> Both.
>>
>> FYI, there are two issues:
>>
>> 1) Listening on IP 127.0.0.1. Inside the OS there are different devices for
>> localhost (lo) and WAN (eg. eth0). NAT is problematic already without
>> introducing any tricky behaviours from bridging those "private" (lo) and
>> "public" WAN devices.
>>
>> The simplest solution is just not to put any IP address on the squid.conf
>> *port line(s) with intercept options. The OS will select one appropriate for
>> whatever device and tell Squid on a per-connection basis.
>>
>> The more difficult way is to put one of the machine's "global" (WAN or LAN)
>> IP addresses, in your case 192.168.1.1. With most connections being from the
>> LAN, that minimizes the possible problems.
>>
>>
>> 2) Listening on a well-known proxy port 3128 for intercepted traffic.
>>
>> There is malware in existence that scans for at least port 3128 (likely
>> 1080, 8080 etc. common proxy ports) being used by proxies like yours and
>> abuses them. As a result, at least one popular antivirus network scanner
>> (from Trend) does the same scan to detect insecure proxies.
>>
>> The worst thing about this situation is that the NAT very effectively hides
>> the malware, so it is extremely hard to see whether it is happening to you.
>>
>>
>> I am not sure what UI you are using to show those firewall rules in your
>> other email. However, the one that had ALLOW for the port range 3128-3129
>> worries me. AFAIK that should only be for 3128, with a separate rule somewhere
>> else to drop the intercepted port 3129 traffic pre-NAT.
>>
>>
>> HTH
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> [email protected]
>> https://lists.squid-cache.org/listinfo/squid-users
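As an added check (my own script, not code from this thread and not part of Squid), the following lints the http_port/https_port lines of a squid.conf for the three problems the thread turns on: an empty host before the colon (the ":3128" form that made Squid log "failed to resolve Host/IP"), an explicit address on an intercept or tproxy port, and intercepted traffic on one of the proxy ports Amos names as scanned for (3128, and likely 8080 and 1080). The embedded configuration is a constructed sample, and the names lint_ports and lint_sample are assumptions of this example, not Squid directives.

```shell
#!/bin/sh
# Constructed sample squid.conf fragment for the demonstration (not the
# thread's full configuration). The ssl-bump options are shortened.
SAMPLE_CONF='
# forward proxy on the LAN address: acceptable
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on
# intercept port bound to loopback: finding (explicit address)
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
# empty host before the colon, and intercept on 3128: two findings
http_port :3128 intercept ssl-bump
# plain forward proxy, no address: clean
http_port 3128 ssl-bump
# intercept on its own port, no address: clean
https_port 3129 intercept ssl-bump
# IPv6 forward listener, last-colon split keeps the address whole: clean
http_port [::1]:3130 ssl-bump
# tproxy on a common proxy port: finding
http_port 8080 tproxy ssl-bump
'

# lint_ports: reads squid.conf text on stdin and prints one finding per line.
# Exit status is 0 when nothing was flagged, 1 otherwise (usable in CI).
lint_ports() {
    awk '
    BEGIN {
        # Ports the thread describes as probed by malware and AV scanners.
        known["3128"] = 1; known["8080"] = 1; known["1080"] = 1
    }
    $1 == "http_port" || $1 == "https_port" {
        spec = $2; mode = "forward"
        for (i = 3; i <= NF; i++)
            if ($i == "intercept" || $i == "tproxy") mode = $i
        # Split "host:port" on the LAST colon so [::1]:3130 stays intact.
        host = ""; port = spec
        if (index(spec, ":") > 0) {
            host = spec; sub(/:[^:]*$/, "", host)
            port = spec; sub(/^.*:/, "", port)
        }
        if (index(spec, ":") > 0 && host == "")
            finding(NR, "empty host before \":\" (Squid logs FATAL: failed to resolve Host/IP)")
        if (mode != "forward" && host != "")
            finding(NR, "explicit address " host " on a " mode " port; drop it so the OS supplies the device address per connection")
        if (mode != "forward" && (port in known))
            finding(NR, mode " on well-known proxy port " port "; move intercepted traffic to a separate port and drop it pre-NAT on the firewall")
    }
    function finding(line, msg) { n++; printf "line %d: %s: %s\n", line, $0, msg }
    END { exit (n > 0) }
    '
}

# lint_sample: runs the linter over the constructed sample above.
lint_sample() {
    printf '%s\n' "$SAMPLE_CONF" | lint_ports
}

# When executed directly, report the findings for the sample.
lint_sample || printf 'Fix the flagged *_port lines before starting Squid.\n' >&2
```

Run it against a real file with `lint_ports < /usr/local/etc/squid/squid.conf`; the non-zero exit status lets a deployment pipeline refuse a configuration that binds an intercept listener to an address or to a well-known proxy port.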
