On 2025-02-05 05:54, udhayakumar wrote:

If I put whitelist_regex in the config below, the domains I try to browse show *SSL_ERROR_RX_RECORD_TOO_LONG* in the browser.

IIRC, that usually happens when Squid responds with a plain text error page while the browser expects TLS. You may be able to confirm that by looking at the problematic browser-Squid transactions using wireshark or a similar packet analysis tool.


ssl_bump peek step1
ssl_bump splice sslwhitelist
ssl_bump splice allowed_sites
> ssl_bump bump all

Do you have http_access rules that allow TLS connections to sites matching sslwhitelist and allowed_sites ACLs? I do not see them. Please keep in mind that http_access controls access (for requests on all connections) while ssl_bump controls whether/when TLS connections are decrypted. Both sets of rules are important. For example, if http_access denies a request, then Squid will not splice the corresponding client-to-Squid and Squid-to-server connections.

Please also note that your second set of ssl_bump rules (not shown above) will never be reached because one of the ssl_bump rules shown above will always match, ending ssl_bump rule evaluation.


HTH,

Alex.


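# Squid configuration as posted to squid-users. Directives that the mail
# client had wrapped onto two lines have been re-joined, and a few paste
# artefacts fixed: "cl" -> "acl" in the windowsupdate list, and the missing
# space before "www." in several dstdomain lists (Squid would otherwise read
# "dstdomainwww..." as an unknown ACL type and refuse the config).
http_port 3128
http_port 3129 tproxy
# Intercepting TLS port. NOTE(review): this cipher string still permits RC4
# and 3DES ("EECDH+aRSA+RC4", "RC4", "3DES"), whereas the tls_outgoing_options
# cipher list below excludes both (!RC4, !3DES). Unless legacy clients need
# them, align this list with the outgoing one.
https_port 3127 tproxy ssl-bump cert=/etc/squid_av/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:RC4:!aNULL:!eNULL:!LOW:3DES:!MD5:!EXP:!PSK:!SRP:!DSS options=ALL:NO_SSLv3

# Squid-to-origin TLS options.
# NOTE(review): DONT_VERIFY_DOMAIN accepts origin certificates whose name
# does not match the requested host. Together with "host_verify_strict off"
# and "sslproxy_cert_error allow all" further down, a bumped client no longer
# sees any origin certificate problem, because Squid re-signs the response
# with its own CA regardless. Prefer the narrower DomainMismatch/localnet
# sslproxy_cert_error rules that are commented out below.
#tls_outgoing_options flags=DONT_VERIFY_PEER
tls_outgoing_options flags=DONT_VERIFY_DOMAIN
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

icp_port 0
digest_generation off
error_default_language en
#logformat icap_squid %tl %>a %>p %<A %la %lp %<la %<lp %tr %dt
#icap_log /var/log/squid/access.log
#logformat customlog (%tl) source_ip=%>a src_port=%>p user=%ui [%tl] "%rm %ru HTTP/%rv" status=%>Hs size=%<st user_agent="%{User-Agent}>h"


cache_log /var/log/squid/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off

log_icp_queries off
# logfile_rotate was given twice (1, then 2); the later value wins, so only
# the effective setting is kept.
logfile_rotate 2
# squid worker config optimized for the processor
workers 16
# Only workers 1 and 2 are pinned; the remaining 14 workers float.
# (The original had a stray comma after "1,2,".)
cpu_affinity_map process_numbers=1,2 cores=1,3
# certificate mimic
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB -b 2048
debug_options rotate=2
#proxy options
hosts_file /etc/hosts
fqdncache_size 6000
visible_hostname fatpipe_proxy
collapsed_forwarding on
forwarded_for transparent
via on
httpd_suppress_version_string on
uri_whitespace strip
shutdown_lifetime 3 seconds
url_rewrite_host_header on
# logging: strip query terms from logged URLs
strip_query_terms on
#cache option: amount of RAM, half of the box
cache_mem 8096 MB
memory_cache_mode always
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
#cache allocation: rock store writes block by block, which helps disk I/O
cache_dir rock /var/spool/rockfs/squid_cache 20000 max-size=32768 max-swap-rate=250 swap-timeout=200
max_stale 1 week
on_unsupported_protocol tunnel

offline_mode off
#cache low and high water marks
cache_swap_low 90
cache_swap_high 96
cache allow all

#pipelining for HTTP pipelining
pipeline_prefetch 6
acl SSL_ports port 443          #https
acl SSL_ports port 563          #nntps

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl HTTP proto HTTP
acl HTTPS proto HTTPS

acl purge method PURGE
acl CONNECT method CONNECT

# SslBump step ACLs used by the ssl_bump rules below.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl allsrc src all

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

# NOTE(review): these two allow rules are evaluated before the Safe_ports /
# SSL_ports denies below, so the port restrictions do not apply to
# Windows Update hosts. Moving them after "http_access deny CONNECT !SSL_ports"
# keeps the same hosts reachable while retaining the port checks.
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

#skip lan subnet
#acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
#sslproxy_cert_error allow localnet DomainMismatch
#sslproxy_cert_error deny all

# Define a list of websites to skip the proxy
#acl sslwhitelist ssl::server_name_regex -i "/etc/squid_av/whitelist_regex.acl"
#acl allowed_sites ssl::server_name "/etc/squid_av/whitelist.acl"
#acl local-external dstdomain .google.com .icicibank.com
#always_direct allow local-external
#acl allowed_sites ssl::server_name .foo.com .hdfcbank.com .copilot.microsoft.com
#sslproxy_cert_error allow allowed_sites
host_verify_strict off

# ssl_bump rules: peek at step 1, then bump everything. When the splice
# rules are re-enabled they must sit between "peek step1" and "bump all",
# and each spliced site still needs a matching http_access allow rule;
# http_access decides whether the request is allowed at all, ssl_bump only
# decides whether the TLS connection is decrypted.
ssl_bump peek step1
#ssl_bump splice sslwhitelist
#ssl_bump splice allowed_sites
ssl_bump bump all

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost
#request header config
quick_abort_min 0 KB
quick_abort_max 0 KB
request_body_max_size 0 KB
#delay_pools config
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Throttle extensions matched in the url
#acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
#delay_access 1 allow throttle_exts
#delay_access 1 deny allsrc

# Set YouTube safesearch restriction
#acl youtubedst dstdomain -n www.youtube.com  m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
#request_header_access YouTube-Restrict deny all
#request_header_add YouTube-Restrict moderate youtubedst
# The second "ssl_bump peek step1 / ssl_bump bump all" pair that used to be
# here was unreachable ("bump all" above always matches first) and a second
# "http_access allow localnet" was redundant with the one above; both removed.

# Default block all to be sure
http_access deny allsrc


icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024


# REQMOD is bypassable on ICAP failure, RESPMOD (the AV scan of responses)
# is not: a ClamAV outage fails closed for responses and open for requests.
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all

#debug_options ALL,1
# NOTE(review): "allow all" ignores every origin certificate validation
# error (expired, untrusted CA, name mismatch) for all bumped connections;
# clients only ever see Squid's own re-signed certificate and cannot tell.
# The commented "allow localnet DomainMismatch / deny all" pair above is the
# narrower alternative.
sslproxy_cert_error allow all
negative_ttl 0 seconds
negative_dns_ttl 1 second

# Leave coredumps in the first cache dir
coredump_dir /var/log/dump/squid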


/udhayakumar.
