CentOS 7 + Squid Http https [RESOLVIDO]

1. CentOS 7 + Squid Http https [RESOLVIDO]

RADER
(usa Ubuntu)

Enviado em 11/11/2017 - 13:00h

Olá pessoal, montei um firewall que também é o gateway da rede, esta tudo configurado, maquinas clientes navegam sem problemas. não setei ainda as regras de bloqueio pois estou com problemas no squid. Estou com uma config basica, porém fui configurar um certificado ssl para proxy transparente. (squid 3.5) quando o Squid esta ativo esta bloqueando somente os protocolos Https o resto esta deixando passar, quando configuro no navegador cliente o proxy, ele bloqueia tudo, mas o https fica como se não tivesse conexão. Eu criei o certificado, porém não subiu. E o que eu quero é não precisar configurar o squid no navegador do cliente.

se eu desativo o squid , tudo funciona bem, quando ativo ai da algum errinhos.

>>>>>>>>erro sem configurar o proxy no navegador cliente : Error code:SSL_error_rx_record_too_long

Squid.conf

# Recommended minimum configuration:
#
#error_directory /usr/share/squid/errors/Portuguese

cache_log /var/log/squid/access.log

access_log /var/log/squid/access.log squid

#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
#sslcrtd_program /lib/squid/ssl_crtd -s /etc/squid/ssl_db -M 4MB
#sslcrtd_children 5
#cache_dir ufs /var/spool/squid 100 16 256

#https_port 3130 transparent cert=/root/.ssh/server.crt key=/root/.ssh/server.Key

#Minha Rede
acl redelocal src 192.168.2.0/24
acl all src 192.168.2.0/255.255.255.255
acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl SSL_ports port 1863 # GAIM MSN
acl SSL_ports port 25533 # RADIO UOL
acl SSL_ports port 5190 # GAIM ICQ
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 3456 # ReceitaNET
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 1863 # GAIM MSN
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#https_port 3130 intercept cert=/etc/squid/openssl.crt key=/etc/squid/openssl.key

#Bloqueio de downloads por extensão
acl download url_regex -i .com$ .pif$ .exe$ .avi$ .mp3$ .mpeg$ .mpg$ .rm$ .wma$ .wmv$ .asx$ .cab$ .src$

acl bloqueado ssl::server_name .youtube.com

acl rede src 192.168.2.0/24

http_access allow rede

acl bloqueiofull url_regex "etc/squid/bloqueiofull.txt"
http_access deny bloqueiofull

acl sitesbons dstdom_regex "etc/squid/sitesbons.txt"
http_access allow sitesbons

acl permitidos dstdom_regex "etc/squid/permitidos.txt"
http_access allow permitidos

acl formato_arquivo dstdom_regex "etc/squid/formato_arquivo.txt"
http_access deny formato_arquivo

acl liberados url_regex "etc/squid/liberados.txt"
http_access deny liberados

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918i possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
109,1 71%

# Squid normally listens to port 3128
http_port 3128 intercept
visible_hostname spark
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /var/spool/squid 5000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
cache_mem 500 MB
maximum_object_size 128 KB

0 0

Quote

2. errro no http_port

VictorServerTI
(usa CentOS)

Enviado em 11/11/2017 - 15:07h

Amigo acredito que voce esteja utilizando o http_port de forma incorreta

vc tem que entender os conceitos

para o protocolo http basta vc utilizar o



http_port 3130 -> para ser configurado manualmente nos aplicativos



http_port 3128 intercept -> transparente

já para o protocolo https é mais complicado

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

0 0

Quote