[squid-users] Re: SSL Sites bypass interception

From: Jambaz <gibbybia_at_hotmail.com>
Date: Sat, 2 Jun 2012 08:02:49 -0700 (PDT)

Hi my friends , and thanks for your helps
I have followed your suggest...but when i try to start squid it give me an
error like:

FATAL: Bungled squid.conf line 48: http_port 3128 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
Squid Cache (Version 3.1.19): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 13488 KB
Page faults with physical i/o: 0

From the guid that you have me posted , i have don't very well understand ,
when it tell me to prepare directory for caching certificates:

    /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db

i have to create first this directory or i have to use the directory in the
squid.conf ?

i also don't found where i have to use this command ./configure
--enable-ssl --enable-ssl-crtd , sorry for this question

here is my squid.conf

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl lan src
auth_param ntlm children 30
auth_param ntlm keep_alive on
acl SSL_ports port 443 # https
acl Safe_ports port 25 # smtp
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 111 # ftp 2
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 3306 # MySql
acl Safe_ports port 9100 # Stampante
#acl broken_sites dstdomain .facebook.com
acl purge method PURGE
#acl bad_url dstdomain "/etc/squid3/bad-sites.squid"
#acl blockfiles urlpath_regex "/etc/squid3/blockfiles.squid"
#ssl_bump deny broken_sites
#ssl_bump allow all
http_access allow lan
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access deny bad_url
# http_access deny blockfiles
# http_access deny reqmsn
# http_reply_access deny repmsn
http_access allow localhost
http_access deny all
http_port 3128 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
#http_port 3130 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
ssl_bump allow all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 32
icp_access allow lan
icp_access deny all
ie_refresh on
visible_hostname localhost
hosts_file /etc/hosts
# dns_nameservers
coredump_dir /var/spool/squid3
maximum_object_size 16 MB
cache_mem 32 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid 15000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
store_avg_object_size 50 KB
url_rewrite_children 30
redirect_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
redirect_children 30

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Sites-bypass-interception-tp4655164p4655244.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Sat Jun 02 2012 - 15:02:53 MDT

This archive was generated by hypermail 2.2.0 : Sat Jun 02 2012 - 12:00:02 MDT