Handshake in squid

1. Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 11/10/2018 - 11:38h

Good morning everyone,

As shown in the link below:

https://uploaddeimagens.com.br/imagens/conexao2-png-cdb38c01-3b59-474f-9239-25704efb757d

I'm having trouble accessing certain sites over HTTPS.
We use a certificate in all browsers for HTTPS blocking, but some sites show this:

Do I need to increase the number of handshake options for SSL?

What does the Squid configuration look like to add the handshake?

Squid Cache: Version 3.5.20
CentOS release 6.10 (Final)


2. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 14/10/2018 - 21:22h

Does anyone have any tips?


3. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 29/10/2018 - 16:46h

anyone?


4. Re: Handshake in squid

Wandolly Baluz Maciel
WBaluz

(uses Arch Linux)

Sent on 30/10/2018 - 00:02h

Hey brother, all good? Have a read of this thread here http://squid-web-proxy-cache.1019090.n4.nabble.com/3-5-25-71-Protocol-error-TLS-code-SQUID-ERR-SSL-H... .. does the error only happen on one specific site, or on other sites too?


5. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 31/10/2018 - 12:19h

Some specific sites, not all!..

example:
https://www.balaodainformatica.com.br/


I've already gone through this whole link below:
http://squid-web-proxy-cache.1019090.n4.nabble.com/3-5-25-71-Protocol-error-TLS-code-SQUID-ERR-SSL-H...

I can see it's a general problem, not so easy to solve.. HTTPS blocking using a certificate in the browsers is a headache.




6. Re: Handshake in squid

Wandolly Baluz Maciel
WBaluz

(uses Arch Linux)

Sent on 01/11/2018 - 19:37h

man, it really does cause some annoying little problems sometimes.. I prefer to set the proxy in the browser.. control is easier that way.. if the user removes the proxy they can't browse... but let's try to look into this.. what is reported in the squid logs? they can help us solve this.. take a look at cache.log and access.log so we can try to see...


7. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 05/11/2018 - 15:07h

Sorry for not posting sooner, I was waiting to get access to my server:

Here is the log when trying to access the UOL page:

tms | grep 10.4.65.31
1541436731.916 108 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436731.916 108 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436731.956 5 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/ - HIER_NONE/- text/html
1541436732.060 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436732.213 107 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436732.243 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436732.288 111 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436732.336 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/favicon.ico - HIER_NONE/- text/html
1541436752.066 173 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.179:443 - ORIGINAL_DST/54.192.57.179 -
1541436752.192 17 10.4.65.31 TCP_MISS/200 491 GET http://detectportal.firefox.com/success.txt - ORIGINAL_DST/200.143.247.74 text/plain
1541436765.292 126 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436765.457 114 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436765.563 0 10.4.65.31 TAG_NONE/503 4343 GET https://54.192.57.137/* - HIER_NONE/- text/html
1541436765.683 105 10.4.65.31 TCP_MISS/200 372 POST https://elb-nvi-amz.nimbus.bitdefender.net/url/status - ORIGINAL_DST/52.202.69.12 application/json
1541436765.789 103 10.4.65.31 TCP_MISS/200 372 POST https://elb-nvi-amz.nimbus.bitdefender.net/url/status - ORIGINAL_DST/52.202.69.12 application/json
1541436765.984 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436766.126 102 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436766.160 0 10.4.65.31 TAG_NONE/503 4343 GET https://54.192.57.137/favicon.ico - HIER_NONE/- text/html
1541436768.492 555 10.4.65.31 TAG_NONE/200 0 CONNECT 35.161.44.2:443 - ORIGINAL_DST/35.161.44.2 -
1541436768.739 185 10.4.65.31 TCP_MISS/000 0 GET https://push.services.mozilla.com/ - ORIGINAL_DST/35.161.44.2 -
1541436774.395 101 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436774.482 101 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436775.540 148 10.4.65.31 TCP_REFRESH_UNMODIFIED/200 1843 GET http://update.cloud.2d585.cdn.bitdefender.net/redline_eps_32/versions.id - ORIGINAL_DST/72.21.81.253 text/plain
1541436775.543 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/ - HIER_NONE/- text/html
1541436775.547 0 10.4.65.31 TCP_MEM_HIT/200 571 GET http://update.cloud.2d585.cdn.bitdefender.net/redline_eps_32_2/versions.dat - HIER_NONE/- text/plain
1541436775.679 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/favicon.ico - HIER_NONE/- text/html
1541436775.818 101 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436775.854 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436776.670 123 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436776.688 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/service-worker.js? - HIER_NONE/- text/html
1541436797.984 102 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436797.988 106 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436798.019 115 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436798.043 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/ - HIER_NONE/- text/html
1541436798.199 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436798.236 1 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/favicon.ico - HIER_NONE/- text/html
1541436799.013 103 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436799.097 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/service-worker.js? - HIER_NONE/- text/html
1541436799.171 107 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436799.171 106 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436799.206 122 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436799.260 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/ - HIER_NONE/- text/html
1541436799.476 0 10.4.65.31 TAG_NONE/503 4343 GET http://10.4.65.1:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1541436799.496 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/favicon.ico - HIER_NONE/- text/html
1541436800.177 101 10.4.65.31 TAG_NONE/200 0 CONNECT 54.192.57.137:443 - ORIGINAL_DST/54.192.57.137 -
1541436800.202 0 10.4.65.31 TAG_NONE/503 4343 GET https://www.uol.com.br/service-worker.js? - HIER_NONE/- text/html

Log from CACHE.LOG

2018/11/05 14:53:58 kid1| Error negotiating SSL on FD 75: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 14:54:00 kid1| Error negotiating SSL on FD 196: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 14:54:00 kid1| Error negotiating SSL on FD 217: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 14:54:00 kid1| Error negotiating SSL on FD 311: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)

2018/11/05 15:03:40 kid1| Error negotiating SSL on FD 77: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:03:43 kid1| Error negotiating SSL on FD 100: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:03:44 kid1| Error negotiating SSL on FD 88: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:03:44 kid1| Error negotiating SSL on FD 88: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:03:46 kid1| Error negotiating SSL on FD 134: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:00 kid1| Error negotiating SSL on FD 185: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:08 kid1| Error negotiating SSL connection on FD 257: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:09 kid1| Error negotiating SSL connection on FD 257: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:35 kid1| Error negotiating SSL on FD 43: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:36 kid1| Error negotiating SSL on FD 92: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:36 kid1| Error negotiating SSL on FD 92: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:37 kid1| Error negotiating SSL on FD 149: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:37 kid1| Error negotiating SSL on FD 155: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:37 kid1| Error negotiating SSL on FD 153: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:38 kid1| Error negotiating SSL on FD 208: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 218: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 227: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 229: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 235: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 236: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:39 kid1| Error negotiating SSL on FD 237: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:40 kid1| Error negotiating SSL on FD 241: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:40 kid1| Error negotiating SSL on FD 237: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:40 kid1| Error negotiating SSL on FD 245: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:43 kid1| Error negotiating SSL on FD 251: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:43 kid1| Error negotiating SSL on FD 251: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:43 kid1| Error negotiating SSL on FD 254: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:49 kid1| Error negotiating SSL connection on FD 84: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:49 kid1| Error negotiating SSL connection on FD 84: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:54 kid1| Error negotiating SSL on FD 312: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)

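The two OpenSSL errors in the cache.log above point at different sides of the bump, so it helps to count them separately: SSL23_GET_SERVER_HELLO is raised by Squid acting as a TLS client when the origin server answers its ClientHello with a handshake_failure alert (the word "sslv3" is OpenSSL's name for the alert format, not the protocol version negotiated), while SSL3_GET_CLIENT_HELLO "no shared cipher" is raised by Squid acting as a TLS server towards the browser on the https_port. The following is an added example, not code from this thread, that classifies a constructed sample of lines in the same format.

```python
import re
from collections import Counter

# Constructed sample in the cache.log format Squid 3.5 writes; the FDs and
# timestamps are made up and are not tied to the lines posted in the thread.
SAMPLE_CACHE_LOG = """\
2018/11/05 14:53:58 kid1| Error negotiating SSL on FD 75: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:08 kid1| Error negotiating SSL connection on FD 257: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:09 kid1| Error negotiating SSL connection on FD 257: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher (1/-1)
2018/11/05 15:04:35 kid1| Error negotiating SSL on FD 43: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2018/11/05 15:04:36 kid1| Error negotiating SSL on FD 92: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
"""

# Matches "Error negotiating SSL [connection] on FD N: error:CODE:SSL routines:ROUTINE:REASON (...)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| Error negotiating SSL(?: connection)? on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<routine>[A-Z0-9_]+):(?P<reason>[^(]+?)\s*\("
)


def classify(routine):
    """Which side of the bump failed, judged from the OpenSSL routine name."""
    if routine in ("SSL23_GET_SERVER_HELLO", "SSL3_GET_SERVER_HELLO"):
        # Squid is the TLS client here: the origin server rejected the ClientHello
        # (version or cipher list Squid offered via sslproxy_version/sslproxy_cipher).
        return "upstream"
    if routine == "SSL3_GET_CLIENT_HELLO":
        # Squid is the TLS server here: the browser and the https_port cipher= list
        # have no cipher in common.
        return "client"
    return "unknown"


def parse_cache_log(text):
    """Return one dict per recognised 'Error negotiating SSL' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["side"] = classify(event["routine"])
            events.append(event)
    return events


def summarize(events):
    """Count failures by (side, reason) so the two directions are not mixed up."""
    return Counter((e["side"], e["reason"]) for e in events)


if __name__ == "__main__":
    for (side, reason), n in summarize(parse_cache_log(SAMPLE_CACHE_LOG)).most_common():
        print(f"{n:4d}  {side:9s} {reason}")
```

Run it over the real cache.log with `parse_cache_log(open("/var/log/squid/cache.log").read())`; a large "upstream" count with a zero "client" count means the fix has to be on the origin-facing directives, not on the https_port cipher list.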

8. Re: Handshake in squid

Wandolly Baluz Maciel
WBaluz

(uses Arch Linux)

Sent on 05/11/2018 - 19:14h

hey bro, how's it going.. so, after a quick search I found this here....

"Looks like that site doesn't accept SSLv3, so squid can't complete the SSL handshake."

from the error logs we can see that the site has no support for sslv3, so squid doesn't complete the handshake...

one "solution" would be to use the following option..
sslproxy_version 3

however, it could cause security problems, since sites that support TLS1 and above will be forced to use SSLv3..

try using these options here....
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
sslcrtd_children 50 startup=5 idle=1

according to the following link: https://serverfault.com/questions/604824/squid-ssl-bump-sslv3-enforce-to-allow-old-sites

it manages to work around this problem..
test it and report back.. cheers


9. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 06/11/2018 - 11:26h

We have this configuration at the start of squid.conf:


## Non-transparent http rules
#http_port 10.4.65.111:3128 intercept
http_port 10.4.65.1:3128

## Transparent https rules
http_port 10.4.65.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/squidMyCA.pem
https_port 10.4.65.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/squidMyCA.pem

## SSL version rules
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4 MB
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs/
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_children 32 startup=5 idle=1

## SquidGuard rules
##redirect_program /usr/bin/squidGuard
##redirect_children 8
##redirector_bypass on
#/usr/share/squid/errors
##url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

coredump_dir /var/spool/squid
cache_mgr edvan@funpec.br
visible_hostname 10.4.65.1
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 40096 KB
#debug_options ALL,1 33,2
#dns_nameservers 10.4.65.111
#dns_testnames 10.4.65.111
#dns_v4_first on
#cache_replacement_policy heap LFUDA
#memory_replacement_policy heap GDSF
#ipcache_size 1024
#shutdown_lifetime 5 seconds
cache_dir aufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
coredump_dir /var/spool/squid
cache_effective_user squid
cache_effective_group squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#auth_param basic children 5
#auth_param basic realm spe0px00 Proxy
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=sangiovanne,dc=com,dc=br" -D "cn=squid,cn=users,dc=sangiovanne,dc=com,dc=br" -f "sAMAcco$

#external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=s,dc=com,dc=br" -D "cn=squid,cn=users,dc=s,dc=com,dc=br" -w "senha" -f "(&(ob$

acl localnet src 10.4.65.0/24
#acl localhost src 127.0.0.1/32 ::1



10. Re: Handshake in squid

Wandolly Baluz Maciel
WBaluz

(uses Arch Linux)

Sent on 06/11/2018 - 11:41h

hey bro, all good? so.. you'd have to change these lines

## Transparent https rules
http_port 10.4.65.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/squidMyCA.pem
https_port 10.4.65.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/squidMyCA.pem

to something like the ones I posted.. of course respecting your network configs..

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
sslcrtd_children 50 startup=5 idle=1

I believe the part that solves your problem is this...
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
you'd be telling squid which cipher types it should accept, which might solve your problem... for that you'd need to adapt it to your configs.. it would be something like this..

https_port 10.4.65.1:3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/ssl/certs/squidMyCA.pem key=/etc/squid/ssl/squid.key (path to the squid key) cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH..
I can't tell you for sure whether it will work, since I have no way to test it here... I don't have a test environment with squid compiled with https support.. in this case it would have to be trial and error...



11. Re: Handshake in squid

Edvan
Edvan Ferreira

(uses Ubuntu)

Sent on 09/11/2018 - 18:06h

A friend of mine also ran the test on his server and it didn't work; he uses the same configuration as mine.


#http_port 192.168.0.254:3128 intercept
http_port 192.168.0.254:3128

## SSL version rules
http_port 192.168.0.254:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

https_port 192.168.0.254:3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_version 3
sslproxy_options ALL
ssl_bump server-first all
sslcrtd_children 50 startup=5 idle=1
client_persistent_connections on
server_persistent_connections on
strip_query_terms off
always_direct allow all
forwarded_for transparent
via off
vary_ignore_expire on
httpd_suppress_version_string on
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
#sslproxy_capath /etc/ssl/certs/
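Before copying any of the configurations in this thread, it is worth checking what each TLS directive actually changes; this added example (not code from the thread or from Squid) audits a constructed squid.conf fragment built from the same directives. It assumes Squid 3.5 semantics: https_port cipher= governs the browser-facing side only, the origin-facing side is governed by sslproxy_version and sslproxy_cipher, and sslproxy_version 3 means SSLv3 only.

```python
import re

# Constructed squid.conf fragment using the directives posted above; the IP,
# paths and cipher list are copied only as a sample and are not a recommendation.
SAMPLE_CONF = """\
## Transparent https rules
https_port 192.0.2.1:3130 intercept ssl-bump connection-auth=off generate-host-certificates=on cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslproxy_version 3
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all
"""

# Substrings that mark a cipher suite as one a proxy should not offer to browsers.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def weak_ciphers(cipher_spec):
    """Return the positively-enabled suites in an OpenSSL cipher string that look weak.
    Tokens starting with '!' are exclusions and are skipped."""
    return [c for c in cipher_spec.split(":")
            if not c.startswith("!") and any(t in c for t in WEAK_CIPHER_TOKENS)]


def audit_squid_tls(conf_text):
    """Return (directive, finding) pairs for the TLS settings that weaken the bump."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        if directive in ("https_port", "http_port"):
            # cipher= on a listening port only affects the browser <-> Squid leg.
            m = re.search(r"\bcipher=(\S+)", rest)
            if m and weak_ciphers(m.group(1)):
                findings.append((directive, "weak ciphers offered to browsers: "
                                 + ", ".join(weak_ciphers(m.group(1)))))
        elif directive == "sslproxy_version" and rest.strip() == "3":
            # Squid 3.5: 1 = auto, 3 = SSLv3 only; applies to the Squid <-> origin leg.
            findings.append((directive, "forces SSLv3 only to every origin server; "
                             "servers that refuse SSLv3 will fail the handshake"))
        elif directive == "sslproxy_cert_error" and rest.strip() == "allow all":
            findings.append((directive, "accepts any origin certificate, valid or not"))
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in rest:
            findings.append((directive, "origin certificate chain is never verified"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit_squid_tls(SAMPLE_CONF):
        print(f"{directive:22s} {finding}")
```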
