squid with https


Alisson Ceolin

May 31, 2012, 10:56:38 AM5/31/12
to slack-u...@googlegroups.com
Hi everyone,

I'm running tests with HTTPS blocking in Squid. I confess I'm finding the documentation very confusing, and also very controversial.
My biggest problem today is Facebook. I have HTTP blocking rules (LDAP groups) and would like to be able to filter HTTPS too.

Does anyone use Squid with HTTPS blocking? Could you give me some instructions?

I have already compiled Squid with --enable-ssl
and added this content to squid.conf

https_port 3126 protocol=http cert=/etc/squid/ssl2/server_cert.pem key=/etc/squid/ssl2/server_key.pem
.
.
acl SSL method CONNECT
never_direct allow SSL
.


Squid startup log, followed by an attempt to access an HTTPS site

2012/05/31 10:54:04| Starting Squid Cache version 2.7.STABLE9 for i386-debian-linux-gnu...
2012/05/31 10:54:04| Process ID 3337
2012/05/31 10:54:04| With 32768 file descriptors available
2012/05/31 10:54:04| Using epoll for the IO loop
2012/05/31 10:54:04| Performing DNS Tests...
2012/05/31 10:54:04| Successful DNS name lookup tests...
2012/05/31 10:54:04| DNS Socket created at 0.0.0.0, port 60995, FD 6
2012/05/31 10:54:04| Adding nameserver 127.0.0.1 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.2 from squid.conf
2012/05/31 10:54:04| Adding nameserver 10.12.0.22 from squid.conf
2012/05/31 10:54:04| helperOpenServers: Starting 10 'ldap_auth' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| helperOpenServers: Starting 5 'squid_ldap_group' processes
2012/05/31 10:54:04| User-Agent logging is disabled.
2012/05/31 10:54:04| Referer logging is disabled.
2012/05/31 10:54:04| logfileOpen: opening log /var/log/squid/ppol-test-access.log
2012/05/31 10:54:04| Unlinkd pipe opened on FD 71
2012/05/31 10:54:04| Swap maxSize 2048000 + 512000 KB, estimated 196923 objects
2012/05/31 10:54:04| Target number of buckets: 9846
2012/05/31 10:54:04| Using 16384 Store buckets
2012/05/31 10:54:04| Max Mem  size: 512000 KB
2012/05/31 10:54:04| Max Swap size: 2048000 KB
2012/05/31 10:54:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/05/31 10:54:04| Store logging disabled
2012/05/31 10:54:04| Rebuilding storage in /var/spool/squid/ppol-test (DIRTY)
2012/05/31 10:54:04| Using Least Load store dir selection
2012/05/31 10:54:04| Set Current Directory to /var/cache/squid
2012/05/31 10:54:04| Loaded Icons.
2012/05/31 10:54:04| Accepting proxy HTTP connections at 0.0.0.0, port 3125, FD 73.
2012/05/31 10:54:04| Accepting HTTPS connections at 0.0.0.0, port 3126, FD 74.
2012/05/31 10:54:04| Accepting ICP messages at 0.0.0.0, port 3130, FD 75.
2012/05/31 10:54:04| HTCP Disabled.
2012/05/31 10:54:04| WCCP Disabled.
2012/05/31 10:54:04| Ready to serve requests.
2012/05/31 10:54:04| Done reading /var/spool/squid/ppol-test swaplog (40 entries)
2012/05/31 10:54:04| Finished rebuilding storage from disk.
2012/05/31 10:54:04|        40 Entries scanned
2012/05/31 10:54:04|         0 Invalid entries.
2012/05/31 10:54:04|         0 With invalid flags.
2012/05/31 10:54:04|        40 Objects loaded.
2012/05/31 10:54:04|         0 Objects expired.
2012/05/31 10:54:04|         0 Objects cancelled.
2012/05/31 10:54:04|         0 Duplicate URLs purged.
2012/05/31 10:54:04|         0 Swapfile clashes avoided.
2012/05/31 10:54:04|   Took 0.3 seconds ( 154.6 objects/sec).
2012/05/31 10:54:04| Beginning Validation Procedure
2012/05/31 10:54:04|   Completed Validation Procedure
2012/05/31 10:54:04|   Validated 40 Entries
2012/05/31 10:54:04|   store_swap_size = 796k
2012/05/31 10:54:05| storeLateRelease: released 0 objects
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found
2012/05/31 10:54:35| aclMatchAclList: returning 1
2012/05/31 10:54:35| clientNegotiateSSL: Error negotiating SSL connection on FD 72: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)
2012/05/31 10:54:35| aclCheckFast: list: 0xb8875760
2012/05/31 10:54:35| aclMatchAclList: checking all
2012/05/31 10:54:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2012/05/31 10:54:35| aclMatchIp: '10.12.60.60' found



The certificate was self-generated ( openssl req -new -x509 -nodes -keyout server_key.pem -out server_cert.pem )
I don't have an official certificate authority. I don't know whether this is the cause of the error, or something else. Is there any way you could help me? Thanks.


Does anyone have a similar scenario?

 
Alisson Ceolin
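For reference, an added configuration example (not from this thread or from Endian): on an explicit proxy, where browsers are pointed at Squid, HTTPS traffic reaches the proxy as a plaintext `CONNECT host:443` request on the ordinary http_port, so the destination hostname is visible to a `dstdomain` ACL and the tunnel can be denied with no https_port and no TLS handshake at all. The port number, ACL names and domain are assumptions chosen for illustration.

```conf
# Added example for Squid 2.7 (not the thread author's config).
# Browser-configured proxy: HTTPS arrives as "CONNECT www.example.com:443",
# so the hostname can be matched before any tunnel is opened.
http_port 3125

acl SSL_ports port 443
acl CONNECT method CONNECT
# Assumed domain list: leading dot also matches subdomains
acl blocked_https dstdomain .facebook.com

# Only allow tunnels to the standard HTTPS port
http_access deny CONNECT !SSL_ports

# Deny the tunnel to the blocked domains. Order matters: the first
# matching http_access line wins, so this must come before the
# proxy_auth / ldap_group rules that allow the rest of the traffic.
http_access deny CONNECT blocked_https

# ... existing proxy_auth / external LDAP group rules follow here
```

Denied tunnels show up in access.log as TCP_DENIED entries for the CONNECT method, which is the simplest way to confirm the rule is taking effect.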


Renato Alves - Gmail

May 31, 2012, 12:19:14 PM5/31/12
to slack-u...@googlegroups.com
I use Squid on Endian Firewall. It blocked Facebook's HTTP without problems, but HTTPS only after I converted Squid from transparent to authenticated. It worked right away! Is yours transparent?
--
GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br
 
Before asking:
http://www.istf.com.br/perguntas/
 
To leave the list, send an e-mail to:
slack-users-b...@googlegroups.com

Alisson Ceolin

May 31, 2012, 1:08:47 PM5/31/12
to slack-u...@googlegroups.com
It's authenticated too. The browsers point to Squid.

Do you still have the configuration file? Could you pass it along?

Thanks!


 
Alisson Ceolin


From: Renato Alves - Gmail <ratom...@gmail.com>
To: slack-u...@googlegroups.com
Sent: Thursday, May 31, 2012 13:19
Subject: Re: [slack-users] squid with https

Renato Alves - Gmail

May 31, 2012, 2:30:09 PM5/31/12
to slack-u...@googlegroups.com
Endian's squid.conf is customized, and quite cut down compared to the Squid you install and configure from the command line. If you want, I'll send it to you, sure, but there's a huge chance your Squid will go belly up or lose a lot of functionality if you use my file.