Re: [squid-users] logging issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 11 May 2013 01:57:45 +1200

On 9/05/2013 12:27 a.m., Mr J Potter wrote:
> Works for me!
>
> A few notes for anyone who needs them below.

And some extra notes in case anyone tries to use them ;-)

> Thanks again everyone.
>
> Jim
> UK
>
> Issues/gotchas:
> It doesn't work behind parent proxies.
Well, it requires the parent proxy to be SSL-enabled as well.

> It works with NTLM and ident
> You need your own certificate authority on all clients.
>
> To build squid3.2 on debian 7:
> dependencies: install everything so you can build squid3.1 from source
> get squid 3.2 source and build with:
> ./configure \
> --prefix=/srv/squid32 \
> --sysconfdir=/srv/squid32/conf \
> --localstatedir=/srv/squid32/var \
> --enable-auth \
> --enable-auth-ntlm="SSPI,smb_lm" \
> --enable-ssl \
> --enable-ssl-crtd \
> --enable-icap-client

Or better grab the 3.3 source package from Sid/Unstable repositories.
Add the SSL options above to debian/rules and build. You will also need
to install the libssl-dev package for those new options to work.

The 3.3 sources will require some adjustments to the rest of these notes
as follows...

> Follow instructions on creating a CA from:
> http://www.mydlp.com/how-to-configure-squid-3-2-ssl-bumping-dynamic-ssl-certificate-generation/
>
> Here's my config
>
> cache_effective_user proxy
>
> #cache_peer caffreys.bristol-cyps.org.uk parent 3128 3130 default
> cache_peer courage.bristol-cyps.org.uk parent 3128 3130 default
> #no-delay
> #no-query no-digest no-netdb-exchange
> ## default
>
> #cache_peer_access caffreys.bristol-cyps.org.uk allow all
> cache_peer_access courage.bristol-cyps.org.uk allow all
>
> forwarded_for off
>
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
> #auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #auth_param ntlm children 20 startup=0 idle=1
>
> #acl authdUsers proxy_auth REQUIRED
> acl authdUsers ident REQUIRED
>
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl HTTPS proto HTTPS
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> ## HTTPS busting bit!!!
> ssl_bump allow all

You probably want to adjust this as you go to add exceptions as you find
sites which do not work with bumping or non-HTTPS traffic using CONNECT.

NOTE: with 3.3 sources you can use server-first instead of "allow" for a
more user-friendly bump.

> sslproxy_cert_error allow all

NOTE: using "allow all" with sslproxy_cert_error enables any hijacked
SSL site to deliver content to your users without validation getting in
the way and doing such things as warning them (or you) about the hijack.
This is a very *BAD* idea to be this broad even with the 3.2 configuration.

PS. The 3.3 release's server-first feature prevents it being necessary
almost all of the time, and has some built-in defaults for silencing the
"harmless" errors.

> # Or may be deny all according to your company policy
> # sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER

This is pretty much the same as "allow all" on cert errors. If you find
yourself needing this *at all*, then what you actually need to do is a)
update your ca-certificates package, which may involve adding the
"failing" server's CA manually to the openssl library configuration. See
the openssl documentation for more.

> sslcrtd_program /srv/squid32/libexec/ssl_crtd -s /srv/squid32/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow authdUsers
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access allow all

NOTE: read the above comment.

> always_direct allow HTTPS

NOTE: the above line disables using the cache_peer for any traffic.
Squid-3.2 to 3.4 (at least) do not support wrapping peer requests in
CONNECT so it's a good idea generally, but if you do trust the peer
proxy AND the pathway between proxies is secured AND the peer is
SSL-enabled it is reasonable to let the bumped requests through to it.

> never_direct allow all
>
> #emulate_httpd_log on
> strip_query_terms off
> #log_fqdn on
>
> logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

Please don't re-define the builtin logformat "squid". Use the one
provided or a different name.

PS. the documented format for "squid" is just an approximation using the
codes available. The real native squid format has slightly different
handling of some fields than the custom codes use.

> dns_nameservers 10.15.244.8 10.15.244.13
>
> # Squid normally listens to port 3128
> #http_port 3128
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/srv/squid32/ssl/private.pem cert=/srv/squid32/ssl/public.pem
> icp_port 3130
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /srv/squid32/var/cache/squid 3000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /srv/squid32/var/cache/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>

And the below lines do nothing at all because of "http_access allow all"
up above. It would be a good idea to move them back up above the CONNECT
rule so these security checks have a chance of working as intended.

> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports

Amos
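As an added example (not from the thread, and not Squid's own code), a small Python lint that reads a squid.conf fragment and reports the two problems raised above: http_access rules placed after an unconditional "allow all"/"deny all" (which Squid never evaluates, since http_access stops at the first match) and the directives that switch off certificate validation for bumped TLS. The sample config is a constructed excerpt of the quoted post, in its original order.

```python
"""Lint a squid.conf fragment for dead http_access rules and disabled TLS validation.
Added example; the sample below is constructed from the quoted post, not a real file."""
import re

# Constructed excerpt of the quoted config, same order as in the post.
SAMPLE_CONF = """\
http_access deny CONNECT !SSL_ports
http_access allow authdUsers
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
"""

def unreachable_http_access(conf):
    """Return (line_no, rule) for every http_access line that follows the first
    unconditional 'http_access allow all' / 'http_access deny all'.
    Squid evaluates http_access top-down and stops at the first match,
    so those later rules can never fire."""
    dead, terminal = [], False
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # squid.conf comments start with '#'
        if not line.startswith("http_access"):
            continue
        if terminal:
            dead.append((no, line))
        elif re.fullmatch(r"http_access\s+(allow|deny)\s+all", line):
            terminal = True
    return dead

def cert_validation_disabled(conf):
    """Return the directives that let certificate errors on bumped sites pass silently."""
    hits = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"sslproxy_cert_error\s+allow\s+all", line):
            hits.append(line)
        elif line.startswith("sslproxy_flags") and "DONT_VERIFY_PEER" in line:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for no, rule in unreachable_http_access(SAMPLE_CONF):
        print(f"line {no}: unreachable (after allow/deny all): {rule}")
    for directive in cert_validation_disabled(SAMPLE_CONF):
        print(f"certificate validation disabled by: {directive}")
```

Moving the manager and Safe_ports rules above the CONNECT rule, as Amos suggests, makes the first function return an empty list for the same fragment.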
Received on Fri May 10 2013 - 13:57:56 MDT