List: squid-users
Subject: Re: [squid-users] HTTPS woes
From: Olly Lennox <oliver () lennox-it ! uk>
Date: 2017-04-20 13:39:10
Message-ID: 1853580132.454651.1492695550555 () mail ! yahoo ! com
After two and a bit weeks on this I finally have the Raspberry Pi working as a transparent proxy server utilising Diladele to provide web filtering. I'm going to trial it all for the next few weeks to ensure that it's stable but so far the results have been positive and it's working with HTTP and HTTPS across Windows, iOS and Android devices.
I wanted to say a big thank you to everyone who has responded to my many messages. I'm sure there will be more to come but I wouldn't have got this far without your help so thank you very much.
FYI the following steps have been necessary:
HTTPS Squid on Raspberry Pi 3:
1. The stretch repositories are required to build squid 3.5 and should be enabled.
2. After running apt-get update you should downgrade to openssl v1.0 (from v1.1) to avoid build failures.
3. You must disable ecap functionality to avoid build failures; I couldn't get squid 3.5.23 to build with ecap regardless of the version of libecap I used.
4. Download the 3.5.23 source from stretch and follow a guide online to configure, make, and install the packages with ssl and ssl_crtd enabled (careful with the flags if you're following a guide for an older version of squid as the syntax changed).
5. Follow a guide online to install / configure squid 3.5 - specifically creating the cache folders and setting up ssl_crtd and the ssl cache.
6. Download the mozilla ca certs bundle (https://curl.haxx.se/ca/cacert.pem or google) which is required for HTTPS to work.
7. Ensure sslproxy_session_cache_size is disabled (example config below). Squid will not load on boot with this setting enabled.
8. Check permissions across your squid installation (specifically cache, ssl_crtd and certificate cache/locations) to ensure the proxy:proxy account has access.
9. Be careful of the runtime directories which are used. The default location on Rpi is /squid3 but this approach will move everything in /squid so be sure that you use the right one in your config.
10. Ensure you generate your self-signed CA certificate/key with SHA-256 (as a minimum) to avoid cert failures in the browser.
11. Bear in mind that your CA certificate will need to be installed/trusted on any device that you wish to use HTTPS on the network.
My Config:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt \
key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir ufs /cache 400 16 256
----------------
It's worth noting that I could not get udhcpd to start on boot with the Raspberry Pi (which seemed to be the recommended DHCP server online) and had to switch to ISC to get DHCP to work. Bind works fine though and the Diladele filter also installed without a hitch so it's only really DHCP that can trip you up.
Hope this helps someone
Olly
oliver@lennox-it.uk
lennox-it.uk
tel: 07900 648 252
________________________________
From: Alex Rousskov <rousskov@measurement-factory.com>
To: "'squid-users@squid-cache. org'" <squid-users@squid-cache.org>
Cc: Olly Lennox <oliver@lennox-it.uk>
Sent: Thursday, 20 April 2017, 1:21
Subject: Re: [squid-users] HTTPS woes
On 04/19/2017 05:35 PM, Olly Lennox wrote:
> I can confirm that disabling the ssl session cache seems to have resolved the issue.
Great!
> I found another post which references this patch to resolve the issue:
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-13984.patch
I am not sure that patch is related to any issues I have talked about.
What "another post" did you find?
> I check and the /dev/shm directory does exist with 777 permissions so
> from what I can see the OS should support it. I'm out of my depth
> here so maybe there is more to it but I can't see why squid couldn't
> write to this location.
Forget about my "OS environment is not compatible" theory (at least for
now). I now see that Squid is failing while trying to _open_ that memory
segment as opposed to failing while _creating_ it.
Did Squid try to create it? Set debug_options to "ALL,3 54,9" and search
for "shm_" and "ssl_session_cache" in cache.log for more clues.
Alex.
> ________________________________
> From: Alex Rousskov <rousskov@measurement-factory.com>
> To: "'squid-users@squid-cache. org'" <squid-users@squid-cache.org>
> Cc: Olly Lennox <oliver@lennox-it.uk>
> Sent: Thursday, 20 April 2017, 0:13
> Subject: Re: [squid-users] HTTPS woes
>
>
>
> On 04/19/2017 04:48 PM, Olly Lennox wrote:
>
> > After further investigation the problem is something to do with permissions related to ssl_crtd.
>
> No, it is not (or at least not yet).
>
>
> > I can run squid as root but using the default account (proxy?) it
> > won't run and is giving this error in cache.log:
>
> > 2017/04/19 23:43:54 kid1| helperOpenServers: Starting 1/8 'ssl_crtd' processes
> > FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-ssl_session_cache.shm): (2) No such file or directory
>
> The FATAL line is unrelated to the ssl_crtd line above it (this is one
> of several problems with FATAL error handling in Squid).
>
>
> > I've checked the file and folder permissions across all aspects of
> > squid and everything I can see is owned by proxy:proxy so not sure
> > where it is failing.
>
> Squid is failing when trying to open a shared memory segment used for
> storing SSL sessions. This probably means two things:
>
> 1. Your OS environment is not compatible with Squid shared memory needs
> (e.g., missing /dev/shm/ or equivalent). More info at
> http://wiki.squid-cache.org/Features/SmpScale#Ipc::Mem::Segment::create_failed_to_shm_open.28....29:_.282.29_No_such_file_or_directory
>
> 2. There is a bug in Squid: Squid should not create shared memory
> segments when running in non-SMP mode. Please consider reporting this
> bug if it has not been reported already. At the expense of losing SSL
> session resumption capabilities, you should be able to work around this
> bug by disabling the session cache:
> http://www.squid-cache.org/Doc/config/sslproxy_session_cache_size/
>
>
> HTH,
>
> Alex.
>
>
>
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow all
> >
> > http_port 3130
> >
> > http_port 3128 intercept
> > https_port 3129 intercept ssl-bump generate-host-certificates=on \
> > dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt \
> > key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 \
> > dhparams=/etc/squid3/ssl_cert/dhparam.pem
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> > sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
> >
> > sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
> > sslcrtd_children 8 startup=1 idle=1
> >
> > coredump_dir /var/spool/squid
> >
> > # Add any of your own refresh_pattern entries above these.
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> > cache_dir ufs /cache 400 16 256
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
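Added example, not part of the thread and not Squid project code: a small Python linter that reads a squid.conf fragment and flags the SSL-bump pitfalls the thread converged on (a non-zero sslproxy_session_cache_size on a non-SMP build, which dies in shm_open at startup; SSLv3 left enabled on either side of the bump; cert/key and sslproxy_cafile split across /etc/squid and /etc/squid3 as in step 9; RC4 enabled in the cipher list without an exclusion). The two sample configs are constructed for the example and only mimic the shape of the posted one; the finding texts are mine.

```python
"""Lint a squid.conf fragment for the SSL-bump pitfalls raised in this thread.

Added example, not code from the thread or from the Squid project. The sample
configs are constructed; the checks encode the thread's advice (session cache
off on a non-SMP build, SSLv3 off, one config directory for the ssl_cert files,
no RC4 without a !RC4 exclusion).
"""
import re

# Constructed: the shape of the original config with the setting that crashed
# Squid at startup (a non-zero session cache) and the mixed squid/squid3 paths.
BAD_CONF = """\
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt \\
    key=/etc/squid3/ssl_cert/squid.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher EECDH+aRSA+AESGCM:EECDH+aRSA+RC4:!aNULL
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
sslproxy_session_cache_size 2MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
"""

# Constructed: the same fragment with the fixes from the thread applied.
GOOD_CONF = """\
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid.crt \\
    key=/etc/squid/ssl_cert/squid.key options=NO_SSLv3
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP
sslproxy_cafile /etc/squid/ssl_cert/mozcacert.pem
sslproxy_session_cache_size 0
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
"""

ZERO_SIZE = re.compile(r"0(KB|MB|GB)?", re.IGNORECASE)
ETC_DIR = re.compile(r"^(/etc/[^/]+)/")


def parse_directives(text):
    """Return [(name, [args...])]: join backslash-continued lines, drop
    comments and blank lines, split the rest on whitespace."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    directives = []
    for line in logical:
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)

    # 1. Session cache: Squid 3.5 defaults this to 2MB, and in the thread a
    #    non-SMP build then failed to shm_open the segment at startup.
    sizes = by_name.get("sslproxy_session_cache_size", [])
    value = sizes[-1][0] if sizes and sizes[-1] else ""
    if not ZERO_SIZE.fullmatch(value):
        findings.append("sslproxy_session_cache_size is %s; set it to 0 so a non-SMP "
                        "Squid does not try to shm_open /squid-ssl_session_cache.shm"
                        % (repr(value) if value else "unset (default 2MB)"))

    # 2. Client-facing bumping port: NO_SSLv3 plus a cert/key pair.
    cert_dirs = set()
    for args in by_name.get("https_port", []):
        if "ssl-bump" not in args:
            continue
        kv = dict(a.split("=", 1) for a in args if "=" in a)
        if "NO_SSLv3" not in kv.get("options", "").split(","):
            findings.append("https_port %s: add options=NO_SSLv3" % args[0])
        for key in ("cert", "key"):
            if key not in kv:
                findings.append("https_port %s: missing %s=" % (args[0], key))
            else:
                m = ETC_DIR.match(kv[key])
                if m:
                    cert_dirs.add(m.group(1))

    # 3. Server-facing side: SSLv2/SSLv3 off, no RC4 slipping through.
    for args in by_name.get("sslproxy_options", []):
        opts = set(",".join(args).split(","))
        for needed in ("NO_SSLv2", "NO_SSLv3"):
            if needed not in opts:
                findings.append("sslproxy_options: add %s" % needed)
    for args in by_name.get("sslproxy_cipher", []):
        suites = ":".join(args).split(":")
        enables_rc4 = any("RC4" in s and not s.startswith("!") for s in suites)
        if enables_rc4 and "!RC4" not in suites:
            findings.append("sslproxy_cipher: RC4 enabled without a !RC4 exclusion")

    # 4. CA bundle for verifying origin servers (step 6) and one config
    #    directory for the ssl_cert files (the /etc/squid vs /etc/squid3 trap).
    cafiles = by_name.get("sslproxy_cafile", [])
    if not cafiles or not cafiles[-1]:
        findings.append("sslproxy_cafile: missing; bumped HTTPS cannot verify origins")
    else:
        m = ETC_DIR.match(cafiles[-1][0])
        if m:
            cert_dirs.add(m.group(1))
    if len(cert_dirs) > 1:
        findings.append("ssl_cert paths span %s; pick one config directory"
                        % ", ".join(sorted(cert_dirs)))
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        found = lint(conf)
        print("%s: %d finding(s)" % (label, len(found)))
        for f in found:
            print("  -", f)
```

Run it against your real squid.conf with `lint(open("/etc/squid/squid.conf").read())`; the parser honours Squid's backslash continuations, so the multi-line https_port directive is handled as one entry. The checks are deliberately narrow: they cover only the settings this thread touched and are not a substitute for `squid -k parse`.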