L A Walsh
2018-10-11 23:34:04 UTC
I seem to have a problem specifying the cipher list in the tls_outgoing
options.
The line I have:
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\
EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
Of note, I split the line here in email with '\', but in the config
file, it is one long line (w/o the '\').
The error I get from squid 4.0.25 is: (using check)
# /usr/sbin/squid -k check
2018/10/11 16:14:31| FATAL: Unknown TLS option
'=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
!MD5:!EXP:!PSK:!SRP:!DSS'
(w/o the splits).
I can't tell what it is objecting to.
To give it a rootcert, can I re-use the same rootcert
I had in 3.x?
Below is my config w/o comment lines. This is a private proxy.
acl msdata dstdomain \.data\.microsoft\.com
acl localnet src 127.0.0.0/8
acl localnet src 192.168.3.0/24
acl sc_subnet src 192.168.3.0/24
acl robot_txt url_regex -i ^http.*/robots.txt$
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1024-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Allowed_Connect port 1024-65535 #allowed non-SSL Connects to
non-reserved ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny msdata
http_access allow CONNECT Safe_Ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port ishtar.sc.tlinx.org:8118 ignore-cc ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=64MB
http_port ishtar.sc.tlinx.org:8080 ignore-cc
http_port 127.0.0.1:8118 ignore-cc
http_port 127.0.0.1:8080 ignore-cc
http_port wpad.sc.tlinx.org:80
acl WPAD urlpath_regex ^/wpad.dat$
deny_info 200:wpad.dat WPAD
http_access deny WPAD
reply_header_access Content-Type deny WPAD
reply_header_replace Content-Type application/x-ns-proxy-autoconfig
acl internal_net src 192.168.3.0/24
clientside_tos 0x54
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_session_ttl 900
sslproxy_session_cache_size 16 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s
/var/cache/squid/lib/ssl_db -M 128MB
maximum_object_size 2 GB
cache_dir aufs /var/cache/squid 98304 64 64
workers 1
log_mime_hdrs on
strip_query_terms off
buffered_logs on
cache_log /var/log/squid/cache.log squid
debug_options ALL,1,11,2 rotate=10
coredump_dir /var/cache/squid rotate=10
url_rewrite_host_header off
url_rewrite_access deny all
max_stale 60 days
refresh_pattern -i /robots.txt$ 600 90% 3600 ignore-reload
ignore-no-store ignore-must-revalidate ignore-private ignore-auth
override-lastmod store-stale
refresh_pattern -i download 10 50% 100800 override-expire ignore-private
ignore-must-revalidate
refresh_pattern -i \.flv 10080 90% 10080 override-expire ignore-private
refresh_pattern -i \.pdf 3600 90% 10080 ignore-no-store ignore-private
override-expire
refresh_pattern -i \.(ico|gif|jpg|png) 600 20% 4320
ignore-private override-expire
refresh_pattern ^http(s)?://bakabt.me 1200 30% 14320
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern ^http(s)?://*.bakashots.me 1200 30% 14320
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern -i \.html 0 20% 4320 ignore-private ignore-no-store
refresh_pattern -i (/cgi-bin/|\?) 0 10% 1 ignore-private
refresh_pattern ^(http|https): 0 20% 4320 ignore-private
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 MB
quick_abort_max 24 MB
quick_abort_pct 75
read_ahead_gap 768 MB
negative_ttl 2 seconds
range_offset_limit 1 MB
store_avg_object_size 256 KB
store_objects_per_bucket 32
request_header_max_size 1 MB
client_request_buffer_max_size 2 MB
vary_ignore_expire on
request_header_access Strict-Transport-Security deny all
request_header_replace Strict-Transport-Security max-age=0;
includeSubDomains
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
collapsed_forwarding on
forward_timeout 10 seconds
request_timeout 45 seconds
request_timeout 45 seconds
ident_timeout 1 seconds
shutdown_lifetime 8 seconds
visible_hostname web-proxy
hostname_aliases ishtar ishtar.sc.tlinx.org web-proxy ns1.sc.tlinx.org
webproxy
umask 002
always_direct allow all
dns_packet_max 1400 bytes
dns_defnames on
dns_v4_first on
memory_pools_limit 2 GB
forwarded_for transparent
reload_into_ims on
connect_retries 2
retry_on_error on
pipeline_prefetch 8
high_response_time_warning 15000
high_page_fault_warning 512
options.
The line I have:
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH+ECDSA+AESGCM:\
EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:\
EECDH+aRSA+SHA256:EECDH+aRSA+RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
Of note, I split the line here in email with '\', but in the config
file, it is one long line (w/o the '\').
The error I get from squid 4.0.25 is: (using check)
# /usr/sbin/squid -k check
2018/10/11 16:14:31| FATAL: Unknown TLS option
'=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:\
EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:\
!MD5:!EXP:!PSK:!SRP:!DSS'
(w/o the splits).
I can't tell what it is objecting to.
To give it a rootcert, can I re-use the same rootcert
I had in 3.x?
Below is my config w/o comment lines. This is a private proxy.
acl msdata dstdomain \.data\.microsoft\.com
acl localnet src 127.0.0.0/8
acl localnet src 192.168.3.0/24
acl sc_subnet src 192.168.3.0/24
acl robot_txt url_regex -i ^http.*/robots.txt$
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1024-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Allowed_Connect port 1024-65535 #allowed non-SSL Connects to
non-reserved ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny msdata
http_access allow CONNECT Safe_Ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port ishtar.sc.tlinx.org:8118 ignore-cc ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=64MB
http_port ishtar.sc.tlinx.org:8080 ignore-cc
http_port 127.0.0.1:8118 ignore-cc
http_port 127.0.0.1:8080 ignore-cc
http_port wpad.sc.tlinx.org:80
acl WPAD urlpath_regex ^/wpad.dat$
deny_info 200:wpad.dat WPAD
http_access deny WPAD
reply_header_access Content-Type deny WPAD
reply_header_replace Content-Type application/x-ns-proxy-autoconfig
acl internal_net src 192.168.3.0/24
clientside_tos 0x54
tls_outgoing_options
options=NOSSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE,cipher=EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_session_ttl 900
sslproxy_session_cache_size 16 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s
/var/cache/squid/lib/ssl_db -M 128MB
maximum_object_size 2 GB
cache_dir aufs /var/cache/squid 98304 64 64
workers 1
log_mime_hdrs on
strip_query_terms off
buffered_logs on
cache_log /var/log/squid/cache.log squid
debug_options ALL,1,11,2 rotate=10
coredump_dir /var/cache/squid rotate=10
url_rewrite_host_header off
url_rewrite_access deny all
max_stale 60 days
refresh_pattern -i /robots.txt$ 600 90% 3600 ignore-reload
ignore-no-store ignore-must-revalidate ignore-private ignore-auth
override-lastmod store-stale
refresh_pattern -i download 10 50% 100800 override-expire ignore-private
ignore-must-revalidate
refresh_pattern -i \.flv 10080 90% 10080 override-expire ignore-private
refresh_pattern -i \.pdf 3600 90% 10080 ignore-no-store ignore-private
override-expire
refresh_pattern -i \.(ico|gif|jpg|png) 600 20% 4320
ignore-private override-expire
refresh_pattern ^http(s)?://bakabt.me 1200 30% 14320
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern ^http(s)?://*.bakashots.me 1200 30% 14320
ignore-private override-expire ignore-no-store ignore-no-cache
ignore-must-revalidate
refresh_pattern -i \.html 0 20% 4320 ignore-private ignore-no-store
refresh_pattern -i (/cgi-bin/|\?) 0 10% 1 ignore-private
refresh_pattern ^(http|https): 0 20% 4320 ignore-private
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 MB
quick_abort_max 24 MB
quick_abort_pct 75
read_ahead_gap 768 MB
negative_ttl 2 seconds
range_offset_limit 1 MB
store_avg_object_size 256 KB
store_objects_per_bucket 32
request_header_max_size 1 MB
client_request_buffer_max_size 2 MB
vary_ignore_expire on
request_header_access Strict-Transport-Security deny all
request_header_replace Strict-Transport-Security max-age=0;
includeSubDomains
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
collapsed_forwarding on
forward_timeout 10 seconds
request_timeout 45 seconds
request_timeout 45 seconds
ident_timeout 1 seconds
shutdown_lifetime 8 seconds
visible_hostname web-proxy
hostname_aliases ishtar ishtar.sc.tlinx.org web-proxy ns1.sc.tlinx.org
webproxy
umask 002
always_direct allow all
dns_packet_max 1400 bytes
dns_defnames on
dns_v4_first on
memory_pools_limit 2 GB
forwarded_for transparent
reload_into_ims on
connect_retries 2
retry_on_error on
pipeline_prefetch 8
high_response_time_warning 15000
high_page_fault_warning 512