Netgate Discussion Forum

    Troubleshooting sites that won't load using Squid bump

    Cache/Proxy
    34 Posts 2 Posters 3.7k Views
michmoor:

    @JonathanLee
    I am using Squid with bumping. When sites don't load I assume it's something wrong with the bumping and I whitelist. Is there a way I can tell in Squid that a site's not loading due to a problem with the bumping and not an issue with the site itself?
    Anything I should look for in the logs?
JonathanLee:

    @michmoor I created a splice file that I use with specific sites that can't be bumped, like banks etc. That is how I get around this issue.

    Make sure to upvote
michmoor:

    @JonathanLee But my question is HOW do you know there is an issue in the first place?
JonathanLee:

    @michmoor [screenshot: 1686120112587-screenshot-2023-06-06-at-11.41.11-pm.png]

    Advanced config: I have some internal IP addresses that I splice and others I inspect, plus my splice file for all. Customizable to your needs.

    [screenshot: 1686120212111-screenshot-2023-06-06-at-11.43.20-pm.png]

    Make sure to upvote
JonathanLee:

    @michmoor I only know there is an issue when the websites won't load. I am on a home network, so family complains when they want a new site that won't work. I would normally watch Squid, look for HTTP 500, and look at those websites.

    Make sure to upvote

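    Added example, not code from the thread, from pfSense or from the Squid project: a small Node.js script that parses Squid's native access.log format and ranks destination hosts by the share of failed responses, the HTTP 500 signal JonathanLee describes watching for. The log lines embedded in it are constructed samples; the exact result codes a failed bump produces depend on where the TLS handshake breaks, so the "status 000 or 5xx" rule is a first filter for hosts worth moving to the splice list, not a proof that bumping is the cause.

```javascript
// Added example: rank destination hosts in a Squid native access.log by their
// share of failed responses (HTTP 5xx or a logged status of 000). The log
// lines below are constructed samples, not taken from the forum or a real proxy.

const SAMPLE_LOG = `
1686120112.587    120 192.168.14.23 TCP_TUNNEL/200 3245 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1686120113.101     45 192.168.14.23 TCP_MISS/200 5120 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1686120115.200     10 192.168.14.40 NONE_NONE/000 0 CONNECT bank.example:443 - HIER_NONE/- -
1686120116.400     30 192.168.14.40 TCP_MISS/503 3400 GET https://bank.example/login - HIER_NONE/- text/html
1686120117.900     22 192.168.14.23 TCP_MISS/404 900 GET https://example.com/missing - HIER_DIRECT/93.184.216.34 text/html
`;

// Squid native log format (the pfSense default):
// time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null; // blank or truncated line
  const [timestamp, elapsed, client, codeStatus, bytes, method, url] = f;
  const [resultCode, statusText] = codeStatus.split('/');
  const status = Number.parseInt(statusText, 10);
  return {
    timestamp: Number(timestamp),
    elapsedMs: Number(elapsed),
    client,
    result: codeStatus,
    resultCode,
    status: Number.isNaN(status) ? 0 : status,
    bytes: Number(bytes),
    method,
    url,
    host: hostOf(method, url),
  };
}

// CONNECT lines carry host:port rather than a full URL.
function hostOf(method, url) {
  if (method === 'CONNECT') {
    const idx = url.lastIndexOf(':');
    return idx === -1 ? url : url.slice(0, idx);
  }
  try {
    return new URL(url).hostname;
  } catch {
    return url;
  }
}

// A response counts as failed when Squid logged no status (000) or a 5xx.
function isFailure(entry) {
  return entry.status === 0 || entry.status >= 500;
}

// Per-host totals, sorted so the worst offenders come first.
function summarize(logText) {
  const perHost = new Map();
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e) continue;
    const row = perHost.get(e.host) || { host: e.host, total: 0, failed: 0, codes: new Set() };
    row.total += 1;
    if (isFailure(e)) {
      row.failed += 1;
      row.codes.add(e.result);
    }
    perHost.set(e.host, row);
  }
  return [...perHost.values()]
    .map(r => ({ ...r, codes: [...r.codes].sort(), failRatio: r.failed / r.total }))
    .sort((a, b) => b.failRatio - a.failRatio || b.failed - a.failed);
}

// Hosts at or above the threshold are the ones to check against a splice-only list.
function splicedCandidates(logText, minFailRatio = 0.5) {
  return summarize(logText).filter(r => r.failRatio >= minFailRatio).map(r => r.host);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of summarize(SAMPLE_LOG)) {
    console.log(`${r.host.padEnd(20)} ${r.failed}/${r.total} failed  ${r.codes.join(',')}`);
  }
  console.log('candidates for splice:', splicedCandidates(SAMPLE_LOG));
}
```

    Point it at a real access.log (on pfSense, /var/squid/logs/access.log) by reading the file into `summarize` instead of `SAMPLE_LOG`; a host that fails every time from bumped clients but loads fine from a spliced client is the pattern the thread is about.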
michmoor:

    @JonathanLee Ahhhh, gotcha. So maybe a 500, but really it's if your family says something doesn't work.
    Thanks Jonathan!!
JonathanLee:

    @michmoor Are you looking for a log of what sites are having issues? Check out the Squid proxy logs.

    Make sure to upvote
michmoor:

    @JonathanLee Are you utilizing LightSquid as well? Curious as to what made you deploy Squid.
    I'm thinking about placing it on another VLAN at home, maybe my wireless, but using transparent proxy.
JonathanLee:

    @michmoor Yes, I also use LightSquid. I have children, so I use it to block specific websites and use timers for access, alongside use of a blacklist.

    Make sure to upvote
JonathanLee:

    @michmoor Transparent proxy is the quick way to go; it works great. I wanted the HTTPS scan for ClamAV to work.

    https://forum.it-monkey.net/index.php?topic=23.0

    This website is great for help setting up; I am so thankful for whoever made this.

    [screenshot: 1686121145228-screenshot-2023-06-06-at-11.58.44-pm.png]
    ClamAV with HTTPS scans

    Make sure to upvote
michmoor:

    So transparent proxy works with LightSquid then?
    Right now I am only bumping one VLAN. I am planning on the kids' VLAN without bumping, as I can't install a certificate on those devices.
JonathanLee:

    @michmoor LightSquid does. Should be a great project/puzzle to work on. My issue was Xbox not having options for proxy use like all the other game systems. So I used DHCP option 252 to configure the proxy and set it for transparent use.

    Make sure to upvote
michmoor:

    @JonathanLee So I've set DHCP option 252 but it doesn't seem to be working at all.

    I have LAN1: that's set for SSL intercept. I got certificates installed on all my client machines. Working.
    I have LAN2: this is WiFi. I got transparent mode set up. I've set DHCP option 252. I still don't see SSL/TLS being intercepted and seeing the reports in LightSquid.

    My iPhone is getting the option. Nothing in LightSquid on port 443.

    [image: e38a8ec1-0d4f-4f3e-b214-9325b72b9902-image.png]
JonathanLee:

    @michmoor You have WPAD files set up also? Just to confirm.

    The Squid proxy must have both options enabled, and you will have to use advanced config to direct what VLAN subnets need splice and what needs intercept. I have only done it with specific IP addresses; again, you must add the subnets to Squid for use also.

    [screenshot: Screenshot 2023-06-07 at 2.57.36 PM.png]
    (both options enabled)

    [screenshot: Screenshot 2023-06-07 at 2.59.06 PM.png]
    (add in other VLAN subnets)

    Make sure to upvote
JonathanLee:

    @JonathanLee

    https://wiki.squid-cache.org/SquidFaq/SquidAcl

    Use this webpage with advanced config and set up the subnets under Custom Options, SSL/MITM area. Notice mine has splice only set for some, and others are not; they are MITM.

    [screenshot: Screenshot 2023-06-07 at 3.07.11 PM.png]
    (option 252 I set up in the DHCP server for auto proxy config; you must allow access to the firewall's port, however, with use of this)

    https://192.168.1.1:8080/wpad.dat
    I am using 8080 for firewall access, so it must be set that way under the DHCP option 252 and access control lists.

    Make sure to upvote
JonathanLee:

    @JonathanLee

    Make sure your ACLs are configured also to force proxy use.

    [screenshot: Screenshot 2023-06-07 at 3.09.21 PM.png]

    If you want to take it further, block DoH requests also with SquidGuard once you get it going.

    Make sure to upvote
michmoor:

    @JonathanLee You are a true gent. Thanks so much. I'm not using custom configs, but that looks like the next step.
michmoor:

    @JonathanLee So what do you use WPAD for? My understanding is that it informs clients that are set up to find a proxy server where it is. These are not for your clients that are set up for bump, right?

    Edit: came up with my custom config using you as a guide. I don't have SSL transparent on, as I'm using proxy authentication on certain VLANs.
    So for my iPads and Xboxes, do I have to find proxy configuration in the software?

    acl splice_only src 192.168.14.0/24
    acl splice_only src 192.168.23.0/24
    acl NoSSLCIntercept ssl::server_name_regex -i "/usr/local/pkg/url.nobump"
    ssl_bump splice splice_only
    ssl_bump splice NoSSLCIntercept
    ssl_bump bump all
JonathanLee:

    @michmoor Great configuration. I use WPAD for automatic proxy configuration. Some laptops go back and forth from work or others to the university, so I have WPAD set to auto-configure when they get back on our home network. This way I do not have to manually set them to the proxy each and every time they come home versus out in the world. To answer your question about the Xbox and iPad: I splice them, as you cannot load a certificate into Xbox, but you can on the iPad. The iPad I just have to set to splice so it runs and still does URL blocking; it's my wife's and it works better. The only ones I have set to intercept are ones I use for programming and cyber security researching. DHCP option: all it does is serve the WPAD even when it's not asked; this is for when the laptop is not set to auto for proxy, it will still configure to the proxy this way. It's like a double version. If the laptop is set to auto it configures, and if not it auto-configures the proxy too. Stuff has to work without my manually changing proxy settings.

    Make sure to upvote

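    Added example, not the poster's own wpad.dat and not shipped with pfSense: a proxy auto-config (PAC) file of the kind DHCP option 252 points clients at, showing the routing decision WPAD makes on a home network. The proxy address 192.168.1.1:8080 is the one given earlier in the thread; the home domain "home.lan" and the treatment of RFC 1918 ranges are assumptions. The helper functions above FindProxyForURL are stand-ins for the ones a browser supplies, included only so the file can be exercised under Node; a deployed wpad.dat would contain FindProxyForURL alone.

```javascript
// Added example: a wpad.dat proxy auto-config file served via DHCP option 252.
// Proxy address is from the thread; the home domain and subnets are assumed.

// Stand-ins for the PAC helpers a browser provides (isPlainHostName, dnsDomainIs,
// isInNet). The real isInNet may resolve host names; this one only accepts IPv4
// literals so the file runs offline.
function isPlainHostName(host) { return !host.includes('.'); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ip4ToInt(ip) {
  return ip.split('.').reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ip4ToInt(mask);
  return ((ip4ToInt(host) & m) >>> 0) === ((ip4ToInt(net) & m) >>> 0);
}

// The Squid proxy on the pfSense firewall, as configured in the thread.
var PROXY = "PROXY 192.168.1.1:8080";

function FindProxyForURL(url, host) {
  // Plain host names and the home domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".home.lan")) return "DIRECT";
  // The firewall itself (web GUI and this PAC file on :8080) is reached directly.
  if (host === "192.168.1.1") return "DIRECT";
  // RFC 1918 destinations stay local rather than looping through the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through Squid. No "; DIRECT" fallback is offered:
  // with a fallback, a client would silently bypass URL filtering whenever the
  // proxy is unreachable, so enforcement is left to the firewall ACLs that
  // force proxy use.
  return PROXY;
}

// Sample decisions for a quick manual check (constructed hosts).
function sampleDecisions() {
  const hosts = ["printer", "nas.home.lan", "192.168.1.1", "10.20.30.40", "example.com"];
  return Object.fromEntries(hosts.map(h => [h, FindProxyForURL("https://" + h + "/", h)]));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sampleDecisions());
}
```

    Serve the file as wpad.dat from the URL configured in option 252 (in the thread, https://192.168.1.1:8080/wpad.dat) and make sure the firewall rule for that port exists, as JonathanLee notes; a client that cannot fetch the PAC file typically falls back to a direct connection, which is exactly the bypass the ACLs are there to block.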
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.