Havp + squid3 and the "SSL man in the middle Filtering" mode.

Good afternoon.
We have:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11
Installed packages:
HAVP 0.91_1 pkg v1.01, config:
# ============================================================
# HAVP config file
# This file generated automaticly with HAVP configurator (part of pfSense)
# (C)2008 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp.pid
# For small home use, 8 should be minimum.
# For 500 users corporate use, start at 40.
SERVERNUMBER 3
MAXSERVERS 100
# log
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
# syslog
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
LOG_OKS false
LOGLEVEL 0
# temp
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
#
DBRELOAD 180
TRANSPARENT false
# if HAVP is used as parent proxy by some other proxy, this allows to write the real users IP to log, instead of proxy IP.
FORWARDED_IP true
X_FORWARDED_FOR true
# havp is listening on
PORT 3125
BIND_ADDRESS 127.0.0.1
# Path to template files
TEMPLATEPATH /usr/local/share/examples/havp/templates/ru
# whitelist and blacklist
WHITELISTFIRST true
WHITELIST /usr/local/etc/havp/whitelist
BLACKLIST /usr/local/etc/havp/blacklist
# block file if error scanning
FAILSCANERROR false
# scanner
SCANNERTIMEOUT 10
RANGE true
# stream scan disabled
STREAMSCANSIZE 0
SCANIMAGES false
MAXSCANSIZE 5120000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
# After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive
TRICKLING 10
TRICKLINGBYTES 1
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
MAXDOWNLOADSIZE 0
# ClamAV Library Scanner (libclamav)
ENABLECLAMLIB false
# Clamd scanner (Clam daemon)
ENABLECLAMD true
CLAMDSERVER 127.0.0.1
CLAMDPORT 3310
squid3-dev 3.3.8 pkg 2.1.2, config:
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.ххх.10:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
https_port 127.0.0.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
icp_port 7
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language ru
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname www-proxy.ххх.local
cache_mgr ххх@ххх.local
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/pbi/squid-i386/share/certs/
sslproxy_cert_error allow all
sslproxy_cert_adapt setCommonName all
logfile_rotate 0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.ххх.0/24
uri_whitespace strip
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i .flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube
# Windows Update
refresh_pattern range_offset_limit -1
refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i my.windowsupdate.website.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
# Symantec
refresh_pattern range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
# Avast
refresh_pattern range_offset_limit -1
refresh_pattern avast.com/.*.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
# Avira
refresh_pattern range_offset_limit -1
refresh_pattern personal.avira-update.com/.*.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
cache_mem 48 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /usr1/squid/cache 500 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# No redirector configured
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.ххх.0/24
acl unrestricted_hosts src '/var/squid/acl/unrestricted_hosts.acl'
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Package Integration
never_direct allow all
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default
url_rewrite_program /usr/pbi/squidguard-squid3-i386/bin/squidGuard -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 5
# Custom options
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
always_direct allow all
ssl_bump server-first all
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
squidGuard-squid3 1.4_4 pkg v.1.9.5; I won't post its config.
The question is as follows:
havp is in "parent for squid" mode.
When squid is in transparent mode and the "SSL man in the middle Filtering" mode is off,
everything works: the EICAR test file is caught when downloaded from their site. From the squid log:
1380386280.919 283 192.168.ххх.222 TCP_MISS/403 2843 GET http://www.eicar.org/download/eicar_com.zip - FIRSTUP_PARENT/127.0.0.1 text/html
When the "SSL man in the middle Filtering" mode is on, squid ignores the havp parent. Why is that?
From the squid log:
1380386136.838 204 192.168.ххх.222 TCP_MISS/200 566 GET http://www.eicar.org/download/eicar_com.zip - HIER_DIRECT/188.40.238.250 application/octet-stream
Why HIER_DIRECT and not FIRSTUP_PARENT, as when the "SSL man in the middle Filtering" mode is off???
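The question above turns on how squid decides between a configured parent and a direct connection. As an added example (not part of the original post or of the pfSense package), here is a small Python script that flags the directive combination visible in the posted squid.conf (a parent cache_peer with never_direct allow all, plus always_direct allow all; squid evaluates always_direct before never_direct, so a matching allow routes the request direct and the parent is skipped) and that pulls HIER_DIRECT requests out of access.log lines. The configuration fragment and the log lines are constructed samples mirroring the ones in the post.

```python
import re

# Constructed sample squid.conf fragment, mirroring the relevant directives from the post.
SAMPLE_CONF = """\
never_direct allow all
cache_peer 127.0.0.1 parent 3125 0 name=havp no-query no-digest no-netdb-exchange default
always_direct allow all
ssl_bump server-first all
"""

# Constructed sample access.log lines in squid's native format (client IP is made up).
SAMPLE_LOG = """\
1380386280.919 283 192.168.0.222 TCP_MISS/403 2843 GET http://www.eicar.org/download/eicar_com.zip - FIRSTUP_PARENT/127.0.0.1 text/html
1380386136.838 204 192.168.0.222 TCP_MISS/200 566 GET http://www.eicar.org/download/eicar_com.zip - HIER_DIRECT/188.40.238.250 application/octet-stream
"""

def parent_bypass_reasons(conf_text):
    """Explain why a configured parent proxy can be skipped.

    Squid's peer selection consults always_direct first; when an always_direct allow
    rule matches, the request goes direct and never_direct/cache_peer play no role."""
    lines = [l.strip() for l in conf_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith('#')]
    parents = [l for l in lines if l.startswith('cache_peer') and ' parent ' in l]
    never_direct_all = any(re.match(r'never_direct\s+allow\s+all$', l) for l in lines)
    always_direct = [l for l in lines if l.startswith('always_direct') and ' allow ' in l]
    findings = []
    if parents and always_direct:
        findings.append('always_direct allow present with a parent cache_peer: matching requests bypass the parent')
    if never_direct_all and always_direct:
        findings.append('never_direct allow all is overridden by always_direct for matching requests')
    return findings

# Native log format: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LOG_RE = re.compile(r'^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([^/\s]+)/(\S+)\s+(\S+)')

def direct_requests(log_text):
    """Return URLs whose hierarchy code is HIER_DIRECT, i.e. requests that skipped the parent."""
    direct = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url, hier_code = m.group(7), m.group(9)
        if hier_code == 'HIER_DIRECT':
            direct.append(url)
    return direct

if __name__ == '__main__':
    print(parent_bypass_reasons(SAMPLE_CONF))
    print(direct_requests(SAMPLE_LOG))
```

Run it against the real /usr/pbi/squid-i386/etc/squid/squid.conf and /var/squid/logs/access.log to confirm whether the HAVP parent is being bypassed for scanned downloads.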