Netgate Discussion Forum

SQUID TO ONLY SEE DOMAINS WITHOUT DECRYPTING CONTENT

Cache/Proxy
6 Posts 2 Posters 324 Views
    tiago.duarte
    last edited by Mar 26, 2025, 7:33 PM

    Good afternoon, how are you?
    First of all, please excuse my English.
    I'm trying to get a squid to work and I have no need to decrypt SSL.
    I was able to see the https domains, but I didn't want the proxy to be non-transparent.
    What happens is the following:
    When I configure the proxy on my computer, I can see the https domains.
    Example: instagram.com:443
    When I don't configure it on my computer, it doesn't appear.
    The transparent proxy in pfsense is active and the ssl interception is disabled.
    Is there any way I can avoid this configuration? I don't want to create a GPO for this. I'm in a domain and I wanted it to be extremely simple (just to see the domain).
    Thank you in advance.

      JonathanLee @tiago.duarte
      last edited by Mar 30, 2025, 4:54 PM

      @tiago-duarte Splice only should work for what you are doing.

      Make sure to upvote

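What "splice only" looks like in squid.conf, as an added example that is not from this thread and not the squid.conf the pfSense package generates. It assumes a Squid 5 or 6 build with OpenSSL, a LAN address of 192.168.1.1, a CA file at the hypothetical path /usr/local/etc/squid/ca.pem, and a firewall redirect of LAN port 80 to 3129 and port 443 to 3130. After the peek at step 1, `ssl_bump splice all` tunnels the TLS bytes untouched, so nothing is decrypted and clients do not need to trust the CA; Squid nevertheless refuses to start an ssl-bump port without a certificate, which is why the file still names one. The logformat line writes the SNI into the access log, which is the "just see the domain" visibility the question asks for.

```squid
# Added example (not from the thread): peek at the TLS ClientHello for the
# SNI, log it, then splice (tunnel) the connection without decrypting it.
# Assumptions: Squid 5/6 with OpenSSL, LAN address 192.168.1.1, CA file at
# the hypothetical path /usr/local/etc/squid/ca.pem, and a firewall rule
# redirecting LAN port 80 to 3129 and port 443 to 3130.

# Explicit port for clients configured via WPAD/PAC or by hand
http_port 192.168.1.1:3128

# Transparent (intercepted) HTTP
http_port 192.168.1.1:3129 intercept

# Transparent HTTPS: ssl-bump is required to read the ClientHello at all, and
# Squid requires a certificate on every ssl-bump port even when it only
# splices. No per-host certificates are generated because nothing is bumped.
https_port 192.168.1.1:3130 intercept ssl-bump tls-cert=/usr/local/etc/squid/ca.pem generate-host-certificates=off

acl localnet src 192.168.1.0/24
acl step1 at_step SslBump1

# Step 1: read the client's ClientHello (this yields the SNI), do not touch it.
ssl_bump peek step1
# Everything else: tunnel the bytes as-is. Nothing is decrypted.
ssl_bump splice all

# Record the SNI (%ssl::>sni) next to the usual fields, so the domain is visible
# even though the request line of an intercepted connection is a fake CONNECT.
logformat sni %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni
access_log /var/squid/logs/access.log sni

http_access allow localnet
http_access deny all
```

A spliced connection shows up in access.log as TCP_TUNNEL with the SNI in the last field. The transparent half only works when port 443 is actually redirected to the https_port; in the pfSense package that redirect comes with enabling HTTPS/SSL interception (with splice-all as the mode), so with interception switched off HTTPS never reaches Squid, which is the likely reason only the explicitly configured client showed instagram.com:443 in the question's setup.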
        tiago.duarte @JonathanLee
        last edited by Mar 31, 2025, 9:29 PM

        @JonathanLee
        Good evening,
        It doesn't work =/. I wish it were that simple. It does work, but it generates a lot of problems.
        I managed to make Squid work without activating SSL inspection using proxy.pac on an Nginx server. But now I have 3 problems:
        1- I need it to work on Firefox.
        2- I need it to work on cell phones.
        3- I need it to not only be for those who receive IP via DHCP.
        It should be simpler to solve this, right?

          JonathanLee @tiago.duarte
          last edited by JonathanLee Apr 1, 2025, 12:44 AM (posted Mar 31, 2025, 11:37 PM)

          @tiago-duarte You should install certificates on the devices you own; yes, using WPAD is a big part. You also might have to use custom configuration options.

          Example of custom refresh patterns area

          #if ${process_number} = 2
          #cache_dir diskd /nvme/LOGS_Optane/Squid_Cache_B 32000 64 256
          #endif #for use with multiple squid processes for added speed do not use macros unless you know what cache system to use or it will cause issues. Ignore this
          
          acl block_hours time 00:30-05:00 #time based block: my proxy locks up for the night at 00:30 and opens again at 05:00
          ssl_bump terminate all block_hours
          http_access deny all block_hours
          icp_port 0
          htcp_port 0
          snmp_port 0
          icp_access deny all
          htcp_access deny all
          snmp_access deny all
          acl getmethod method GET
          acl to_ipv6 dst ipv6
          acl from_ipv6 src ipv6
          
          #tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
          tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
          #tls_outgoing_options default-ca=on
          
          acl HttpAccess dstdomain "/usr/local/pkg/http.access"
          acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
          #acl rewritedoms dstdomain "/usr/local/pkg/desdom"
          
          #store_id_program /usr/local/libexec/squid/storeid_file_rewrite  /var/squid/storeid/storeid_rewrite.txt #store id stuff ignore this 
          #store_id_children 10 startup=5 idle=1 concurrency=0
          #always_direct allow all
          #store_id_access deny connect
          #store_id_access deny !getmethod
          #store_id_access allow rewritedoms
          #store_id_access deny all
          
          refresh_all_ims on
          reload_into_ims on
          max_stale 20 years
          minimum_expiry_time 0
          
          
          
          refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
          refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
          refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
          refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
          refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
          refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200 refresh-ims
          
          acl https_login url_regex -i ^https.*(login|Login).* #for use with never logging passwords or logins
          cache deny https_login
          
          range_offset_limit 512 MB windowsupdate #for use with caching updates to be ecofriendly acceleration use. 
          range_offset_limit 0 !windowsupdate
          quick_abort_min -1 KB
          

          Example of mine: I use certificates and intercept as well as splice, by need and use. Squid is highly complex; it's not really a plug-and-play package. If you want a plug-and-play package, use pfBlockerNG or something like that.

          ssl_engine devcrypto #for use with an onboard cryptographic accelerator; some squid versions can access this. The 2100 has a SafeXcel chip and it vastly improves certificate generation.
          acl wpad urlpath_regex ^/wpad.dat$
          acl wpad urlpath_regex ^/proxy.pac$
          acl wpad urlpath_regex ^/wpad.da$
          deny_info TCP_RESET wpad
          #deny_info 200:/etc/squid/wpad.dat wpad
          reply_header_access Content-Type deny wpad
          http_access deny wpad
          http_access deny !safeports
          http_access deny CONNECT !sslports
          #http_access allow localhost manager
          #http_access deny manager
          cachemgr_passwd disable offline_toggle reconfigure shutdown
          cachemgr_passwd REDACTED_PASSWORD all
          eui_lookup on
          acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
          acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
          acl CONNECT method CONNECT
          acl wuCONNECT dstdomain www.update.microsoft.com
          acl wuCONNECT dstdomain sls.microsoft.com
          http_access allow CONNECT wuCONNECT localnet
          http_access allow CONNECT wuCONNECT localhost
          http_access allow CONNECT windowsupdate localnet
          http_access allow CONNECT windowsupdate localhost
          http_access allow CONNECT HttpAccess localnet
          http_access allow CONNECT HttpAccess localhost
          #http_access deny manager
          http_access deny to_ipv6
          http_access deny from_ipv6
          #acl deny_rep_mime_doh rep_mime_type application/dns-message
          #acl deny_rep_mime_doh rep_mime_type text/dns
          #acl deny_rep_mime_doh rep_mime_type application/dns+json
          #http_reply_access deny deny_rep_mime_doh
          
          #acl doh_rfc8484 urlpath_regex -i ^/dns-query
          #acl doh_rfc8484 urlpath_regex -i dns=
          #acl doh_rfc8484 urlpath_regex -i ^/resolve
          #acl doh_group any-of deny_rep_mime_doh doh_rfc8484
          #http_access deny doh_group
          
          acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
          acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
          sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
          sslproxy_cert_error deny all
          
          acl splice_only_ip src 192.168.1.8 #Tasha iPhone
          acl splice_only_ip src 192.168.1.10 #Jon iPhone
          acl splice_only_ip src 192.168.1.11 #Amazon Fire
          acl splice_only_ip src 192.168.1.15 #Tasha HP
          acl splice_only_ip src 192.168.1.16 #iPad
          
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #Tashas iPhone
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #Jon iPhone
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #Amazon Fire
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #Tasha HP
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #iPad
          
          acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump" #another splice only list that is regex based
          acl NoBumpDNS dstdomain -n "/usr/local/pkg/dns.nobump" #splice only list I created
          acl SSL_Intercept_Terminate dstdomain -n "/usr/local/pkg/url.bump" #this is for do not allow lists
          
          acl active_use annotate_client active=true
          
          acl bump_only_ip src 192.168.1.3 #webtv
          acl bump_only_ip src 192.168.1.4 #toshiba
          acl splice_only_ip src 192.168.1.5 #imac
          #acl bump_only_ip src 192.168.1.6 #Zero
          acl bump_only_ip src 192.168.1.9 #macbook
          acl splice_only_ip src 192.168.1.13 #dell
          
          acl bump_only_mac arp REDACTED_MAC_ADDRESS #PI
          acl bump_only_mac arp REDACTED_MAC_ADDRESS #Toshiba-Portege
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #iMac
          #acl bump_only_mac arp REDACTED_MAC_ADDRESS #Zero
          acl bump_only_mac arp REDACTED_MAC_ADDRESS #MacBook
          acl splice_only_mac arp REDACTED_MAC_ADDRESS #Dell_Laptop
          
          collapsed_forwarding on
          negative_dns_ttl 5 minutes
          coredump_dir /nvme/LOGS_Optane/Squid_Dump #I use a custom NVMe drive for logs and dump files
          read_ahead_gap 64 KB #ignore this
          pipeline_prefetch 100 #ignore this
          happy_eyeballs_connect_timeout 10 #ignore this
          #memory_pools on
          
          #acl terminate_group any-of SSL_Intercept_Terminate deny_rep_mime_doh doh_rfc8484 to_ipv6 from_ipv6
          acl terminate_group any-of SSL_Intercept_Terminate to_ipv6 from_ipv6 #ISP does not allow ipv6 so when I am not using HE tunnel it is blocked
          acl splice_group any-of https_login NoBumpDNS NoSSLIntercept #splice all of these 
          acl splice_only_local_group all-of splice_only_mac splice_only_ip #splice if ip and mac match
          acl splice_main any-of splice_group splice_only_local_group #create a single file to work with below ssl section
          acl bump_main all-of bump_only_mac bump_only_ip #inspection area bump everything and generate certificates for it. 
          
          ssl_bump peek step1 #peek at step one on everything  
          ssl_bump terminate terminate_group #if you find a terminate item stop it
          miss_access deny no_miss active_use #do not store logins for anything so no miss store do not store them on the cache
          ssl_bump splice splice_main active_use #so splice the splice items and annotate them as active for squid
          ssl_bump bump bump_main active_use #same bump the bump items and annotate them 
          acl activated note active_use true #annotate is not moved to ACL
          ssl_bump terminate !activated #terminate anything that was not marked active within my ACLS. Added security 
          

          It is a complex package to configure. If you do get it working, it is amazing to see it run with IPv6 and IPv4 and acceleration of Windows updates. I hope that helps, but again you might benefit from installation of certificates so that the systems trust the proxy.

          WPAD HELP:
          https://forum.netgate.com/topic/195585/unofficial-guide-squid-external-raspberry-pi-wpad-lighttpd-server-guide-with-raspberry-zero-lcd-hat-code/

          SECONDARY OR EXTERNAL DRIVE LOGGING HELP:
          https://forum.netgate.com/topic/195843/unofficial-guide-have-package-logs-record-to-a-secondary-ssd-drive-snort-syslog-squid-and-or-squid-cache-system

          Keep in mind, if you get it working and have some knowledge of how it works, Squid also has an email system for help; you must register to use it.

          https://www.squid-cache.org/

          squid-users@lists.squid-cache.org

          It is not a walk in the park; some countries do not allow you to do SSL intercept and/or use a proxy. So, make sure you can use it before you attempt it. Do not abuse it. I have the bump set up so I can do antivirus scans and acceleration. Again, most of the time I use splice on devices, but you have to tell the package how to work.

          Make sure to upvote

            tiago.duarte @JonathanLee
            last edited by Apr 1, 2025, 11:19 AM

            @JonathanLee
            Good morning,
            Thanks for the clarification.
            So, I don't see the need to intercept SSL. I just want to see the domain at the SNI level. Regarding SSL interception, I can even create environments and test. But I'm on a network of 2000 computers, which ends up causing wear and tear. If I solve those first 3 problems I mentioned above, it will already be a big step forward for me.
            You said that splice works; in this case, do you use Squid + Ubuntu or pfSense?

              JonathanLee @tiago.duarte
              last edited by Apr 1, 2025, 8:43 PM

              @tiago-duarte Squid + pfSense Plus

              Make sure to upvote

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.