Some troubles configure proxy and https website

@saitobenkei, I can’t understand the question.
Please, describe in full details what you expect and what you find/see.

@malmsteen, I can’t reproduce the problem.
Please, have a look at the logs: /var/log/squid/cache.log and access.log.
Also, /var/ufdbguard/logs/ufdbguardd.log (look for twitter).

Hallo,

This behaviour comes from ufdbGuard when it is blocking https sites…
Please read the ufdbGuard manual; it's described there, but if I understand it right there is no solution for that at the moment.


For sites you have blocked? This comes from ufdbGuard, like @denis.robel said. If the error appears on sites you don't block, we have to look at what went wrong.

Hi, this morning I tried to connect to some https sites that are not blocked by the web filter; this is the ufdbguardd.log output:

“2017-03-29 08:58:50 [5152] BLOCK it_user1 10.39.5.162 src_pippo files safebrowsinggooglecom:443 CONNECT
2017-03-29 08:58:51 [5152] BLOCK it_user1 10.39.5.162 src_pippo files shavarservicesmozilla.com:443 CONNECT
2017-03-29 08:59:04 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:05 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:05 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files www.googlecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:06 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 08:59:09 [5152] BLOCK it_user1 10.39.5.162 src_pippo files wwwgooglecom:443 CONNECT
2017-03-29 09:00:31 [5152] BLOCK it_user1 10.39.5.162 src_pippo files mailyahoocom:443 CONNECT”

and from access.log

“1490770749.617 0 10.39.5.162 TCP_DENIED/407 4169 CONNECT wwwgooglecom:443 - HIER_NONE/- text/html
1490770749.652 31 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT wwwgooglecom:443 it_user1 HIER_DIRECT/10.39.1.51 -
1490770831.351 0 10.39.5.162 TCP_DENIED/407 4169 CONNECT mailyahoocom:443 - HIER_NONE/- text/html
1490770831.417 62 10.39.5.162 TCP_TUNNEL/200 1732 CONNECT mailyahoocom:443 it_user1 HIER_DIRECT/10.39.1.51 -”

I also tried to create a new filter rule like this

without any category checked, and in this situation https://mail.yahoo.com works fine, but with google and twitter I have the same problem.

thanks

bye

Andrea

@filippo_carletti: I understand that the https proxy and scan work as described only if the proxy is configured as transparent. Is there a possibility to have the same behaviour when the proxy is configured in authenticated mode?

Hi Andrea,
can you post your squid.conf and ufdbGuard.conf please?
Your log says sites are blocked; there could be something wrong in the conf files.

The squid proxy has the same behavior in every mode.
When authenticated, you also know the user name (it can be shown in reports): a user can be blocked by username. When transparent or manual, you don’t know the user name. That’s it.

Hi,

squid.conf

# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src 10.39.x.x/21
acl localnet_dst src 10.39.x.x/21

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980		# httpd-admin (server-manager)
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 980		# httpd-admin (server-manager)
acl CONNECT method CONNECT

#
# 20acl_00_portscustom
#

# Authentication required


# GSSAPI auth in ADS mode
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on

# BASIC PAM auth (fallback) 
auth_param basic program  /usr/lib64/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm xxx
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive on
acl authenticated proxy_auth REQUIRED

# Allow access from localhost
http_access allow localhost

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# Skip URL rewriter for local addresses
#
acl self dst 10.39.x.xx
acl self_port port 80
acl self_port port 443
url_rewrite_access deny self localnet  self_port


# Authentication required on green and trusted networks
http_access allow localnet authenticated


# And finally deny all other access to this proxy
http_access deny all

cache_mem 256 MB

# Enable disk cache
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_dir aufs /var/spool/squid 200 16 256


# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims

# Always enable manual proxy
http_port 3128

# Enable squidGuard 
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=5 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
# Hide client ip #
forwarded_for delete
 
# Turn off via header #
via off
 
# Deny request for original source of a request
follow_x_forwarded_for deny all
 
# privacy experience 
request_header_access X-Forwarded-For deny all
request_header_access From deny all
request_header_access Referer deny all
request_header_access User-Agent deny all

#
# 90options
#
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0
#
# 90squidclamav
#

and ufdbGuard.conf


logdir "/var/ufdbguard/logs"
dbhome "/var/squidGuard/blacklists"
squid-version "3.5"
analyse-uncategorised-urls off
upload-crash-reports off
# slow replies when reloading db to decrease the number of passed urls
url-lookup-delay-during-database-reload on

logblock on

# Always strip domain from squid username
strip-domain-from-username on
redirect-https     "10.39.x.x:443"

category "clothing" {
      domainlist /var/squidGuard/blacklists/clothing/domains
}
category "files" {
      expressionlist /var/squidGuard/blacklists/custom/files/expressions
}
category "pets" {
      domainlist /var/squidGuard/blacklists/pets/domains
}
category "aggressive" {
      domainlist /var/squidGuard/blacklists/aggressive/domains
}
category "violence" {
      domainlist /var/squidGuard/blacklists/violence/domains
}
category "onlineauctions" {
      domainlist /var/squidGuard/blacklists/onlineauctions/domains
}
category "mixed_adult" {
      domainlist /var/squidGuard/blacklists/mixed_adult/domains
}
category "adult" {
      domainlist /var/squidGuard/blacklists/adult/domains
}
category "gambling" {
      domainlist /var/squidGuard/blacklists/gambling/domains
}
category "kidstimewasting" {
      domainlist /var/squidGuard/blacklists/kidstimewasting/domains
}
category "ringtones" {
      domainlist /var/squidGuard/blacklists/ringtones/domains
}
category "ger_ok" {
      domainlist /var/squidGuard/blacklists/custom/ger_ok/domains
}
category "dating" {
      domainlist /var/squidGuard/blacklists/dating/domains
}
category "reaffected" {
      domainlist /var/squidGuard/blacklists/reaffected/domains
}
category "personalfinance" {
      domainlist /var/squidGuard/blacklists/personalfinance/domains
}
category "gardening" {
      domainlist /var/squidGuard/blacklists/gardening/domains
}
category "socialnetworking" {
      domainlist /var/squidGuard/blacklists/socialnetworking/domains
}
category "hacking" {
      domainlist /var/squidGuard/blacklists/hacking/domains
}
category "games" {
      domainlist /var/squidGuard/blacklists/games/domains
}
category "updatesites" {
      domainlist /var/squidGuard/blacklists/updatesites/domains
}
category "ecommerce" {
      domainlist /var/squidGuard/blacklists/ecommerce/domains
}
category "shopping" {
      domainlist /var/squidGuard/blacklists/shopping/domains
}
category "whitelist" {
      domainlist /var/squidGuard/blacklists/whitelist/domains
}
category "onlinepayment" {
      domainlist /var/squidGuard/blacklists/onlinepayment/domains
}
category "mobile-phone" {
      domainlist /var/squidGuard/blacklists/mobile-phone/domains
}
category "weather" {
      domainlist /var/squidGuard/blacklists/weather/domains
}
category "weapons" {
      domainlist /var/squidGuard/blacklists/weapons/domains
}
category "sexuality" {
      domainlist /var/squidGuard/blacklists/sexuality/domains
}
category "sports" {
      domainlist /var/squidGuard/blacklists/sports/domains
}
category "sexual_education" {
      domainlist /var/squidGuard/blacklists/sexual_education/domains
}
category "webmail" {
      domainlist /var/squidGuard/blacklists/webmail/domains
}
category "childcare" {
      domainlist /var/squidGuard/blacklists/childcare/domains
}
category "radio" {
      domainlist /var/squidGuard/blacklists/radio/domains
}
category "dialers" {
      domainlist /var/squidGuard/blacklists/dialers/domains
}
category "financial" {
      domainlist /var/squidGuard/blacklists/financial/domains
}
category "vacation" {
      domainlist /var/squidGuard/blacklists/vacation/domains
}
category "searchengines" {
      domainlist /var/squidGuard/blacklists/searchengines/domains
}
category "audio-video" {
      domainlist /var/squidGuard/blacklists/audio-video/domains
}
category "ads" {
      domainlist /var/squidGuard/blacklists/ads/domains
      expressionlist /var/squidGuard/blacklists/ads/expressions
}
category "frencheducation" {
      domainlist /var/squidGuard/blacklists/frencheducation/domains
}
category "spyware" {
      domainlist /var/squidGuard/blacklists/spyware/domains
}
category "medical" {
      domainlist /var/squidGuard/blacklists/medical/domains
}
category "drugs" {
      domainlist /var/squidGuard/blacklists/drugs/domains
}
category "virusinfected" {
      domainlist /var/squidGuard/blacklists/virusinfected/domains
}
category "jewelry" {
      domainlist /var/squidGuard/blacklists/jewelry/domains
}
category "government" {
      domainlist /var/squidGuard/blacklists/government/domains
}
category "builtin" {
      domainlist /var/squidGuard/blacklists/custom/builtin/domains
      expressionlist /var/squidGuard/blacklists/custom/builtin/expressions
}
category "instantmessaging" {
      domainlist /var/squidGuard/blacklists/instantmessaging/domains
}
category "filehosting" {
      domainlist /var/squidGuard/blacklists/filehosting/domains
}
category "onlinegames" {
      domainlist /var/squidGuard/blacklists/onlinegames/domains
}
category "beerliquorsale" {
      domainlist /var/squidGuard/blacklists/beerliquorsale/domains
}
category "sportnews" {
      domainlist /var/squidGuard/blacklists/sportnews/domains
}
category "warez" {
      domainlist /var/squidGuard/blacklists/warez/domains
}
category "naturism" {
      domainlist /var/squidGuard/blacklists/naturism/domains
}
category "phishing" {
      domainlist /var/squidGuard/blacklists/phishing/domains
}
category "nh_blacklist" {
      domainlist /var/squidGuard/blacklists/custom/blacklist/domains
}
category "artnudes" {
      domainlist /var/squidGuard/blacklists/artnudes/domains
}
category "beerliquorinfo" {
      domainlist /var/squidGuard/blacklists/beerliquorinfo/domains
}
category "proxy" {
      domainlist /var/squidGuard/blacklists/proxy/domains
}
category "culinary" {
      domainlist /var/squidGuard/blacklists/culinary/domains
}
category "entertainment" {
      domainlist /var/squidGuard/blacklists/entertainment/domains
}
category "antispyware" {
      domainlist /var/squidGuard/blacklists/antispyware/domains
}
category "jobsearch" {
      domainlist /var/squidGuard/blacklists/jobsearch/domains
}
category "marketingware" {
      domainlist /var/squidGuard/blacklists/marketingware/domains
}
category "mail" {
      domainlist /var/squidGuard/blacklists/mail/domains
}
category "porn" {
      domainlist /var/squidGuard/blacklists/porn/domains
      expressionlist /var/squidGuard/blacklists/porn/expressions
}
category "religion" {
      domainlist /var/squidGuard/blacklists/religion/domains
}
category "ad-block" {
      domainlist /var/squidGuard/blacklists/custom/ad-block/domains
}
category "hygiene" {
      domainlist /var/squidGuard/blacklists/hygiene/domains
}
category "blog" {
      domainlist /var/squidGuard/blacklists/blog/domains
}
category "chat" {
      domainlist /var/squidGuard/blacklists/chat/domains
}
category "nh_whitelist" {
      domainlist /var/squidGuard/blacklists/custom/whitelist/domains
}
category "banking" {
      domainlist /var/squidGuard/blacklists/banking/domains
}
category "cellphones" {
      domainlist /var/squidGuard/blacklists/cellphones/domains
}
category "verisign" {
      domainlist /var/squidGuard/blacklists/verisign/domains
}
category "cleaning" {
      domainlist /var/squidGuard/blacklists/cleaning/domains
}
category "homerepair" {
      domainlist /var/squidGuard/blacklists/homerepair/domains
}
category "news" {
      domainlist /var/squidGuard/blacklists/news/domains
}

category "security" {
   cacerts        "/var/ufdbguard/blacklists/security/cacerts"
   option         enforce-https-with-hostname off
   option         enforce-https-official-certificate off
   option         allow-skype-over-https on
   option         allow-gtalk-over-https on
   option         allow-yahoomsg-over-https on
   option         allow-aim-over-https on
   option         allow-fb-chat-over-https on
   option         allow-citrixonline-over-https on
   option         allow-anydesk-over-https on
   option         allow-teamviewer-over-https on
   option         allow-unknown-protocol-over-https on
   option         https-prohibit-insecure-sslv2 off
   option         https-prohibit-insecure-sslv3 off
}

src src_pippo {
    user "it_user1"
}


acl {

    # Profile: pippo
    src_pippo  {
        pass !security nh_whitelist  !nh_blacklist  !in-addr  !files  !builtin  all
    }

    default {
        pass !security nh_whitelist  !nh_blacklist  !in-addr  !files  !builtin  "ger_ok"  none
        redirect     http://10.39.x.x/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }

}

thanks

bye

Andrea

You block all lists with a "!" in front of them; please have a look at these lists to check whether, for example, your Google address is in one of them and gets blocked.
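To check that systematically instead of grepping each list by hand, the following added example (my own code, not part of the thread and not ufdbGuard's or NethServer's) reads the category blocks and one profile's pass line from ufdbGuard.conf text and walks the pass tokens left to right the way squidGuard and ufdbGuard do, first match wins: a plain category that matches passes, a "!category" that matches blocks, "all" passes and "none" blocks. Domain lists match the entry itself and every subdomain, and "in-addr" matches hosts given as IP addresses. Categories that have no list file in the config (the "security" category in the thread is one) are skipped here because this code does not model ufdbGuard's TLS checks. The config text, the profile name src_pippo and the list files are constructed in a temporary directory for the demo.

```python
"""Evaluate a ufdbGuard profile's pass line for one hostname (added example)."""
import os
import re
import tempfile

CATEGORY_RE = re.compile(r'category\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')
DOMAINLIST_RE = re.compile(r"domainlist\s+(\S+)")
PASS_RE = re.compile(r"^\s*pass\s+(.*)$", re.M)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_categories(conf_text):
    """Map category name -> list of domainlist paths declared for it."""
    return {m.group("name"): DOMAINLIST_RE.findall(m.group("body"))
            for m in CATEGORY_RE.finditer(conf_text)}


def parse_profile_pass(conf_text, profile):
    """Return the pass tokens of `profile { ... }` inside the acl { } block."""
    acl = re.search(r"^\s*acl\s*\{", conf_text, re.M)
    if not acl:
        raise ValueError("no acl block found")
    prof = re.search(r"(?<![\w-])" + re.escape(profile) + r"\s*\{(?P<body>[^}]*)\}",
                     conf_text[acl.end():])
    if not prof:
        raise ValueError(f"profile {profile!r} not found in acl block")
    pm = PASS_RE.search(prof.group("body"))
    return [t.strip('"') for t in pm.group(1).split()] if pm else []


def domain_matches(host, entry):
    """squidGuard-style domainlist match: the entry itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    entry = entry.lower().strip().rstrip(".")
    return bool(entry) and (host == entry or host.endswith("." + entry))


def list_matches(paths, host):
    """Return the first list entry (or None) matching host across the given files."""
    for path in paths:
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            for line in fh:
                entry = line.strip()
                if entry and not entry.startswith("#") and domain_matches(host, entry):
                    return entry
    return None


def evaluate_pass(conf_text, profile, host):
    """Return (decision, category) for host under the profile's pass line, first match wins."""
    cats = parse_categories(conf_text)
    for token in parse_profile_pass(conf_text, profile):
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name == "all":
            return ("PASS", "all")
        if name == "none":
            return ("BLOCK", "none")
        hit = IPV4_RE.match(host) if name == "in-addr" else list_matches(cats.get(name, []), host)
        if hit:
            return ("BLOCK" if negated else "PASS", name)
    # No token matched; what ufdbGuard does then depends on its own defaults,
    # which this example does not model, so the caller decides.
    return ("NO_MATCH", None)


def build_demo_conf():
    """Write constructed domain lists to a temp dir and return conf text that references them."""
    d = tempfile.mkdtemp(prefix="ufdb-demo-")
    lists = {"nh_whitelist": ["mail.example.com"],   # constructed entries
             "nh_blacklist": ["example.com"],
             "files": ["filehost.test"]}
    blocks = []
    for name, entries in lists.items():
        path = os.path.join(d, name + ".domains")
        with open(path, "w") as fh:
            fh.write("\n".join(entries) + "\n")
        blocks.append(f'category "{name}" {{\n      domainlist {path}\n}}')
    # Same token order as the src_pippo profile quoted in the thread.
    blocks += ["acl {", "    src_pippo {",
               "        pass !security nh_whitelist  !nh_blacklist  !in-addr  !files  !builtin  all",
               "    }", "}"]
    return "\n".join(blocks)


def run_demo(host):
    """Evaluate host against the constructed src_pippo profile."""
    return evaluate_pass(build_demo_conf(), "src_pippo", host)


if __name__ == "__main__":
    for h in ("www.example.com", "mail.example.com", "dl.filehost.test", "10.1.2.3", "www.other.test"):
        print(h, run_demo(h))
```

Point it at the real ufdbGuard.conf and list directory to see which negated list a destination from the ufdbguardd.log BLOCK line falls into; because the evaluation is first match, an allow list placed before a block list (nh_whitelist before !nh_blacklist above) wins for hosts it contains.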

Hi, I don't think that it is the acl's problem.

This morning I created a new filter rule without any block; it worked fine for 10/15 minutes and after that I began to see a 407 error message in the access log file.

I know that this error is related to an authentication problem, so squid waits for authentication to continue, but I don't understand why the proxy works fine with http sites and doesn't work with https sites.

I have tried with Firefox and IE.

Could it be a firewall problem?

thanks

Andrea
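The ufdbguardd.log and access.log excerpts posted earlier and the 407 question just above are two views of the same CONNECT requests, and it helps to read them together. The following is an added example (my own code, not from the thread, NethServer, Squid or ufdbGuard): it parses both log formats as shown in the thread, treats a 407 on CONNECT as resolved when the same client reaches the same destination with a 2xx status and a user name within a few seconds (the normal Negotiate or Basic challenge), flags 407s that never get an authenticated follow-up, and annotates each destination with the ufdbGuard category that blocked it, if any. The sample lines, hosts, user names and addresses are constructed and only mimic the thread's format.

```python
"""Correlate Squid access.log CONNECT entries with ufdbGuard BLOCK entries (added example)."""
import re
from collections import defaultdict

# Squid native access.log: ts duration client code/status bytes method url user hier/peer ctype
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
# ufdbguardd.log with logblock on: date time [pid] BLOCK user client src-class category url method
UFDB_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] (?P<action>BLOCK|PASS) "
    r"(?P<user>\S+) (?P<client>\S+) (?P<src>\S+) (?P<category>\S+) (?P<url>\S+) (?P<method>\S+)$"
)


def parse_access(lines):
    """Return parsed access.log records as dicts; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            rec["status"] = int(rec["status"])
            out.append(rec)
    return out


def classify_407(records, window=5.0):
    """Split 407 CONNECT responses into challenges that were answered and ones that were not.

    A 407 counts as resolved when the same client reaches the same destination with a
    2xx status and a non-empty user name within `window` seconds afterwards, which is
    the normal proxy-auth handshake. Anything else deserves a closer look."""
    resolved, unresolved = [], []
    for i, rec in enumerate(records):
        if rec["status"] != 407 or rec["method"] != "CONNECT":
            continue
        ok = any(
            later["client"] == rec["client"]
            and later["url"] == rec["url"]
            and 200 <= later["status"] < 300
            and later["user"] != "-"
            and 0 <= later["ts"] - rec["ts"] <= window
            for later in records[i + 1:]
        )
        (resolved if ok else unresolved).append((rec["client"], rec["url"]))
    return {"resolved": resolved, "unresolved": unresolved}


def ufdb_blocks(lines):
    """Map each blocked destination (host:port) to the ufdbGuard category that blocked it."""
    blocked = {}
    for line in lines:
        m = UFDB_RE.match(line.strip())
        if m and m.group("action") == "BLOCK":
            blocked[m.group("url")] = m.group("category")
    return blocked


def diagnose(access_lines, ufdb_lines, window=5.0):
    """Per destination: how many 407s completed, how many did not, and the ufdbGuard block category."""
    auth = classify_407(parse_access(access_lines), window)
    blocked = ufdb_blocks(ufdb_lines)
    report = defaultdict(lambda: {"resolved": 0, "unresolved": 0, "ufdb_category": None})
    for kind in ("resolved", "unresolved"):
        for _client, url in auth[kind]:
            report[url][kind] += 1
    for url in report:
        report[url]["ufdb_category"] = blocked.get(url)
    return dict(report)


# Constructed sample lines in the same layout as the thread's excerpts.
SAMPLE_ACCESS = [
    "1490770749.617      0 10.0.0.5 TCP_DENIED/407 4169 CONNECT www.example.com:443 - HIER_NONE/- text/html",
    "1490770749.652     31 10.0.0.5 TCP_TUNNEL/200 1732 CONNECT www.example.com:443 alice HIER_DIRECT/198.51.100.10 -",
    "1490770800.100      0 10.0.0.5 TCP_DENIED/407 4169 CONNECT mail.example.net:443 - HIER_NONE/- text/html",
    "1490770800.150      0 10.0.0.5 TCP_DENIED/407 4169 CONNECT mail.example.net:443 - HIER_NONE/- text/html",
]
SAMPLE_UFDB = [
    "2017-03-29 08:58:50 [5152] BLOCK alice 10.0.0.5 src_pippo files safebrowsing.example.com:443 CONNECT",
    "2017-03-29 09:00:31 [5152] BLOCK alice 10.0.0.5 src_pippo security mail.example.net:443 CONNECT",
]

if __name__ == "__main__":
    for url, info in diagnose(SAMPLE_ACCESS, SAMPLE_UFDB).items():
        print(url, info)
```

Feed it the real files (for example `diagnose(open("/var/log/squid/access.log"), open("/var/ufdbguard/logs/ufdbguardd.log"))`) and a destination with unresolved 407s and no ufdbGuard category points at the authentication path, while one that carries a category points at the filter, which is the distinction the thread is trying to draw.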

Perhaps I've found a solution for your problem at this site; try to increase the number of children for authentication mode.
The person in that thread increases it from 16 to 64. Please do it with a custom template.

Hi, I tried increasing auth_param negotiate children to 64, but I have the same problem.

In cache.log I can't see errors about the authentication process.

Did you change values for

and

Have you restarted the service after that?

Yes, I did.

thanks

Andrea

I think that the problem is here

category "security" {
cacerts "/var/ufdbguard/blacklists/security/cacerts"
option enforce-https-with-hostname off
option enforce-https-official-certificate off
option allow-skype-over-https on
option allow-gtalk-over-https on
option allow-yahoomsg-over-https on
option allow-aim-over-https on
option allow-fb-chat-over-https on
option allow-citrixonline-over-https on
option allow-anydesk-over-https on
option allow-teamviewer-over-https on
option allow-unknown-protocol-over-https on
option https-prohibit-insecure-sslv2 off
option https-prohibit-insecure-sslv3 off
}

What exactly is this category?

From the acl section I manually removed !secure and now https seems to work fine.

thanks

Andrea

Hi Andrea,
I have this category with the same settings too and Google works like a charm. The difference between our configurations is the user authentication: I don't use it. (At this time my proxy runs in a production environment. I have to set up a proxy on my test equipment; I'll inform you when I have done it.)

Here I've found that you need the enforce options to redirect blocked https sites without a certificate error, but for me it doesn't work. The allow options are there to allow secure connections with e.g. the Skype service. The https-prohibit options are there to block the old SSLv2 and SSLv3.

Hi Andrea,
I installed it, but I have some problems configuring it in authentication mode. I get the following error:

ERROR: auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth: (2) No such file or directory

Must I build it myself?

No, that file comes from the original squid package.
Please verify that the installed squid package is ok:

# rpm -V squid
S.5....T.  c /etc/squid/squid.conf
S.5....T.  c /etc/sysconfig/squid

Hi, yesterday I manually installed ufdbGuard 1.33.1 and now I have no problem with certificates. I saw that yesterday NethServer released an update; maybe it can resolve my problem.

thanks

Andrea

My output is the same as yours.
I tried to reinstall squid; for a short moment I saw the following error message

This message was replaced by a Yum cache error after a short time…
Message.log gives me the following line

Apr 5 14:31:56 GroupwareBackup admin-todos: [ERROR] admin-todos: /etc/nethserver/todos.d/20admin-user exit code 9

@malmsteen
Nice to hear that it works for you.