Squid4+HTTPS (без подмены сертификатов) — Почему не работает фильтрация трафика https?

Question

Jordan-CG @Jordan-CG

Squid

Squid4+HTTPS (без подмены сертификатов) — Почему не работает фильтрация трафика https?

Доброго
Собран squid v.4 с поддержкой https (без подмены сертификатов). На клиентах в браузере групповыми политиками прописывается wpad.dat. Не удаётся разорвать подключения средствами "ssl_bump terminate blocked".

ll blocked_https.txt

-rw-r--r--. 1 root squid 19 May 14 18:43 /etc/squid/acl/blocked_https.txt

Squid -v

Squid Cache: Version 4.0.24
Service Name: squid

This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--verbose' '--exec_prefix=/usr' '--enable-async-io=8' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--disable-maintainer-mode' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=kerberos_ldap_group,wbinfo_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' '--without-nettle' '--enable-ltdl-convenience' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC'

squid.conf

auth_param negotiate program /usr/local/bin/negotiate_wrapper --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy-core.sth.local@STH.LOCAL --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=20 idle=5
auth_param ntlm keep_alive off

auth_param basic program /usr/lib64/squid/basic_ldap_auth -v 3 -P -R -b "dc=sth,dc=local" -D proxy-basic-auth@sth.local -W /etc/squid/basic_auth_pass -f sAMAccountName=%s -h dc-srv-1.sth.local dc-2.sth.local
auth_param basic children 20
auth_param basic realm "SQUID Proxy Server Basic authentication"
auth_param basic credentialsttl 2 hours

external_acl_type memberof ttl=3600 ipv4 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -v 3 -P -R -K -b "DC=sth,DC=local" -D "proxy-basic-auth@sth.local" -W /etc/squid/basic_auth_pass -f "(&(objectclass=person)(sAMAccountName=%v)(memberof:$

acl auth proxy_auth REQUIRED
acl InternetDeny external memberof "/etc/squid/acl/group_deny"
acl InternetFull external memberof "/etc/squid/acl/group_full"
acl InternetDenyByBlackList external memberof "/etc/squid/acl/group_deny_by_blacklist"
acl InternetAllowByWhiteList external memberof "/etc/squid/acl/group_allow_by_whitelist"

acl SitesAllow dstdomain "/etc/squid/acl/sites_allow"
acl SitesDeny dstdomain "/etc/squid/acl/sites_deny"
acl SitesPriority dstdomain "/etc/squid/acl/sites_priority"

acl WUServersLocal src "/etc/squid/acl/computers_wsus"
acl WUSitesGlobal dstdomain "/etc/squid/acl/sites_wsus"
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
dns_nameservers 10.255.200.3
dns_nameservers 192.168.1.12

acl blacklist url_regex -i "/etc/squid/acl/blacklist_all.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blacklist localnet
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet CONNECT
http_access allow localhost
http_access allow WUSitesGlobal WUServersLocal
http_access allow SitesPriority localnet
http_access deny !auth
http_access deny InternetDeny all
http_access allow SitesAllow localnet
http_access deny InternetAllowByWhiteList
http_access allow InternetFull auth localnet
http_access deny SitesDeny localnet
http_access allow InternetDenyByBlackList
http_access allow localnet #for allow tcp_denied 407
http_access deny all

tls_outgoing_options min-version=1.0
http_port 3128 #intercept #options=ALL:NO_SSLv3:NO_SSLv2 ssl-bump connection-auth=off tls-cert=/etc/squid/squidCA.pem
https_port 127.0.0.1:3129 intercept ssl-bump connection-auth=off generate-host-certificates=off tls-cert=/etc/squid/squidCA.pem
http_port 3130 #options=ALL:NO_SSLv3:NO_SSLv2 # disabled by rfc6178
sslproxy_cert_error allow all
tls_outgoing_options flags=DONT_VERIFY_DOMAIN
always_direct allow all
acl blocked ssl::server_name "/etc/squid/acl/blocked_https.txt"
acl nobumpSites ssl::server_name "/etc/squid/acl/nobump_sites.txt" #
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

cache_mem 4096 MB
maximum_object_size_in_memory 4096 MB
minimum_object_size 3 KB
cache_replacement_policy heap GDSF
cache_dir aufs /var/spool/squid 20000 49 256
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

cache_log /var/log/squid/cache.log
debug_options ALL #,3
coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_mgr null@conceptgroup.ru
httpd_suppress_version_string on
visible_hostname PROXY

error_directory /usr/share/squid/errors/ru
error_default_language ru

dns_v4_first on
acl to_ipv6 dst ipv6
tcp_outgoing_address 10.255.0.122 !to_ipv6

forwarded_for delete