Squid/ClamAV/C-ICAP und SSL Probleme

[ole]

Hello OPNsense Freunde,

irgendwie habe ich meine Config bei obigen Plugins/Pckgs vermurckst - ein Neu-Install hat nix gebracht, da die Web Konfig behalten wird und ich so nicht wieder "von vorne" anfangen kann. Daher die Frage, wie resette ich diese?

Aber nun zum Problem. Ich behaupte, ich bin vorgegangen wie in [Setup Transparent Proxy](https://docs.opnsense.org/manual/how-tos/proxytransparent.html#setup-transparent-proxy) beschrieben

Rufe ich dann den EICAR via http auf (http://www.rexswain.com/eicar.html) bekomme ich die Warn-Meldung. Rufe ich per https auf (https://www.eicar.org/?page_id=3950) kommt keine Meldung - ich kann ungehindert runterladen. Eine kurze Zeit bekam ich diesen auch mal zu sehen, plötzlich nicht mehr. Im FF konnte ich oben sehen "zertifiziert von HomeLAN CA" (oder so - meine self-signed interne CA). Chrome ist da zickiger. Das self-signed CA CRT habe ich system-wide auf meine Fedora Installation gebracht, was im FF auch als "System Trust" in der Zertifikatsverwaltung angezeigt wird.

Auf der Sense laufen all Prozesse (es gab auch mal lt. Logs einen Crash, daher die oben erwähnte Neuinstallation):

Code: [Select]

admin@OPNsense:~ % sudo sockstat  -l | egrep '(clamav|icap|squid)'
c_icap   c-icap     35415 5  tcp6   *:1344                *:*
c_icap   c-icap     28209 5  tcp6   *:1344                *:*
c_icap   c-icap     57726 5  tcp6   *:1344                *:*
c_icap   c-icap     3990  5  tcp6   *:1344                *:*
clamav   clamd      78715 4  tcp4   127.0.0.1:3310        *:*
clamav   clamd      78715 5  stream /var/run/clamav/clamd.sock
squid    squid      68856 11 udp46  *:25886               *:*
squid    squid      68856 20 udp4   *:58766               *:*
squid    squid      68856 47 tcp4   127.0.0.1:3128        *:*
squid    squid      68856 48 tcp6   ::1:3128              *:*
squid    squid      68856 49 tcp4   127.0.0.1:3129        *:*
squid    squid      68856 50 tcp6   ::1:3129              *:*
squid    squid      68856 51 tcp4   192.168.20.1:3128     *:*
squid    squid      68856 52 tcp4   192.168.1.1:3128      *:*
squid    squid      88504 9  dgram  (not connected)
mit

Code: [Select]

admin@OPNsense:~ % cat /usr/local/etc/squid/squid.conf
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.20.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.1.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
sslproxy_cert_error deny all
acl ftp proto FTP
http_access allow ftp
acl localnet src 192.168.20.0/24 # Possible internal network (interfaces v4)
acl localnet src 192.168.1.0/24 # Possible internal network (interfaces v4)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl remoteblacklist_Shallalist.de dstdomain "/usr/local/etc/squid/acl/Shallalist.de"
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
icap_enable on
icap_default_options_ttl 60
adaptation_send_client_ip on
adaptation_send_username off
icap_client_username_encode off
icap_client_username_header X-Username
icap_preview_enable on
icap_preview_size 1024
icap_service response_mod respmod_precache icap://[::1]:1344/avscan
icap_service request_mod reqmod_precache icap://[::1]:1344/avscan
include /usr/local/etc/squid/pre-auth/*.conf
adaptation_access response_mod deny remoteblacklist_Shallalist.de
adaptation_access request_mod deny remoteblacklist_Shallalist.de
http_access deny remoteblacklist_Shallalist.de
adaptation_access response_mod deny !Safe_ports
adaptation_access request_mod deny !Safe_ports
http_access deny !Safe_ports
adaptation_access response_mod deny CONNECT !SSL_ports
adaptation_access request_mod deny CONNECT !SSL_ports
http_access deny CONNECT !SSL_ports
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
http_access allow localhost manager
http_access deny manager
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
http_access deny to_localhost
include /usr/local/etc/squid/auth/*.conf
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
http_access allow localnet
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
http_access allow localhost
adaptation_access response_mod deny all
adaptation_access request_mod deny all
http_access deny all
include /usr/local/etc/squid/post-auth/*.conf
cache_mem 256 MB
cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache
refresh_pattern pkg\.tar\.xz$   0       20%     4320 refresh-ims
refresh_pattern d?rpm$          0       20%     4320 refresh-ims
refresh_pattern deb$            0       20%     4320 refresh-ims
refresh_pattern udeb$           0       20%     4320 refresh-ims
refresh_pattern Packages\.bz2$  0       20%     4320 refresh-ims
refresh_pattern Sources\.bz2$   0       20%     4320 refresh-ims
refresh_pattern Release\.gpg$   0       20%     4320 refresh-ims
refresh_pattern Release$        0       20%     4320 refresh-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)     4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)       4320 80% 129600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_v4_first on
access_log stdio:/var/log/squid/access.log squid
cache_store_log stdio:/var/log/squid/store.log
httpd_suppress_version_string on
uri_whitespace strip
forwarded_for on
logfile_rotate 0
cache_mgr root@home.lan
error_directory /usr/local/etc/squid/errors/en-us
Was hier auffällt ist der fehlende SSL 3129 Port an 192.168.1.1 (LAN1 mein aktuelles non-VLAN) und 192.168.20.1 (LAN mit VLAN=20 soll LAN1 später ersetzen). Ich hoffe, ich habe alle relevanten Screenshots gemacht.

[bob@afrinet.eu]

Hello,

I have the same configuration… and the same problem.
Maybe we could try not to use the forwarding proxy (aka transparent proxy).

I will try this and let you know if it solved the problem.

[bob@afrinet.eu]

No, It didn't solve anything removing the "transparent proxy"