Установлен и настроен Squid в прозрачном режиме без подмены сертификатов. При работе через Squid не работает Google Play Market, в магазин приложений зайти можно но при запуске установки все останавливается на "ожидание скачивания". Также есть проблемы в работе сервиса YouTube со сматр ТВ, при запуске приложение выдает сообщение что нет подключения к интернету. Если нажать повторное подключение YouTube запускается. При этом PlayStore работает нормально. Пробовал разные версии Squid (3.5, 4.6, 4.9). Проблема остается.
Система Ubuntu Server 16.04.06
openssl-1.1.1d (пробовал 1.0.1)
В настоящее время установлен squid-4.9-20200102
Скомпилирован с опциями:
./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--includedir=/usr/include \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/lib/squid \
--srcdir=. \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--mandir=/usr/share/man \
--enable-inline \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=squid \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--enable-linux-netfilter \
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
'CPPFLAGS=-D_FORTIFY_SOURCE=2' \
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'Sduid.conf выглядит так:
acl localnet src 192.168.3.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# разрешающие и блокирующие правила
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny all
# dns сервер общий с клиентами
dns_nameservers 127.0.0.1
# параметры портов для Squid
http_port 3128 intercept
http_port 3130
https_port 3129 intercept ssl-bump connection-auth=off tls-cert=/usr/lib/squid/ssl_crtd/squidCA.pem
# параметры работы SSL соединения со Squid-ом. Направлять весь трафик сразу в интернет, без использования вышестоящих кешей.
# последние две разрешают соединение даже с ошибками проверки сертификата
always_direct allow all
sslproxy_cert_error allow all
# параметры доступа по протоколу HTTPS. Запрет terminate и разрешение splice
ssl_bump peek all
ssl_bump splice all
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
tls_outgoing_options options=ALL:NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TICKET
# другие параметры
coredump_dir /var/spool/squid
refresh_pattern ^ftp: &n... 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# Место хранения и размер дискового кэша
cache_dir ufs /var/spool/squid 40000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB
# Обьем оперативной памяти, выделенной под кэширование
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 1024 KB
memory_replacement_policy lru
#Ротация логов осуществляется с помощью системной службы
logfile_rotate 0В чем может быть проблема?
Хоть логи бы показал.
> Хоть логи бы показал.При попытке установить приложение на андроид ТВ из Google Play получаю такие логи:
0 - TCP_DENIED/403 3528 GET http://x.ss2.us/x.cer - HIER_NONE/- text/html;charset=utf-8
1578576821.006 193 192.168.3.104 TCP_MISS/403 728 GET http://cdn.meta.ndmdhs.com/64/bravia_pp_version_info/list - ORIGINAL_DST/13.35.254.73 application/xml
1578576821.579 129 192.168.3.104 TCP_MISS/200 319 GET http://browserjs-legacy.core.cloud.vewd.com/update/sdk4/? - ORIGINAL_DST/34.245.90.100 application/json
1578576822.207 1957 192.168.3.104 TCP_TUNNEL/200 10797 CONNECT 52.88.24.111:443 - ORIGINAL_DST/52.88.24.111 -
1578576822.735 0 - TCP_DENIED/403 3606 GET http://crt.comodoca.com/COMODORSAAddTrustCA.crt - HIER_NONE/- text/html;charset=utf-8
1578576822.736 69 192.168.3.104 NONE/200 0 CONNECT 172.217.22.3:443 - ORIGINAL_DST/172.217.22.3 -
1578576823.570 63 192.168.3.104 NONE/200 0 CONNECT 172.217.16.142:443 - ORIGINAL_DST/172.217.16.142 -
1578576826.758 68 192.168.3.104 NONE/200 0 CONNECT 172.217.22.42:443 - ORIGINAL_DST/172.217.22.42 -
1578576827.276 494 192.168.3.104 TCP_TUNNEL/200 2500 CONNECT 104.18.4.210:443 - ORIGINAL_DST/104.18.4.210 -
1578576850.332 152 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576866.837 595 192.168.3.104 TCP_TUNNEL/200 1751 CONNECT 64.106.208.20:443 - ORIGINAL_DST/64.106.208.20 -
1578576869.383 620 192.168.3.104 TCP_TUNNEL/200 1916 CONNECT 64.106.208.20:443 - ORIGINAL_DST/64.106.208.20 -
1578576870.029 592 192.168.3.104 TCP_TUNNEL/200 1751 CONNECT 64.106.208.20:443 - ORIGINAL_DST/64.106.208.20 -
1578576870.690 630 192.168.3.104 TCP_TUNNEL/200 6108 CONNECT 64.106.208.20:443 - ORIGINAL_DST/64.106.208.20 -
1578576871.856 602 192.168.3.104 TCP_TUNNEL/200 1916 CONNECT 64.106.208.20:443 - ORIGINAL_DST/64.106.208.20 -
1578576874.086 64 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576874.088 80 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576874.099 73 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576874.192 64 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576874.198 58 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576874.228 68 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.454 64 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.467 63 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.483 66 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.551 60 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.559 62 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576883.575 65 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578576892.313 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576893.433 68 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576893.570 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576896.401 62 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576896.495 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576898.362 66 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576898.458 61 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576901.404 65 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576901.502 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576901.639 81327 192.168.3.104 TCP_TUNNEL/200 6597 CONNECT 31.13.92.10:443 - ORIGINAL_DST/31.13.92.10 -
1578576904.085 66413 192.168.3.104 TCP_TUNNEL/200 6118 CONNECT 35.166.27.22:443 - ORIGINAL_DST/35.166.27.22 -
1578576911.524 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576911.615 65 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576914.784 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576914.828 62 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576914.915 60 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576917.744 65 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576917.829 62 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576919.389 61 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576919.483 62 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576920.237 61 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576920.334 60 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576921.431 70 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576923.430 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576924.535 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576926.517 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576928.330 65 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576928.410 59 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576930.957 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576931.040 59 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576931.188 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576931.300 63 192.168.3.104 NONE/200 0 CONNECT 172.217.23.176:443 - ORIGINAL_DST/172.217.23.176 -
1578576950.586 63 192.168.3.104 NONE/200 0 CONNECT 216.58.205.234:443 - ORIGINAL_DST/216.58.205.234 -
1578576950.690 63 192.168.3.104 NONE/200 0 CONNECT 216.58.205.234:443 - ORIGINAL_DST/216.58.205.234 -
1578576966.839 72 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576966.934 60 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576967.039 66 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576967.549 0 - TCP_DENIED/403 3567 GET http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
1578576967.550 103 192.168.3.104 NONE/200 0 CONNECT 178.154.131.216:443 - ORIGINAL_DST/178.154.131.216 -
1578576970.167 65 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578576977.853 0 - TCP_DENIED/403 3567 GET http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
1578576991.242 13483 192.168.3.104 TCP_TUNNEL/200 6483 CONNECT 77.88.21.207:443 - ORIGINAL_DST/77.88.21.207 -
1578576997.772 0 - TCP_DENIED/403 3606 GET http://crt.comodoca.com/COMODORSAAddTrustCA.crt - HIER_NONE/- text/html;charset=utf-8
1578576997.773 85 192.168.3.104 NONE/200 0 CONNECT 172.217.22.35:443 - ORIGINAL_DST/172.217.22.35 -
1578576997.803 0 - TCP_DENIED/403 3567 GET http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
1578576997.804 91 192.168.3.104 NONE/200 0 CONNECT 178.154.131.216:443 - ORIGINAL_DST/178.154.131.216 -
1578576997.960 0 - TCP_DENIED/403 3567 GET http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8
1578576997.961 98 192.168.3.104 NONE/200 0 CONNECT 178.154.131.216:443 - ORIGINAL_DST/178.154.131.216 -
1578577017.647 135297 192.168.3.104 TCP_TUNNEL/200 7895 CONNECT 100.21.50.135:443 - ORIGINAL_DST/100.21.50.135 -
1578577025.648 68 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577025.650 69 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577025.651 76 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577025.745 62 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577025.761 61 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577025.784 71 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.118 68 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.125 65 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.127 60 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.208 60 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.221 62 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577026.232 60 192.168.3.104 NONE/200 0 CONNECT 172.217.22.118:443 - ORIGINAL_DST/172.217.22.118 -
1578577029.989 1684 192.168.3.104 TCP_TUNNEL/200 5450 CONNECT 17.248.147.12:443 - ORIGINAL_DST/17.248.147.12 -
1578577031.737 3387 192.168.3.104 TCP_TUNNEL/200 5466 CONNECT 17.248.147.176:443 - ORIGINAL_DST/17.248.147.176 -
1578577035.834 68 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578577036.009 58 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578577036.954 160278 192.168.3.104 TCP_TUNNEL_ABORTED/200 3632 CONNECT 172.217.16.202:443 - ORIGINAL_DST/172.217.16.202 -
1578577039.122 64 192.168.3.104 NONE/200 0 CONNECT 172.217.23.99:443 - ORIGINAL_DST/172.217.23.99 -
1578577040.828 12692 192.168.3.104 TCP_TUNNEL_ABORTED/200 7976 CONNECT 88.221.214.65:443 - ORIGINAL_DST/88.221.214.65 -
1578577047.496 2750 192.168.3.104 TCP_TUNNEL_ABORTED/200 7950 CONNECT 104.89.34.209:443 - ORIGINAL_DST/104.89.34.209 -
1578577047.496 4152 192.168.3.104 TCP_TUNNEL_ABORTED/200 33472 CONNECT 104.89.34.209:443 - ORIGINAL_DST/104.89.34.209 -
>0 - TCP_DENIED/403 3606 GET http://crt.comodoca.com/COMODORSAAddTrustCA.crt -
>0 - TCP_DENIED/403 3567 GET http://repository.certum.pl/ca.cer - HIER_NONE/- text/html;charset=utf-8Сквид бреет доступ к сайтам издателей сертификатов. Судя по всему конфиг приведен не полностью, потому сам ищи аксели запретов в нем. Для начала лучше разрешить всё, а потом уже начинать запрещать.