[squid-users] Behind enemy lines (squid behind proxy)

doc.holliday at usa.com doc.holliday at usa.com
Thu Nov 6 01:43:12 UTC 2014


[plain text version; sorry for the inconvenience]

I've searched through the internets and tried various things... to no avail. Hopefully someone here can point me in the right direction.
 
I am sitting behind a proxy, which accepts http/https. Everything else is blocked. If I instruct my browser to use this proxy,
everything works dandy. Both http and https.
 
The problem is, I have a few apps that don't have an option to set proxy. So, my idea was to set up squid on the local machine
that would transparently redirect http/https to the proxy. Eg something like this:
 
[ local_box: app (http or https) ---> squid ]   ----->   [ the_proxy ]   ----->   ...   ----->   [ internets ]
 
I have no control of the proxy, nor do I know what goes on after it.
 
I have the following iptables rules:

*nat
:PREROUTING ACCEPT [1:89]
:INPUT ACCEPT [1:89]
:OUTPUT ACCEPT [549:34321]
:POSTROUTING ACCEPT [624:38821]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
 
And my squid.conf is mostly garden variety:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
 
cache deny all
 
cache_peer proxy parent 3128 0 no-query no-digest default
never_direct allow all
 
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/ssl/squid/cert.pem key=/etc/ssl/squid/key.pem
 
I've generated the certs and run ssl_crtd to init the ssl db dirs.
 
To verify squid is working, I've changed my browser proxy settings to 127.0.0.1:3128 for http and https.
Everything works like a charm.
 
This is where the "fun" begins:
 
==========
Without the proxy settings http also works just fine -- in both the browser and wget command. Https on the other hand is fubar.
In the browser I get "Unsupported Request Method and Protocol" error (after accepting the "invalid" certificate).
With wget I get:

local_box [~] wget https://google.com --no-check-certificate
--2014-11-05 20:21:12--  https://google.com/
Resolving google.com... 74.125.196.138, 74.125.196.139, 74.125.196.101, ...
Connecting to google.com|74.125.196.138|:443... connected.
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
  Self-signed certificate encountered.
    WARNING: certificate common name ‘’ doesn't match requested host name ‘google.com’.
HTTP request sent, awaiting response... 501 Not Implemented
2014-11-05 20:21:12 ERROR 501: Not Implemented.
 

access.log says:
1415236731.852     19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
 
==========
If I add 'ssl_bump server-first all' to squid.conf, then whenever I try to pull up an https page it barfs with:

2014/11/05 20:22:28| assertion failed: forward.cc:785: "peer->use_ssl"
Aborted
 
==========
If I change it to 'ssl_bump client-first all', I get "Unable to forward this request at this time" in the browser.
And wget says:

local_box [~] wget https://google.com --no-check-certificate
--2014-11-05 20:26:53--  https://google.com/
Resolving google.com... 74.125.196.101, 74.125.196.100, 74.125.196.139, ...
Connecting to google.com|74.125.196.101|:443... connected.
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
  Self-signed certificate encountered.
    WARNING: certificate common name ‘74.125.196.101’ doesn't match requested host name ‘google.com’.
HTTP request sent, awaiting response... 503 Service Unavailable
2014-11-05 20:26:53 ERROR 503: Service Unavailable.
 
access.log says:
1415237271.133      0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
 
==========
And so, after endless searching and trying various things, I came here. Could you please help me figure out why it is not working?
 
Thank you.
 
-D
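The access.log lines quoted above are the most useful diagnostic in the post: each one shows the bumped request leaving Squid as a GET for an https:// URL via FIRSTUP_PARENT and the parent answering 5xx. The following parser is an added example, not code from the post or from the Squid project. It assumes Squid's native access.log format (timestamp, elapsed ms, client, result-code/status, bytes, method, URL, ident, hierarchy/peer, content type), embeds the two log lines from the post plus two constructed lines, and flags every request that was handed to a parent peer and came back with a 5xx status, so a reader can tell parent-forwarding failures apart from local denials or direct fetches.

```python
"""Flag parent-forwarding failures in Squid native-format access.log lines."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (example data, not a real log file): the two lines
# quoted in the post, plus a made-up successful parent fetch and a made-up
# locally denied request so the filter has something it must NOT flag.
SAMPLE_LOG = """\
1415236731.852     19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
1415237271.133      0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
1415237300.001    120 10.0.0.13 TCP_MISS/200 5120 GET http://example.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
1415237320.000      0 10.0.0.13 TCP_DENIED/403 3500 GET http://example.net/ - HIER_NONE/- text/html
"""

# Squid native format, one request per line. Field separators are runs of
# spaces (Squid right-aligns the elapsed-time column).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.fromtimestamp(float(entry.pop("ts")), tz=timezone.utc)
    for key in ("elapsed", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry


def parse_log(text):
    """Parse every line that matches; silently skip lines that do not."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def parent_failures(entries):
    """Requests routed to a parent peer (FIRSTUP_PARENT, DEFAULT_PARENT, ...)
    whose final status was 5xx. These are the parent's (or the hop beyond
    it) failures, not Squid refusing the client locally."""
    return [
        e for e in entries
        if e["hier"].endswith("_PARENT") and 500 <= e["status"] < 600
    ]


def status_by_peer(entries):
    """Tally (hierarchy, peer, status) so a misbehaving upstream stands out."""
    return Counter((e["hier"], e["peer"], e["status"]) for e in entries)


def main():
    entries = parse_log(SAMPLE_LOG)
    for e in parent_failures(entries):
        scheme = e["url"].split(":", 1)[0]
        print(f"{e['time'].isoformat()} parent {e['peer']} returned {e['status']} "
              f"for {e['method']} {scheme}:// request {e['url']}")
    for (hier, peer, status), n in sorted(status_by_peer(entries).items()):
        print(f"{hier}/{peer} -> {status}: {n}")


if __name__ == "__main__":
    main()
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents. Any https:// URL appearing as a plain GET in the URL column means the request was bumped and is being forwarded as an HTTP request rather than tunnelled with CONNECT, which is exactly what the two quoted lines show.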