[squid-users] Transparent proxy with Peek and Splice feature.
Vadim Rogoziansky
vrogoziansky.squid at gmail.com
Tue Nov 25 18:22:07 UTC 2014
Hello All.
My goal is to do ssl bumping in transparent proxy mode, with the possibility
of excluding certain domains.
Let me tell you about squid's strange behaviour when I'm trying to do it.
In browsers it says something like this:
This server could not prove that it is www.ukr.net; its security
certificate is from 212.42.76.253. This may be caused by a
misconfiguration or an attacker intercepting your connection.
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: 212.42.76.253
Looks like squid uses the IP address of the destination domain as the
certificate's CN.
But everything works smoothly when I use the proxy in non-transparent mode
and configure it in the browser directly. I can successfully bypass bad sites
and do ssl bumping on the others. There are no certificate errors, except for
some of them, you know)
My OS is CentOS 6.5 2.6.32-358.6.2.el6.x86_64
My squid's version:
/opt/squid/sbin/squid -v
Squid Cache: Version 3.5.0.2
Service Name: squid
configure options: '--with-openssl' '--enable-linux-netfilter'
'--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd'
'--prefix=/opt/squid' '--enable-external-acl-helpers=none'
'--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for'
'--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2'
'--enable-snmp'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience
My iptables rules, which redirect traffic to squid's internal ports:
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.0.121 tcp dpt:443 /* accept connection */
2 REDIRECT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:443 /* redirect */ redir ports 3132
3 ACCEPT tcp -- 0.0.0.0/0 192.168.0.121 tcp dpt:80 /* accept connection */
4 REDIRECT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:80 /* redirect */ redir ports 3131
Here is my squid configuration file:
___________________________
visible_hostname local.local
always_direct allow all
dns_nameservers 8.8.8.8
acl step2 at_step SslBump2
ssl_bump stare step2 all
acl sslBumpDeniedDstDomain dstdomain ukr.net www.ukr.net
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
http_port 3131 transparent
https_port 3132 transparent ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
http_access allow all
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /opt/squid/var/ssl_db -M 4MB
sslcrtd_children 15
logformat logaccess [%{%d/%b/%Y %H:%M:%S}tl] %>a %Ss/%03>Hs %<st %rm
%ru %un %Sh/%<A %mt
access_log daemon:/opt/squid/var/logs/access.log logaccess
______________________________________________________
Also, I've run squid like this: /opt/squid/sbin/squid -N -X -d 2 and
got interesting lines like:
2014/11/26 04:28:08.622| client_side.cc(3849)
httpsSslBumpAccessCheckDone: sslBump needed
for local=212.42.76.246:443 remote=192.168.0.122:63719 FD 40
flags=33 method 5
Here, the local and remote IP addresses are switched (I checked such
lines when I went through squid directly).
Please tell me what can be wrong in the configuration or in squid. I can
provide you with any logs you may need.
BTW, cache.log is clean.
________________
Best regards
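For readers of the archive: the rule ordering below is the peek-then-splice pattern that Squid 3.5's SslPeekAndSplice documentation describes for intercepted traffic. It is an added illustration, not the poster's configuration and not a reply from the list; the port number, certificate path and domain names are reused from the message above purely as placeholders. The point it shows: on an intercepted connection Squid knows only the TCP destination IP at SslBump1, so a domain-based decision has to wait until the client's SNI is visible at SslBump2. If a bump rule matches already at step 1, Squid must generate a certificate before it has seen any server name, and the only name it has is the IP, which is what a browser then reports as the certificate subject.

```conf
# Added illustration (not the poster's config): peek first, decide on SNI second.
acl step1 at_step SslBump1

# Placeholder list of domains to leave untouched (end-to-end TLS, no bumping).
# ssl::server_name matches the SNI from the ClientHello (or the server cert),
# unlike dstdomain, which on an intercepted connection only sees the IP.
acl sslBumpDeniedDstDomain ssl::server_name ukr.net .ukr.net

# Step 1: look at the ClientHello without committing to a certificate.
ssl_bump peek step1

# Step 2: the SNI is now available, so splice the excluded domains ...
ssl_bump splice sslBumpDeniedDstDomain
# ... and bump everything else. Bumping after a step-1 peek lets Squid fetch
# the real server certificate first, so the generated one mimics its subject.
ssl_bump bump all

# Same intercept port and certificate path as in the message, as placeholders.
https_port 3132 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem
```

Two things to keep in mind when adapting it: ssl_bump rules are evaluated first-match at every step, so an unconditional bump rule placed before the step-1 peek would again bump at step 1; and a peek at step 2 (looking at the server certificate) generally precludes bumping afterwards, so the decision for a bumped connection should be made at step 2, not deferred to step 3.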