[squid-users] Bridge/Tproxy: https dns

Pedro Correia Sardinha correiasardinha at gmail.com
Mon Aug 17 12:25:27 UTC 2015


Hello,

I'm trying to set up a Squid server as simple as possible, just to review the
web use in the office, using the latest stable version 3.5.7.

I set up the bridge with 2 NICs, br0 with IP 192.168.0.5, and I have disabled
IPv6 on boot in my Slackware Current (Fri Aug 14 2015) server.

The boot script for TPROXY, routing, iptables and ebtables:
echo 50 > /proc/sys/vm/swappiness
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 \
        --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 \
        --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
CLIENT_IFACE=eth1
INET_IFACE=eth0
ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
        -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 443 \
        -j redirect --redirect-target DROP

I compiled squid from source:
./configure \
  --prefix=/usr \
  --libdir=/usr/lib64 \
  --libexecdir=/usr/lib64/squid \
  --sysconfdir=/etc/squid \
  --localstatedir=/var/log/squid \
  --sharedstatedir=/var/lib \
  --datadir=/usr/share/squid \
  --with-pidfile=/var/run/squid \
  --mandir=/usr/man \
  --with-logdir=/var/log/squid \
  --enable-silent-rules \
  --enable-dependency-tracking \
  --with-openssl=/usr/include/openssl/ \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-icmp \
  --enable-delay-pools \
  --enable-useragent-log \
  --enable-esi \
  --enable-follow-x-forwarded-for \
  --enable-linux-netfilter \
  --enable-forward-log \
  --enable-poll \
  --enable-referer-log \
  --with-default-user=squid \
  --enable-auto-locale \
  --disable-ipv6 \
  --build=X86_64-slackware-linux

Generating the certificate:
# openssl genrsa -out squid.key 2048
# openssl req -new -key squid.key -out squid.csr
# openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
# cat squid.key squid.crt > squid.pem

My squid.conf:
acl localnet src 192.168.0.0/16
acl localhost src 192.168.0.5/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl ssl-bump_port myportname 3130
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny all
http_reply_access allow all
icp_access allow all
tcp_outgoing_address 85.138.204.43
dns_v4_first on
pinger_enable off
http_port 3128
http_port 3129 tproxy
https_port 3130 ssl-bump tproxy generate-host-certificates=off cert=/etc/squid/ssl/squid.pem cafile=/etc/squid/ssl/squid.pem
always_direct allow ssl-bump_port
ssl_bump none all
dns_nameservers 8.8.8.8 8.8.4.4
access_log daemon:/var/log/squid/access.log squid
cache deny all
pid_filename /var/run/squid/squid.pid
coredump_dir /var/log/squid/cache/squid
visible_hostname myservername.domain.local

In general the configuration (squid.conf) is working, but it has some
incomplete behaviors, as shown in the log files.

access.log (I know this is Facebook, but there is no DNS resolution in
https, just the IP):
1439811492.625   2377 192.168.0.102 TCP_TUNNEL/200 3574 CONNECT
31.13.90.2:443 - ORIGINAL_DST/31.13.90.2 -

cache.log:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=504747
Content-Type: application/ocsp-response
Date: Mon, 17 Aug 2015 11:38:03 GMT
ETag: "55d15943-1d7"
Expires: Sun, 23 Aug 2015 23:38:03 GMT
Last-Modified: Mon, 17 Aug 2015 03:47:15 GMT
Server: ECS (mad/439C)
X-Cache: HIT
Content-Length: 471
X-Cache: MISS from squidhead2.skywalker.local
Via: 1.1 squidhead2.skywalker.local (squid/3.5.7)
Connection: keep-alive
----------
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(222) doAccept: New connection
on FD 12
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(297) acceptNext: connection on
local=0.0.0.0:3130 remote=[::] FD 12 flags=25
2015/08/17 12:38:10.248 kid1| client_side.cc(3890)
httpsSslBumpAccessCheckDone: sslBump not needed for local=31.13.90.2:443
remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2337) parseHttpRequest: HTTP
Client local=31.13.90.2:443 remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2338) parseHttpRequest: HTTP
Client REQUEST:
---------
CONNECT 31.13.90.2:443 HTTP/1.1
Host: 31.13.90.2:443
---------
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last
ACL checked: localnet
2015/08/17 12:38:10.248 kid1| client_side_request.cc(717)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last
ACL checked: localnet
2015/08/17 12:38:10.248 kid1| peer_select.cc(280) peerSelectDnsPaths: Found
sources for '31.13.90.2:443'
2015/08/17 12:38:10.248 kid1| peer_select.cc(281) peerSelectDnsPaths:
always_direct = ALLOWED
2015/08/17 12:38:10.248 kid1| peer_select.cc(282) peerSelectDnsPaths:
 never_direct = DENIED
2015/08/17 12:38:10.248 kid1| peer_select.cc(288) peerSelectDnsPaths:
 ORIGINAL_DST = local=192.168.0.102 remote=31.13.90.2:443 flags=25
2015/08/17 12:38:10.248 kid1| peer_select.cc(295) peerSelectDnsPaths:
 timedout = 0
2015/08/17 12:38:12.621 kid1| client_side.cc(815) swanSong: local=
31.13.90.2:443 remote=192.168.0.102 flags=17
2015/08/17 12:38:12.625 kid1| client_side.cc(815) swanSong: local=
31.13.90.2:443 remote=192.168.0.102 flags=17


The logs for http (port 80) have the name resolution of the navigation.

I disabled pinger because it gives some errors:
2015/08/17 12:49:55.918 kid1| Pinger socket opened on FD 20
2015/08/17 12:49:55.920 kid1| IcmpSquid.cc(90) SendEcho: to 127.0.0.1,
opcode 1, len 9
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: netdb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: asndb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: carp
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: userhash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: sourcehash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: server_list
2015/08/17 12:49:55| pinger: Initialising ICMP pinger ...
2015/08/17 12:49:55|  icmp_sock: (1) Operation not permitted
2015/08/17 12:49:55| pinger: Unable to start ICMP pinger.
2015/08/17 12:49:55| FATAL: pinger: Unable to open any ICMP sockets.

This is my cache.log after reloading squid:
2015/08/17 12:51:26| Set Current Directory to /var/log/squid/cache/squid
2015/08/17 12:51:27 kid1| Reconfiguring Squid Cache (version 3.5.7)...
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3128
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3129
2015/08/17 12:51:27 kid1| Closing HTTPS port 0.0.0.0:3130
2015/08/17 12:51:27 kid1| Closing Pinger socket on FD 20
2015/08/17 12:51:27.320 kid1| Gadgets.cc(99) authenticateReset: Reset
authentication State.
2015/08/17 12:51:27.320 kid1| Logfile: closing log
daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Logfile Daemon: closing log
daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Startup: Initializing Authentication Schemes
...
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme
'basic'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme
'digest'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme
'negotiate'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme
'ntlm'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication.
2015/08/17 12:51:27.320 kid1| RegexData.cc(303) aclParseRegexList:
aclParseRegexList: new Regex line or file
2015/08/17 12:51:27.320 kid1| RegexData.cc(194) compileOptimisedREs:
compileOptimisedREs: -i
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs:
compileOptimisedREs: adding RE '^cache_object://'
2015/08/17 12:51:27.320 kid1| RegexData.cc(208) compileOptimisedREs:
compileOptimisedREs: +i
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE:
compiled '(^cache_object://)' with flags 11
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs:
compileOptimisedREs: adding RE '^https?://[^/]+/squid-internal-mgr/'
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE:
compiled '(^https?://[^/]+/squid-internal-mgr/)' with flags 9
2015/08/17 12:51:27.320 kid1| RegexData.cc(261) compileOptimisedREs:
compileOptimisedREs: 2 REs are optimised into one RE.
2015/08/17 12:51:27.320 kid1| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3129
(TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3130
(TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Initializing https proxy context
2015/08/17 12:51:27.320 kid1| Initializing https_port 0.0.0.0:3130 SSL
context
2015/08/17 12:51:27.320 kid1| Using certificate in /etc/squid/ssl/squid.pem
2015/08/17 12:51:27.330 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: config
2015/08/17 12:51:27.330 kid1| main.cc(803) mainReconfigureFinish: running
RegisteredRunner::syncConfig
2015/08/17 12:51:27.331 kid1| errorpage.cc(312) tryLoadTemplate: wildcard
fallback errors not coded yet.
2015/08/17 12:51:27.331 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Squid plugin modules loaded: 0
2015/08/17 12:51:27.331 kid1| Adaptation support is off.
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0
message adaptation services
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0
message adaptation service groups
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0
message adaptation access rules
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: store_log_tags
2015/08/17 12:51:27.332 kid1| Store logging disabled
2015/08/17 12:51:27.332 kid1| dns_internal.cc(1534) dnsInit: idnsInit:
attempt open DNS socket to: 0.0.0.0
2015/08/17 12:51:27.332 kid1| DNS Socket created at 0.0.0.0, FD 11
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.8.8 from squid.conf
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.4.4 from squid.conf
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: idns
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A
%un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A
%un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: external_acl
2015/08/17 12:51:27.332 kid1| wccp.cc(112) wccpConnectionOpen: WCCPv1
disabled.
2015/08/17 12:51:27.332 kid1| wccp2.cc(960) wccp2ConnectionOpen: WCCPv2
Disabled. No IPv4 Router(s) configured.
2015/08/17 12:51:27.332 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall
clientListenerConnectionOpened constructed, this=0x2a0ea40 [call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall:
StartListening.cc(59) will call clientListenerConnectionOpened(local=
0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0)
[call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall
clientListenerConnectionOpened constructed, this=0x2a0eb50 [call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall:
StartListening.cc(59) will call clientListenerConnectionOpened(local=
0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0)
[call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall
clientListenerConnectionOpened constructed, this=0x2a0ec60 [call62035]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall:
StartListening.cc(59) will call clientListenerConnectionOpened(local=
0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket
port=0x2a0ecc0) [call62035]
2015/08/17 12:51:27.333 kid1| HTCP Disabled.
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: netdb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: asndb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: carp
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: userhash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: sourcehash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped
duplicate profile: server_list
2015/08/17 12:51:27.333 kid1| Finished loading MIME types and icons.
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12
flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call
clientListenerConnectionOpened [call62031]
2015/08/17 12:51:27.343 kid1| Accepting HTTP Socket connections at local=
0.0.0.0:3128 remote=[::] FD 12 flags=9
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12
flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering
clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16
flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call
clientListenerConnectionOpened [call62033]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted HTTP Socket
connections at local=0.0.0.0:3129 remote=[::] FD 16 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving
clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16
flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering
clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20
flags=25, err=0, HTTPS Socket port=0x2a0ecc0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call
clientListenerConnectionOpened [call62035]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted SSL bumped HTTPS
Socket connections at local=0.0.0.0:3130 remote=[::] FD 20 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving
clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20
flags=25, err=0, HTTPS Socket port=0x2a0ecc0)

Do I have to set up a local DNS server? Can't the internal DNS of Squid handle
https in TPROXY?
What's missing to have name resolution in https traffic, as it is shown in
http traffic?

Thanks for your time helping me.
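To check which intercepted HTTPS entries in an access.log like the one above were logged by IP literal only (as the Facebook line is) rather than by hostname, here is an added Python example that is not part of the original post: it parses Squid's native "squid" log format over constructed sample lines and separates CONNECT tunnels that carry a hostname from those that carry only the original destination IP.

```python
import ipaddress
import re

# Constructed sample lines in Squid's native "squid" access_log format, the
# format used in the post: time elapsed client code/status bytes method URL
# user hierarchy/peer mime-type
SAMPLE_LOG = """\
1439811492.625   2377 192.168.0.102 TCP_TUNNEL/200 3574 CONNECT 31.13.90.2:443 - ORIGINAL_DST/31.13.90.2 -
1439811495.101    120 192.168.0.102 TCP_MISS/200 8120 GET http://www.example.com/ - ORIGINAL_DST/93.184.216.34 text/html
1439811499.330   1802 192.168.0.117 TCP_TUNNEL/200 9911 CONNECT www.example.org:443 - ORIGINAL_DST/93.184.216.34 -
"""

FIELDS = ("time", "elapsed", "client", "code", "status", "bytes",
          "method", "url", "user", "hier", "peer", "mime")
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)/(\S+)\s+(\S+)$")

def parse_line(line):
    """Split one native-format line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def connect_host(url):
    """Host part of a CONNECT target such as '31.13.90.2:443' or '[::1]:443'."""
    return url.rsplit(":", 1)[0] if ":" in url else url

def is_ip_literal(host):
    """True for an IPv4/IPv6 literal (brackets stripped), False for a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def audit(log_text):
    """Return (named, unnamed) CONNECT tunnels as (client, host) pairs; 'unnamed'
    means Squid only knew the original destination IP, so no hostname was logged."""
    named, unnamed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        host = connect_host(rec["url"])
        (unnamed if is_ip_literal(host) else named).append((rec["client"], host))
    return named, unnamed

if __name__ == "__main__":
    for label, rows in zip(("with hostname", "IP-only"), audit(SAMPLE_LOG)):
        print(label, rows)
```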