[squid-users] Novice question on TPROXY and SSL-BUMP behavior

Nick Belnap nickb at itsou.com
Wed May 20 14:42:26 UTC 2015


I've been tasked with preventing a client's users from accessing consumer Gmail accounts while only accessing their corporate Google Apps accounts.  Google gives an overview here:  https://support.google.com/a/answer/1668854?hl=en.

So, I've setup Squid 3.54 on CentOS 7 with ssl-bump and dynamic certificates and "request_header_add".  When manually configuring proxy settings on my browser I get the desired result.  I also see TCP_MISS in the Squid access.log file -- here's a sample:

1432131282.366     85 192.168.6.134 TCP_MISS/200 521 GET https://mail.google.com/mail/images/cleardot.gif? - HIER_DIRECT/216.58.217.37 image/gif
1432131282.373     40 192.168.6.134 TCP_MISS/200 496 POST https://clients1.google.com/tbproxy/af/query? - HIER_DIRECT/216.58.217.46 text/xml
1432131286.863    109 192.168.6.134 TCP_MISS/200 1191 POST https://accounts.google.com/accountLoginInfoXhr - HIER_DIRECT/216.58.217.45 application/javascript
1432131286.930     41 192.168.6.134 TCP_MISS/200 501 POST https://clients1.google.com/tbproxy/af/query? - HIER_DIRECT/216.58.217.46 text/xml
1432131287.673  10190 192.168.6.134 TCP_TUNNEL/200 3888 CONNECT gmail.com:443 - HIER_DIRECT/216.58.217.37 -
1432131289.543     74 192.168.6.134 TCP_MISS/302 2930 POST https://accounts.google.com/ServiceLoginAuth - HIER_DIRECT/216.58.217.45 text/html
1432131289.690    140 192.168.6.134 TCP_MISS/302 2900 GET https://accounts.google.com/CheckCookie? - HIER_DIRECT/216.58.217.45 text/html
1432131289.828     82 192.168.6.134 TCP_MISS/302 891 GET https://mail.google.com/mail/? - HIER_DIRECT/216.58.217.37 text/html
1432131289.911     79 192.168.6.134 TCP_MISS/200 1884 GET https://accounts.google.com/b/0/DomainRestrictedNetwork? - HIER_DIRECT/216.58.217.45 text/html
1432131289.969     33 192.168.6.134 TCP_MISS/200 4353 GET https://www.google.com/intl/en/images/logos/accounts_logo.gif - HIER_DIRECT/216.58.217.36 image/gif

I'm trying to set up this single machine as a transparent bridge with Squid so that I can go throw it in between the LAN and the router/firewall and just have it intercept web traffic without having to reconfigure clients (Windows desktops wouldn't be a big deal but mobile devices would be a problem).  So, with that in mind I've got 2 NICs on the box and have configured it as a bridge.  I'm using ebtables to redirect traffic for port 80 and 443 up to iptables which then in turn redirects to Squid using TPROXY.  All this seems to work.  Here's my ebtables entries:

# inbound traffic
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 443 -j redirect --redirect-target DROP

# returning outbound traffic
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 443 -j redirect --redirect-target DROP

Here's my iptables entries:

## interface facing clients
CLIENT_IFACE=ens4
## interface facing Internet
INET_IFACE=enp1s0

#Setup DIVERT chain to mark packets:
iptables -t mangle -N DIVERT
#Use DIVERT to prevent existing connections going through TPROXY twice:
iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#DIVERT chain: mark packets and accept
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
#Mark all other (new) packets and use TPROXY to pass into Squid:
iptables  -t mangle -A PREROUTING -i $CLIENT_IFACE -p tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 3126 --tproxy-mark 0x1/0x1
iptables  -t mangle -A PREROUTING -i $INET_IFACE -p tcp --sport 80 -j MARK --set-mark 0x1/0x1
iptables  -t mangle -A PREROUTING -i $CLIENT_IFACE -p tcp --dport 443 -j TPROXY --on-ip 0.0.0.0 --on-port 3127 --tproxy-mark 0x1/0x1
iptables  -t mangle -A PREROUTING -i $INET_IFACE -p tcp --sport 443 -j MARK --set-mark 0x1/0x1

( I have Squid listening on 3126 for HTTP and TPROXY, 3127 for HTTPS, TPROXY and SSLBUMP, and 3128 for manual connections and SSLBUMP (see Squid config below).

I also have these entries among other things for TPROXY to work:

ip rule add fwmark 1/1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

So, with all this in place, when I access the web without manually configuring my browsers proxy settings I am able to browse using this transparent redirect mode.  However, the sslbump does not seem to be working right in this mode and thus my Google "request_header_add" does not seem to be working.   Here's a sample of what I see in Squid's access.log when going to Gmail through the transparent redirection:

1432132109.580  16670 192.168.6.133 TCP_TUNNEL/200 4791 CONNECT 98.139.225.168:443 - ORIGINAL_DST/98.139.225.168 -
1432132109.581  19654 192.168.6.133 TCP_TUNNEL/200 6480 CONNECT 98.137.201.111:443 - ORIGINAL_DST/98.137.201.111 -
1432132109.582  19655 192.168.6.133 TCP_TUNNEL/200 6480 CONNECT 98.137.201.111:443 - ORIGINAL_DST/98.137.201.111 -
1432132109.582  16655 192.168.6.133 TCP_TUNNEL/200 2765 CONNECT 152.163.66.141:443 - ORIGINAL_DST/152.163.66.141 -
1432132109.582  19605 192.168.6.133 TCP_TUNNEL/200 6496 CONNECT 98.138.74.35:443 - ORIGINAL_DST/98.138.74.35 -
1432132109.582  19535 192.168.6.133 TCP_TUNNEL/200 3636 CONNECT 68.142.123.254:443 - ORIGINAL_DST/68.142.123.254 -
1432132109.583  19535 192.168.6.133 TCP_TUNNEL/200 3636 CONNECT 68.142.123.254:443 - ORIGINAL_DST/68.142.123.254 -
1432132109.583  19544 192.168.6.133 TCP_TUNNEL/200 4835 CONNECT 98.138.250.100:443 - ORIGINAL_DST/98.138.250.100 -
1432132109.583  19545 192.168.6.133 TCP_TUNNEL/200 4835 CONNECT 98.138.250.100:443 - ORIGINAL_DST/98.138.250.100 -
1432132119.593  12771 192.168.6.133 TCP_TUNNEL/200 3861 CONNECT 216.58.217.36:443 - ORIGINAL_DST/216.58.217.36 -

Here's my squid.conf file:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl Google dstdomain .google.com

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3126 tproxy
https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
ssl_bump server-first Google
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
shutdown_lifetime 1 second

request_header_add X-GoogApps-Allowed-Domains "mydomain.com" Google

Being a novice at Squid and iptables I've done a lot of Googling to get this far but have hit the wall I think with this problem.  Can anyone see why the ssl-bump might not be working for tproxy connections?

What am I missing?


More information about the squid-users mailing list