[squid-users] SSL Bump Issue

Ali Jawad alijawad1 at gmail.com
Thu Mar 3 23:47:00 UTC 2016


I did run in debug mode and when the request is done I can see

2016/03/03 18:43:13.784 kid1| Address.cc(378) lookupHostIP: Given Non-IP 'requested.URL.com': Name or service not known

I am using 8.8.8.8 in resolv.conf ("public hostname, not internal") and I can
ping the URL that should be there instead of requested.URL.com just fine from
the command line. I can also visit that URL in the browser when using the
transparent proxy in HTTP mode.

On Fri, Mar 4, 2016 at 12:57 AM, Ali Jawad <alijawad1 at gmail.com> wrote:

> Hi
> I am using Squid
>
> [root at kgoDcyTx9 squid]# /squid/sbin/squid  -v
>
> Squid Cache: Version 3.4.9
>
> configure options:  '--prefix=/squid' '--includedir=/squid/usr/include'
> '--enable-ssl-crtd' '--datadir=/squid/usr/share' '--bindir=/squid/usr/sbin'
> '--libexecdir=/squid/usr/lib/squid' '--localstatedir=/squid/var'
> '--sysconfdir=/squid/etc/squid' '--enable-arp-acl'
> '--enable-follow-x-forwarded-for' '--enable-auth'
> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
> '--enable-auth-ntlm=smb_lm,fake'
> '--enable-auth-digest=file,LDAP,eDirectory'
> '--enable-auth-negotiate=kerberos'
> '--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
> '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
> '--with-filedescriptors=64000' '--with-dl' '--with-openssl'
> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> '--enable-ltdl-convenience' '--disable-ipv6'
>
>
> Config Options
>
>
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem
> key=/squid/etc/squid/ssl_cert/myca.pem
>
>
> #always_direct allow all
>
> ssl_bump server-first all
>
> sslproxy_cert_error allow all
>
> sslproxy_flags DONT_VERIFY_PEER
>
> #sslproxy_cert_error deny all
>
> #sslproxy_flags DONT_VERIFY_PEER
>
>
> sslcrtd_program /squid/usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> sslcrtd_children 8 startup=1 idle=1
>
>
> Iptables Rule
>
> iptables -t nat -A PREROUTING -p tcp  --dport 443 --destination
> 162.220.xx.xx -j REDIRECT --to-ports 3129
>
>
> The problem :
>
> There are no certificate errors in the cache log, and the access log appears
> to log the requested URL. The problem is that Squid shows the error below;
> from the looks of it, Squid is trying to send the request to itself on its
> own IP. My assumption is that Squid is not able to detect the proper
> destination during bump, "through a config fault of my own" or a missing
> step. Please advise:
>
> The following error was encountered while trying to retrieve the URL:
> ://162.220.xx.xx:443
> <https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443>
>
> *Connection to 162.220.244.7 failed.*
>
> The system returned: *(111) Connection refused*
>
>
>
>
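As an added example (not part of the original post and not Squid's own code), the following Python script pulls the `lookupHostIP: Given Non-IP` entries out of a Squid cache.log, counts them per name, and re-checks whether each name resolves from the host the script runs on, so the proxy host's view of DNS can be compared with what `ping` or a browser sees elsewhere. The sample log lines, the `example.internal` name and the cache.log line-layout regex are constructed assumptions for the demonstration; only the first sample line mirrors the entry quoted above.

```python
"""Triage 'lookupHostIP: Given Non-IP' entries in a Squid cache.log.

Squid logs this line when a name it needs to connect to does not resolve on
the proxy host. This script extracts those names from a debug log, counts
them, and re-tries resolution so the result can be compared with what other
machines see.
"""
import re
import socket
from collections import Counter
from typing import Callable, Dict, Optional

# Constructed sample log (assumption: only the first line is the one from the post;
# the others are invented noise and a second failing name).
SAMPLE_LOG = """\
2016/03/03 18:43:13.784 kid1| Address.cc(378) lookupHostIP: Given Non-IP 'requested.URL.com': Name or service not known
2016/03/03 18:43:14.001 kid1| client_side.cc(100) parseHttpRequest: HTTP Client REQUEST
2016/03/03 18:43:15.120 kid1| Address.cc(378) lookupHostIP: Given Non-IP 'example.internal': Name or service not known
2016/03/03 18:43:16.500 kid1| Address.cc(378) lookupHostIP: Given Non-IP 'requested.URL.com': Name or service not known
"""

# Assumed cache.log layout: "YYYY/MM/DD HH:MM:SS.mmm kidN| file.cc(line) function: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<kid>kid\d+)\| "
    r"(?P<src>[\w.]+\(\d+\)) "
    r"(?P<func>\w+): "
    r"(?P<msg>.*)$"
)

# The message body this thread is about.
NONIP_RE = re.compile(r"Given Non-IP '(?P<name>[^']+)': (?P<reason>.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one cache.log line into fields; None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def unresolved_names(log_text: str) -> Counter:
    """Count how often each name failed to resolve in lookupHostIP."""
    counts: Counter = Counter()
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not fields or fields["func"] != "lookupHostIP":
            continue
        m = NONIP_RE.search(fields["msg"])
        if m:
            counts[m.group("name")] += 1
    return counts


def resolves(name: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if `resolver` turns `name` into an address; the default asks this host's resolver."""
    try:
        resolver(name)
        return True
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return False


def triage(log_text: str,
           resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Dict[str, object]]:
    """For each failing name: how many times Squid logged it and whether it resolves now."""
    return {
        name: {"failures": n, "resolves_now": resolves(name, resolver)}
        for name, n in unresolved_names(log_text).items()
    }


if __name__ == "__main__":
    # Uses the real resolver of the host running the script.
    for name, info in triage(SAMPLE_LOG).items():
        print(f"{name}: {info['failures']} failure(s), resolves now: {info['resolves_now']}")
```

Run it on the proxy host against the real cache.log (`triage(open("/squid/var/logs/cache.log").read())`, path assumed) to see whether the names Squid could not resolve still fail there; a name that resolves from a workstation but not from the proxy points at the proxy's resolver configuration rather than at the bump itself.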