[squid-users] SSL Bump Issue

Ali Jawad alijawad1 at gmail.com
Fri Mar 4 08:35:38 UTC 2016


Hi Amos

Thanks for your input, I did recompile.

See:

Squid Cache: Version 3.5.15-20160302-r14000

Service Name: squid

configure options:  '--prefix=/squid' '--includedir=/squid/usr/include'
'--enable-ssl-crtd' '--datadir=/squid/usr/share' '--bindir=/squid/usr/sbin'
'--libexecdir=/squid/usr/lib/squid' '--localstatedir=/squid/var'
'--sysconfdir=/squid/etc/squid' '--enable-arp-acl'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,PAM,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
'--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
'--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=64000' '--with-dl' '--with-openssl'
'--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
'--enable-ltdl-convenience' '--disable-ipv6'


Yes, the IP in question is my Squid IP. I am still getting the same error;
it is as if Squid sends traffic to itself.

The only difference is that I see this in the access log now:

1457080684.426      0 84.208.223.203 TAG_NONE/200 0 CONNECT 162.220.xx.xx:443 - ORIGINAL_DST/162.220.xx.xx -

Not sure if this means anything.


Regards

On Fri, Mar 4, 2016 at 6:39 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 4/03/2016 11:57 a.m., Ali Jawad wrote:
> > Hi
> > I am using Squid
> >
> > [root at kgoDcyTx9 squid]# /squid/sbin/squid  -v
> >
> > Squid Cache: Version 3.4.9
>
>
> When using SSL-Bump functionality, the first port of call is to ensure you
> are using the latest release.
>
> Today that is 3.5.15 (though I recommend the snapshot tarball instead of
> the main one). Or 4.0.7 beta.
>
>
> >
> > Config Options
> >
> >
> > https_port 3129 intercept ssl-bump generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem
> > key=/squid/etc/squid/ssl_cert/myca.pem
> >
> >
> <snip outdated settings>
>
> >
> > Iptables Rule
> >
> > iptables -t nat -A PREROUTING -p tcp  --dport 443 --destination
> > 162.220.xx.xx -j REDIRECT --to-ports 3129
> >
>
> So what happens to the Squid traffic going to port 443 ?
>
> >
> > The problem :
> >
> > There are no certificate errors in the cache log, and the access log
> > appears to log the requested URL. The problem is that Squid shows the
> > error below; from the looks of it, Squid is trying to send the request to
> > itself on its own IP. My assumption is that Squid is not able to detect
> > the proper destination during bump, "through a config fault of my own" or
> > a missing
>
> The machine's NAT system tells Squid what the destination is supposed to be.
>
> > step. Please advise:
> >
> > The following error was encountered while trying to retrieve the URL:
> > ://162.220.xx.xx:443
> > <https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443>
> >
> > *Connection to 162.220.244.7 failed.*
> >
>
> Is "162.220.244.7" your Squid IP?
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
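As an added illustration, not code from either poster: a check over Squid native access.log lines in the shape Ali quoted, flagging intercepted requests whose ORIGINAL_DST peer is one of the proxy's own addresses, which is the self-loop Amos is pointing at. The sample lines and addresses are constructed (RFC 5737 ranges), and the set of proxy addresses is an assumption the operator would fill in.

```python
"""Flag Squid intercept requests whose ORIGINAL_DST is the proxy itself.

Added example, not from the squid-users thread. Parses Squid native
access.log lines (ts elapsed client code/status bytes method url user
hierarchy/peer type) and reports a forwarding loop: an intercepted request
whose original NAT destination resolves to one of the proxy's own addresses.
Sample lines and addresses below are constructed (RFC 5737 ranges).
"""
import re
from typing import NamedTuple

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

class Entry(NamedTuple):
    client: str
    code: str
    method: str
    url: str
    hier: str   # hierarchy code, e.g. ORIGINAL_DST for intercepted traffic
    peer: str   # next-hop address Squid chose

def parse_line(line):
    """Return an Entry for a native-format line, or None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    return None if m is None else Entry(m["client"], m["code"], m["method"],
                                        m["url"], m["hier"], m["peer"])

def is_self_loop(entry, proxy_addrs):
    """True when the NAT-derived destination is the proxy's own address."""
    return entry.hier == "ORIGINAL_DST" and entry.peer in proxy_addrs

def find_loops(lines, proxy_addrs):
    """Collect entries that show Squid forwarding to itself."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e is not None and is_self_loop(e, proxy_addrs)]

# Constructed sample log; 192.0.2.10 stands in for the proxy's own address.
SAMPLE_LOG = [
    "1457080684.426      0 198.51.100.7 TAG_NONE/200 0 CONNECT 192.0.2.10:443 - ORIGINAL_DST/192.0.2.10 -",
    "1457080690.101     52 198.51.100.7 TCP_MISS/200 5123 GET https://example.com/ - ORIGINAL_DST/203.0.113.5 text/html",
    "1457080695.300      0 198.51.100.8 TAG_NONE/200 0 CONNECT 203.0.113.9:443 - HIER_NONE/- -",
]
PROXY_ADDRS = {"192.0.2.10"}  # assumption: the proxy's own listening addresses

if __name__ == "__main__":
    for e in find_loops(SAMPLE_LOG, PROXY_ADDRS):
        print(f"loop: {e.client} {e.method} {e.url} -> {e.hier}/{e.peer}")
```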