[squid-users] SSL Bump Issue

Ali Jawad alijawad1 at gmail.com
Fri Mar 4 09:01:18 UTC 2016


Actually, now that I am using 3.15, it seems I get the error for port 80 ->
3128 intercepts again:

TCP_MISS/503 4274 GET http://www.whereIwantToVisit.net/ - ORIGINAL_DST/162.220.244.7 text/html

On Fri, Mar 4, 2016 at 10:35 AM, Ali Jawad <alijawad1 at gmail.com> wrote:

> Hi Amos
>
> Thanks for your input, I did recompile
>
> See :
>
> Squid Cache: Version 3.5.15-20160302-r14000
>
> Service Name: squid
>
> configure options:  '--prefix=/squid' '--includedir=/squid/usr/include'
> '--enable-ssl-crtd' '--datadir=/squid/usr/share' '--bindir=/squid/usr/sbin'
> '--libexecdir=/squid/usr/lib/squid' '--localstatedir=/squid/var'
> '--sysconfdir=/squid/etc/squid' '--enable-arp-acl'
> '--enable-follow-x-forwarded-for' '--enable-auth'
> '--enable-auth-basic=DB,LDAP,NCSA,PAM,RADIUS,SASL,SMB,getpwnam'
> '--enable-auth-ntlm=smb_lm,fake'
> '--enable-auth-digest=file,LDAP,eDirectory'
> '--enable-auth-negotiate=kerberos'
> '--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
> '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
> '--with-filedescriptors=64000' '--with-dl' '--with-openssl'
> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> '--enable-ltdl-convenience' '--disable-ipv6'
>
>
> Yes, the IP in question is my Squid IP. I am still getting the same error;
> it is as if Squid sends traffic to itself.
>
> The only difference is that I see this in the access log now:
>
> 1457080684.426      0 84.208.223.203 TAG_NONE/200 0 CONNECT 162.220.xx.xx:443 - ORIGINAL_DST/162.220.xx.xx -
>
> Not sure if this means anything.
>
>
> Regards
>
> On Fri, Mar 4, 2016 at 6:39 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 4/03/2016 11:57 a.m., Ali Jawad wrote:
>> > Hi
>> > I am using Squid
>> >
>> > [root at kgoDcyTx9 squid]# /squid/sbin/squid  -v
>> >
>> > Squid Cache: Version 3.4.9
>>
>>
>> When using SSL-Bump functionality first port of call is to ensure you
>> are using the latest release.
>>
>> Today that is 3.5.15 (though I recommend the snapshot tarball instead of
>> the main one). Or 4.0.7 beta.
>>
>>
>> >
>> > Config Options
>> >
>> >
>> > https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem key=/squid/etc/squid/ssl_cert/myca.pem
>> >
>> >
>> <snip outdated settings>
>>
>> >
>> > Iptables Rule
>> >
>> > iptables -t nat -A PREROUTING -p tcp --dport 443 --destination 162.220.xx.xx -j REDIRECT --to-ports 3129
>> >
>>
>> So what happens to the Squid traffic going to port 443 ?
>>
>> >
>> > The problem :
>> >
>> > There are no certificate errors in the cache log, and the access log
>> > appears to log the requested URL. The problem is that Squid shows the
>> > error below; from the looks of it, Squid is trying to send the request to
>> > itself on its own IP. My assumption is that Squid is not able to detect
>> > the proper destination during bump "through a config fault of my own" or
>> > a missing
>>
>> The machine NAT system tells Squid what the destination is supposed to be.
>>
>> > step. Please advise:
>> >
>> > The following error was encountered while trying to retrieve the URL:
>> > ://162.220.xx.xx:443
>> > <https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443
>> >
>> >
>> > *Connection to 162.220.244.7 failed.*
>> >
>>
>> Is "162.220.244.7" your Squid IP?
>>
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
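Amos's two questions in the thread ("what happens to the Squid traffic going to port 443?" and "is 162.220.244.7 your Squid IP?") reduce to one check a practitioner can automate: whether the NAT-recovered ORIGINAL_DST of an intercepted connection is one of the proxy's own addresses. The script below is an added example, not code from the thread or from the Squid project. It runs that check over constructed access.log lines in Squid's native log format; the address list in SQUID_ADDRS is a hypothetical stand-in for the host's real interface addresses, and the client address and hostnames in the sample lines are made up.

```shell
#!/bin/sh
# Added example (not from the thread): flag access.log entries whose
# ORIGINAL_DST is one of the proxy's own addresses. Such entries are
# intercepted connections whose original destination was Squid itself, so
# Squid's onward connection loops back into the proxy.

# Hypothetical list of the proxy host's own IPv4 addresses. On a real box
# populate it from the interfaces, e.g.: ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
SQUID_ADDRS="162.220.244.7 10.0.0.5"

# Constructed sample log lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG='1457080684.426      0 84.208.223.203 TAG_NONE/200 0 CONNECT 162.220.244.7:443 - ORIGINAL_DST/162.220.244.7 -
1457080690.102    120 84.208.223.203 TCP_MISS/200 5120 GET http://example.org/ - ORIGINAL_DST/93.184.216.34 text/html
1457080691.317      0 84.208.223.203 TCP_MISS/503 4274 GET http://www.example.net/ - ORIGINAL_DST/162.220.244.7 text/html'

# Read log lines on stdin; print every line whose ORIGINAL_DST/<host>
# field names an address in $SQUID_ADDRS.
self_loop_lines() {
    awk -v addrs="$SQUID_ADDRS" '
        BEGIN {
            n = split(addrs, a, " ")
            for (i = 1; i <= n; i++) own[a[i]] = 1
        }
        {
            # The hierarchy field is not at a fixed position (the URL may
            # contain spaces after URL-decoding), so scan all fields for it.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ORIGINAL_DST\//) {
                    split($i, p, "/")
                    if (p[2] in own) { print; break }
                }
            }
        }'
}

# Number of self-loop entries in the constructed sample.
self_loop_count() {
    printf '%s\n' "$SAMPLE_LOG" | self_loop_lines | wc -l | tr -d ' '
}

# Stand-alone run: show the offending lines and the count.
printf '%s\n' "$SAMPLE_LOG" | self_loop_lines
echo "self-loop entries: $(self_loop_count)"
```

Against a live proxy, pipe the log through the filter (`tail -f access.log | self_loop_lines`) after filling SQUID_ADDRS from the real interfaces. Any hit means the destination the client was actually connecting to, as recovered from the kernel NAT table, is the proxy host itself; that matches both the `CONNECT 162.220.xx.xx:443 ... ORIGINAL_DST/162.220.xx.xx` entry and the `TCP_MISS/503 ... ORIGINAL_DST/162.220.244.7` entry quoted above, and explains a "Connection to <own IP> failed" error without any certificate problem being involved.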