[squid-users] Trusted CA Certificate with ssl_bump

Patrick Chemla patrick.chemla at performance-managers.com
Thu Nov 17 17:48:36 UTC 2016


Hi Alex,

I followed the

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: Is there something bad there?

======================================
debug_options   ALL,1  33,2 28,9

http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key

cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP2

acl w3_semplixxxx dstdomain .semplixxxx.com
cache_peer_access SEMP1 allow w3_semplixxxx
cache_peer_access SEMP1 deny all

http_access allow w3_semplixxxx

=====================================

$ wget https://www.semplixxxx.com
--2016-11-17 19:34:49--  https://www.semplixxxx.com/
Résolution de www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
Connexion à www.semplitech.com (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connecté.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Incapable d'établir une connexion SSL.

Same error with the browser
=========================================
This is what I have in the access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE

===========================================
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: 
id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: 
id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: 
id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) 
clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: 
local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 
0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
(access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
(access_log daemon:/var/log/squid/access.log line) = 1
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
access_log daemon:/var/log/squid/access.log = 1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished: 
0x78737acd23c0 answer ALLOWED for match
2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66) 
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520

Thanks for help
Patrick

On 16/11/2016 at 20:16, Patrick Chemla wrote:
> Many thanks Alex. I will try in the next hours and let you know if I am 
> successful.
>
> Patrick
>
>
> On 16/11/2016 at 20:04, Alex Crow wrote:
>>
>> On 16/11/16 17:33, Patrick Chemla wrote:
>>> Thanks for your answers, I am not doing anything illegal, I am 
>>> trying to
>>> build a performant platform.
>>>
>>> I have a big server running about 10 different websites.
>>>
>>> I have on this server virtual machines, each specialized for one or some
>>> websites, and squid helps me send the traffic to the destination
>>> website on the internal VM according to the URL.
>>>
>>> Some VMs are paired, so squid will load-balance the traffic on a group of
>>> VMs according to the URL/acls.
>>>
>>> All this works in HTTP, thanks to Amos's advice a few weeks ago.
>>>
>>> Now, I need to set SSL traffic, and because the domains are different I
>>> need to use different IPs:443 to be able to use different certificates.
>>>
>>> I tried many times in the past to make squid work in SSL and never
>>> succeeded because of so many options, and this question: should the traffic
>>> between squid and the backend be SSL? If yes, it's OK for me,
>>> nothing illegal.
>>>
>>> The second question: how to set up the SSL link on squid, getting the SSL
>>> request and sending it to the backend. Actually the backend can handle SSL
>>> traffic; it's OK for me if I find the way to make squid handle the
>>> traffic according to the acls. squid must decrypt the request, compute
>>> the acls, then re-encrypt to send to the backend.
>>>
>>> The reason I asked not to re-encrypt is because of performance. All this
>>> is on the same server, from the host to the VMs, and decrypt, then
>>> re-encrypt, then decrypt will be resource consuming. But I can do it
>>> like that.
>>>
>>> Now, do you have any Howto, clear, that will help? I found many on
>>> Google and not any gave me the solution working.
>>>
>>> The other question is about Trusted Certificates. We have on the
>>> websites trusted certificates. Should we use the same on the squid?
>>>
>>> Thanks for appreciated help
>>>
>>> Patrick
>>>
>>>
>> You are using a reverse proxy/web accelerator setup. Nothing you do
>> there will be illegal if you're using it for your own servers! You
>> should be able to use HTTP to the backend and just offer HTTPS from
>> squid. This will avoid loading the backend with encryption cycles. You
>> don't need any certificate generation as AFAIK you already have all the
>> certs you need.
>>
>> See:
>>
>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>
>> for starters. You can adapt the wildcard example; if you have specific
>> certs for each domain, just listen on a different IP for each domain and
>> set up multiple https_port with a different listening IP for each site.
>> If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.
>>
>> Here's a couple more:
>>
>> http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy
>>
>>
>> (I found the above with a simple google for "squid reverse ssl proxy".
>> Google is your friend here... )
>>
>> http://www.squid-cache.org/Doc/config/https_port/
>>
>> That's as far as my knowledge goes on reverse in Squid; at my site we
>> use nginx. But AFAIK if you're doing what I think you're doing that
>> should be enough. Squid does have a lot of config parameters, but then
>> so does any other fully capable proxy server. Just focus on the parts
>> you need for your role and it will be much easier. Specifically ignore
>> bump/peek+splice, it's just for forward proxy.
>>
>> Alex
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
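OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" in the wget output above means the ClientHello was answered with bytes that are not a TLS record at all, which fits the plain "NONE error:invalid-request" 400 entries in access_log and the posted config's use of http_port where Alex's reply points at https_port. The Python below is an added diagnostic, not code from this thread or from the Squid project: it builds a genuine ClientHello offline from the ssl module's memory BIOs and classifies the first bytes a listener sends back, so a misconfigured "HTTPS" port is identified before the browser is involved. The host, port and server name in the `__main__` block are placeholder assumptions.

```python
import socket
import ssl


def client_hello_bytes(server_name: str) -> bytes:
    """Produce a genuine TLS ClientHello (with SNI) without any network I/O.

    The handshake is driven against in-memory BIOs, so the bytes OpenSSL
    would send to the server are captured from the outgoing buffer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # only the hello is wanted, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # expected: OpenSSL now waits for the ServerHello
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Name what a listener sent back in answer to a ClientHello."""
    if not data:
        return "closed"                  # peer hung up without sending a byte
    if data[:2] == b"\x16\x03":
        return "tls-handshake"           # record type 22 = Handshake (a ServerHello)
    if data[:2] == b"\x15\x03":
        return "tls-alert"               # record type 21 = Alert (e.g. no shared cipher)
    if data.startswith(b"HTTP/1."):
        return "plaintext-http"          # cleartext status line: the port is not TLS
    return "unknown"


def probe_listener(host: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Send one ClientHello to host:port and classify the first bytes returned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(server_name))
        try:
            return classify_reply(sock.recv(64))
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    # Placeholder target values (assumption); point them at the listener under test.
    print(probe_listener("127.0.0.1", 443, "www.example.com"))
```

A result of "plaintext-http" on a port that is supposed to terminate TLS is exactly the condition the wget error reports; "tls-alert" instead points at certificate or cipher negotiation rather than the listener type.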
