[squid-users] peek-and-splice on Centos7 and squid4

Eliezer Croitoru eliezer at ngtech.co.il
Thu Oct 13 11:15:05 UTC 2016


May I ask if you are Intercepting the connections or in your setup you define/configure in the browserclient the proxy settings?

Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile+WhatsApp: +972-5-28704261
Email: eliezer at ngtech.co.il
On Tue, Oct 11, 2016 at 08:10 PM, - -  wrote:
Dear all,

currently I try to configure peek-and-splice on Centos7 and squid4. I have a
running config for Centos6.6 and squid 3.5.18.

No matter what I try i can't get squid4 to splice certain sites and to
bump/terminate the rest. My config is as follows:

acl sni_exclusions ssl::server_name .google.com
acl sni_exclusions ssl::server_name .google.de

acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2
ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

if I replace the ssl_bump bump all with ssl_bump terminate all, all sites are
terminated, if I do a ssl_bump splice all, all https traffic is going through.

the log when a device connects to an allowed site looks is below, if I accept
the self generated certificate access the webpage is allowed. If i do the same
with a site not allowed i'll get redirected to the deny_info page after
accepting the certificate. So everything working as desired besides the
certificate warning for "spliced" websites. I'm using the squid4 build from
http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid_Beta_release (http://wiki.squid-cache.org/KnowledgeBase/CentOS#Squid_Beta_release).

Thanks in advance for any hint,
Alex

squid version:
squid -v
Squid Cache: Version 4.0.12
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
'--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-security-cert-generators' '--enable-security-cert-validators'
'--enable-icmp' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads'
'--with-included-ltdl' '--disable-arch-native' '--enable-ecap'
'--without-nettle' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches   -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience

cache.log:
2016/10/11 16:54:57.126 kid1| 33,5| client_side.cc(1367) parseHttpRequest:
Prepare absolute URL from intercept
2016/10/11 16:54:57.126 kid1| 33,5| client_side.cc(2150) clientParseRequests:
local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33: done parsing a
request
2016/10/11 16:54:57.126 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x2b008e0 add
request 1 0x2b06280*3
2016/10/11 16:54:57.126 kid1| 33,5| Http1Server.cc(181) buildHttpRequest:
normalize 1 Host header using 216.58.211.3:443
2016/10/11 16:54:57.126 kid1| 33,3| client_side.cc(643) clientSetKeepaliveFlag:
http_ver = HTTP/1.1
2016/10/11 16:54:57.126 kid1| 33,3| client_side.cc(644) clientSetKeepaliveFlag:
method = CONNECT
2016/10/11 16:54:57.126 kid1| 33,3| http/Stream.h(139) mayUseConnection: This
0x2b06280 marked 1
2016/10/11 16:54:57.127 kid1| 33,3| client_side.cc(2163) clientParseRequests:
Not parsing new requests, as this request may need the connection
2016/10/11 16:54:57.127 kid1| 33,5| client_side.cc(3113) switchToHttps:
converting local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33 to SSL
2016/10/11 16:54:57.127 kid1| 33,4| ServerBump.cc(27) ServerBump: will peek at
216.58.211.3:443
2016/10/11 16:54:57.127 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
ConnStateData::requestTimeout constructed, this=0x2b00b70 [call688]
2016/10/11 16:54:57.127 kid1| 33,4| Server.cc(90) readSomeData:
local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33: reading
request...
2016/10/11 16:54:57.127 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
Server::doClientRead constructed, this=0x2b00c00 [call689]
2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(93) ScheduleCall:
IoCallback.cc(135) will call Server::doClientRead(local=216.58.211.3:443
remote=10.248.0.8:59837 FD 25 flags=33, data=0x2b00898) [call689]
2016/10/11 16:54:57.131 kid1| 33,5| AsyncCallQueue.cc(55) fireNext: entering
Server::doClientRead(local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25
flags=33, data=0x2b00898)
2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(38) make: make call
Server::doClientRead [call689]
2016/10/11 16:54:57.131 kid1| 33,5| AsyncJob.cc(123) callStart: Http1::Server
status in: [ job31]
2016/10/11 16:54:57.131 kid1| 33,5| Server.cc(104) doClientRead:
local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33
2016/10/11 16:54:57.131 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
ConnStateData::requestTimeout constructed, this=0x2b04940 [call690]
2016/10/11 16:54:57.131 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2b008e0
front 0x2b06280*2
2016/10/11 16:54:57.131 kid1| 33,5| client_side.cc(3232)
httpsSslBumpStep2AccessCheckDone: Answer: ALLOWED kind:5
2016/10/11 16:54:57.131 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2b008e0
front 0x2b06280*3
2016/10/11 16:54:57.132 kid1| 33,5| client_side.cc(2577) httpsCreate: will
negotate SSL on local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25 flags=33
2016/10/11 16:54:57.132 kid1| 33,5| AsyncJob.cc(153) callEnd: Http1::Server
status out: [ job31]
2016/10/11 16:54:57.132 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving
Server::doClientRead(local=216.58.211.3:443 remote=10.248.0.8:59837 FD 25
flags=33, data=0x2b00898)
2016/10/11 16:54:57.182 kid1| 33,3| client_side.cc(4000) unpinConnection:
2016/10/11 16:54:57.182 kid1| 33,3| client_side.cc(3833) pinNewConnection:
local=10.4.38.62:26120 remote=216.58.211.3:443 FD 26 flags=1
2016/10/11 16:54:57.182 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall
ConnStateData::clientPinnedConnectionClosed constructed, this=0x2b3e750
[call704]
2016/10/11 16:54:57.182 kid1| 33,3| AsyncCall.cc(26) AsyncCall: The AsyncCall
ConnStateData::clientPinnedConnectionRead constructed, this=0x2b262b0 [call705]
2016/10/11 16:54:57.182 kid1| 33,5| client_side.cc(3361) httpsPeeked: bumped
HTTPS server: 216.58.211.3
2016/10/11 16:54:57.182 kid1| 33,3| Pipeline.cc(44) terminateAll: Pipeline
0x2b008e0 notify(0) 0x2b06280*3
2016/10/11 16:54:57.182 kid1| 33,3| Pipeline.cc(57) popMe: Pipeline 0x2b008e0
drop 0x2b06280*3
2016/10/11 16:54:57.183 kid1| 33,3| client_side_request.cc(270)
~ClientHttpRequest: httpRequestFree: 216.58.211.3:443
2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(383) logRequest: logging
half-baked transaction: 216.58.211.3:443
2016/10/11 16:54:57.183 kid1| 33,9| client_side.cc(387) logRequest:
clientLogRequest: al.url='216.58.211.3:443'
2016/10/11 16:54:57.183 kid1| 33,9| client_side.cc(397) logRequest:
clientLogRequest: http.code='200'
2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(3027) getSslContextStart:
Generating SSL certificate for www.google.de (http://www.google.de)
2016/10/11 16:54:57.183 kid1| 33,5| client_side.cc(3346) doPeekAndSpliceStep:
PeekAndSplice mode, proceed with client negotiation. Currrent state:SSLv2/v3
read client hello A
2016/10/11 16:54:57.183 kid1| Error negotiating SSL connection on FD 25:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(93) ScheduleCall: comm.cc(736)
will call ConnStateData::connStateClosed(FD -1, data=0x2b00898) [call685]
2016/10/11 16:54:57.209 kid1| 33,5| AsyncCallQueue.cc(55) fireNext: entering
ConnStateData::connStateClosed(FD -1, data=0x2b00898)
2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(38) make: make call
ConnStateData::connStateClosed [call685]
2016/10/11 16:54:57.209 kid1| 33,5| AsyncJob.cc(123) callStart: Http1::Server
status in: [ job31]
2016/10/11 16:54:57.209 kid1| 33,2| client_side.cc(586) swanSong:
local=216.58.211.3:443 remote=10.248.0.8:59837 flags=33
2016/10/11 16:54:57.209 kid1| 33,3| client_side.cc(4000) unpinConnection:
local=10.4.38.62:26120 remote=216.58.211.3:443 FD 26 flags=1
2016/10/11 16:54:57.209 kid1| 33,5| AsyncCall.cc(56) cancel: will not call
ConnStateData::clientPinnedConnectionClosed [call704] because
comm_remove_close_handler
2016/10/11 16:54:57.209 kid1| 33,3| AsyncCall.cc(56) cancel: will not call
ConnStateData::clientPinnedConnectionRead [call705] because comm_read_cancel
2016/10/11 16:54:57.209 kid1| 33,3| AsyncCall.cc(56) cancel: will not call
ConnStateData::clientPinnedConnectionRead [call705] also because
comm_read_cancel
2016/10/11 16:54:57.209 kid1| 33,3| client_side.cc(614) ~ConnStateData:
local=216.58.211.3:443 remote=10.248.0.8:59837 flags=33
2016/10/11 16:54:57.209 kid1| 33,4| ServerBump.cc(46) ~ServerBump: destroying
2016/10/11 16:54:57.209 kid1| 33,4| ServerBump.cc(48) ~ServerBump:
e:=sp2XDIV/0x2b04270*1
2016/10/11 16:54:57.209 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving
ConnStateData::connStateClosed(FD -1, data=0x2b00898)
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org (mailto:squid-users at lists.squid-cache.org)
http://lists.squid-cache.org/listinfo/squid-users (http://lists.squid-cache.org/listinfo/squid-users)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161013/13caab68/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 29577 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161013/13caab68/attachment-0001.png>


More information about the squid-users mailing list