[squid-users] HTTPS sites specifics URL

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 8 03:40:52 UTC 2017


On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:
> Hi Leonardo,
> 
> Thanks for your reply,I tried SSL Bump under client-first and
> server-first modes both didn't work, Squid version is 3.4.14 running
> under OpenBSD 5.6 and 5.7 test boxes, i also increased verbosity log to
> 9 of the URL Parsing debug section to see if shows something useful , i
> 'll post here my squid.conf and debug output from cache.log, if you 
> have some suggestion tell me please.
> 
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: asndb
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: carp
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: userhash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: sourcehash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: server_list
> 2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
> 2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
> entering clientListenerConnectionOpened(local=172.17.198.19:3128
> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
> clientListenerConnectionOpened [call27542]
> 2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
> connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
> leaving clientListenerConnectionOpened(local=172.17.198.19:3128
> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
> connection on FD 18
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
> connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
> HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9
> flags=1
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
> HTTP Client REQUEST:
> ---------
> CONNECT www.sans.org:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
> Gecko/20100101 Firefox/45.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: www.sans.org:443
> Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
> 
> 
> ----------
...
> 2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
> 'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)

... the "password" ACL works.

... the "jeca.tatu" ACL is redundant.

> 2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
> clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
> last ACL checked: all

... the "restrito" ACL does not match "www.sans.org:443".

... the "deny all" blocks this CONNECT request.


> 2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
> connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
> FD 9 flags=1 from SSL-bumped CONNECT

... Squid then goes on and bumps the request. But only so that it can
deliver the error message in a way which browsers will display.

> 2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
> clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
> FD 9 (172.17.200.11:50974)
...
> 2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 403 Forbidden
> Server: squid/3.4.12
> Mime-Version: 1.0
> Date: Tue, 06 Dec 2016 21:33:05 GMT
> Content-Type: text/html
> Content-Length: 3342
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from openbsd57vm01
> Via: 1.1 openbsd57vm01 (squid/3.4.12)
> Connection: close
> 
> #################################################################
> 
> my squid.conf
> 
...
> acl password proxy_auth REQUIRED
> acl jeca.tatu proxy_auth jeca.tatu
> acl restrito url_regex -i  "/etc/squid/acl/restrito"
> http_access allow password jeca.tatu restrito
> http_access deny all
> 
> http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private
> cert=/etc/squid/pki/test.cert
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> always_direct allow all

You don't need that "always_direct allow all". It was a workaround for a
3.1 bug which is long since fixed.

> ssl_bump client-first all

> sslproxy_cert_error allow all
> sslproxy_cert_error allow BadSite
> sslproxy_flags DONT_VERIFY_PEER

Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad,
particularly for testing. You *want* to see what problems are when debugging.

Amos
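The ACL evaluation Amos traces above (password matches, jeca.tatu is redundant, restrito fails on the CONNECT target "www.sans.org:443", so "deny all" fires), as an added Python model that is not code from the thread or from Squid. The contents of /etc/squid/acl/restrito are not shown on the page, so two constructed pattern lists stand in for it; the model also ignores the 407 challenge Squid sends when proxy_auth has no credentials yet.

```python
import re

# Constructed stand-in for /etc/squid/acl/restrito (its real contents are
# not shown in the thread). A pattern written for a full https:// URL can
# never match a CONNECT request, whose URL is just "host:port".
RESTRITO_HTTPS_ONLY = [r"^https://www\.sans\.org/"]
RESTRITO_HOST = [r"www\.sans\.org"]

# http_access lines from the quoted squid.conf, in order.
RULES = [
    ("allow", ["password", "jeca.tatu", "restrito"]),
    ("deny", ["all"]),
]


def url_regex_matches(url, patterns):
    """url_regex -i: true if any pattern matches anywhere in the URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


def http_access(user, url, rules, restrito_patterns):
    """Model Squid's http_access: the first line whose ACLs all match decides.
    Returns (action, last_acl_checked); with no matching line, Squid applies
    the opposite of the last line's action."""
    def acl_matches(name):
        if name == "password":      # acl password proxy_auth REQUIRED
            return user is not None
        if name == "jeca.tatu":     # acl jeca.tatu proxy_auth jeca.tatu
            return user == "jeca.tatu"
        if name == "restrito":      # acl restrito url_regex -i "<file>"
            return url_regex_matches(url, restrito_patterns)
        if name == "all":
            return True
        raise ValueError("unknown ACL: " + name)

    for action, acls in rules:
        last = None
        for acl in acls:
            last = acl
            if not acl_matches(acl):
                break               # this line fails; try the next one
        else:
            return action, last     # every ACL on the line matched
    opposite = "deny" if rules[-1][0] == "allow" else "allow"
    return opposite, None
```

Calling `http_access("jeca.tatu", "www.sans.org:443", RULES, RESTRITO_HTTPS_ONLY)` reproduces the log's "DENIED; last ACL checked: all", while a pattern that matches the bare host form lets the same CONNECT through on the "restrito" ACL.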
