[squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs
Test User
tuser6485 at gmail.com
Thu Feb 23 11:59:13 UTC 2017
Hi,
I am trying to setup HTTPS proxy using ssl-bump. I have followed
steps mentioned in:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Following is my squid.conf file:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/squidCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \
dhparams=/etc/squid/ssl_cert/dhparam.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
I get no errors while starting Squid. Following are the logs when Squid starts:
2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for
x86_64-pc-linux-gnu...
2017/02/23 09:59:53 kid1| Service Name: squid
2017/02/23 09:59:53 kid1| Process ID 26236
2017/02/23 09:59:53 kid1| Process Roles: worker
2017/02/23 09:59:53 kid1| With 65535 file descriptors available
2017/02/23 09:59:53 kid1| Initializing IP Cache...
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit:
idnsInit: attempt open DNS socket to: [::]
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit:
idnsInit: attempt open DNS socket to: 0.0.0.0
2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6
2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321)
idnsAddNameserver: idnsAddNameserver: Added nameserver #0
(172.31.0.2:53)
2017/02/23 09:59:53.756 kid1| Adding domain
ap-south-1.compute.internal from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350)
idnsAddPathComponent: idnsAddPathComponent: Added domain #0:
ap-south-1.compute.internal
2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32
'ssl_crtd' processes
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize:
urlInitialize: Initializing...
2017/02/23 09:59:53.779 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
2017/02/23 09:59:53.779 kid1| Store logging disabled
2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated
20164 objects
2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008
2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets
2017/02/23 09:59:53.779 kid1| Max Mem size: 262144 KB
2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB
2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection
2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/image.png'
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/page_white_text.png'
****several urlParse logs like above. Removing them to shorten the
email. Further logs below...****
2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.
2017/02/23 09:59:53.815 kid1| HTCP Disabled.
2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25
2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0
2017/02/23 09:59:53.815 kid1| Adaptation support is off.
2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket
connections at local=[::]:3128 remote=[::] FD 22 flags=9
2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped
HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41
2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...
2017/02/23 09:59:53| pinger: ICMP socket opened.
2017/02/23 09:59:53| pinger: ICMPv6 socket opened
2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects
I tested this setup by providing proxy details to Firefox. Firefox was
able to show HTTP websites but when I tried to open an HTTPS website I
got following error:
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD
7 flags=33
I googled this error and found this mail thread which had similar problems:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html
I found this link from the above thread. I modified the steps for
HTTPS from the below link:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
Now my sysctl.conf is:
net.ipv4.conf.all.rp_filter=0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
My iptables -t nat -L result:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- ec2-35-154-101-8.ap-south-1.compute.amazonaws.com
anywhere tcp dpt:https
DNAT tcp -- anywhere anywhere tcp
dpt:https to:35.154.101.8:3129
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Once this was done, I tried to hit HTTPS website from Firefox and now
I get connection timeout error. Nothing shows in syslog, access.log or
cache.log. Could you please help me resolve this.
Thanks.
More information about the squid-users
mailing list