[squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Eliezer Croitoru eliezer at ngtech.co.il
Sun Feb 26 05:10:16 UTC 2017


Hey Michael,

You will need to clear up a couple of things for us.
First we will need one of the following outputs, or both:
iptables-save
iptables -L -nv

And then clear up where this proxy sits and what the network structure is.
It's not clear if the squid box is the router or a machine somewhere on AWS.
If you wish to pass traffic from a local router to one on AWS you will need to create a tunnel, e.g. using OpenVPN or a similar solution, and to use some routing rules to pass the traffic from the local LAN to AWS without removing the original destination address.

When more details on the setup are available it will be much simpler to understand what the root of some of the issues you are having is.

All the best,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Test User
Sent: Friday, February 24, 2017 8:52 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Hi,
Sorry I am asking this question again. I am trying to set up an HTTPS
proxy using ssl-bump. I have followed the
steps mentioned in:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Following are Squid setup details:

Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
-Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid'
'--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--with-openssl'
'--enable-ssl-crtd' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'
'--enable-build-info=Ubuntu linux' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security'


Following is my squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \
dhparams=/etc/squid/ssl_cert/dhparam.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern . 0 20% 4320


I get no errors while starting Squid. Following are the logs when Squid starts:

2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for
x86_64-pc-linux-gnu...
2017/02/23 09:59:53 kid1| Service Name: squid
2017/02/23 09:59:53 kid1| Process ID 26236
2017/02/23 09:59:53 kid1| Process Roles: worker
2017/02/23 09:59:53 kid1| With 65535 file descriptors available
2017/02/23 09:59:53 kid1| Initializing IP Cache...
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit:
idnsInit: attempt open DNS socket to: [::]
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit:
idnsInit: attempt open DNS socket to: 0.0.0.0
2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6
2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321)
idnsAddNameserver: idnsAddNameserver: Added nameserver #0
(172.31.0.2:53)
2017/02/23 09:59:53.756 kid1| Adding domain
ap-south-1.compute.internal from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350)
idnsAddPathComponent: idnsAddPathComponent: Added domain #0:
ap-south-1.compute.internal
2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32
'ssl_crtd' processes
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize:
urlInitialize: Initializing...
2017/02/23 09:59:53.779 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
2017/02/23 09:59:53.779 kid1| Store logging disabled
2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated
20164 objects
2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008
2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets
2017/02/23 09:59:53.779 kid1| Max Mem  size: 262144 KB
2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB
2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection
2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/image.png'
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/page_white_text.png'

****several urlParse logs like above. Removing them to shorten the
email. Further logs below...****

2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.
2017/02/23 09:59:53.815 kid1| HTCP Disabled.
2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25
2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0
2017/02/23 09:59:53.815 kid1| Adaptation support is off.
2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket
connections at local=[::]:3128 remote=[::] FD 22 flags=9
2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped
HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41
2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...
2017/02/23 09:59:53| pinger: ICMP socket opened.
2017/02/23 09:59:53| pinger: ICMPv6 socket opened
2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects



I tested this setup by providing proxy details to Firefox. Firefox was
able to show HTTP websites, but when I tried to open an HTTPS website I
got the following error:

2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD
7 flags=33

I googled this error and found this mail thread which had similar problems:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html

I found the link below in the above thread. I modified the steps in it for
HTTPS:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Now my sysctl.conf is:

net.ipv4.conf.all.rp_filter=0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

My iptables -t nat -L result:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  ec2-35-154-101-8.ap-south-1.compute.amazonaws.com
anywhere             tcp dpt:https
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:https to:35.154.101.8:3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Once this was done, I tried to hit an HTTPS website from Firefox and now
I get a connection timeout error. Nothing shows in syslog, access.log or
cache.log. Could you please help me resolve this?

Thanks,
Michael
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
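As an added example (my own, not code from the thread or from the Squid project) of turning the two artifacts Michael pasted into a check: it folds the continuation lines of squid.conf to find the ports configured in intercept or tproxy mode, then counts the cache.log "NAT/TPROXY lookup failed" errors per client on those ports, which shows at a glance which clients reach the intercept port without a NAT entry on the Squid host for Squid to recover the original destination from. The config fragment and log lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict
# Constructed squid.conf fragment modelled on the thread's config (backslash continuations kept).
SAMPLE_CONF = """\
http_port 3128 ssl-bump \\
  cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on
https_port 3129 intercept ssl-bump generate-host-certificates=on \\
  cert=/etc/squid/ssl_cert/squidCA.pem dhparams=/etc/squid/ssl_cert/dhparam.pem
"""
# Constructed cache.log lines modelled on the ERROR pairs quoted in the thread. Squid logs
# "(92) Protocol not available" when getsockopt(SO_ORIGINAL_DST) finds no conntrack NAT record.
SAMPLE_LOG = """\
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33: (92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33
2017/02/23 11:00:51 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3128 remote=10.0.0.7:40001 FD 9 flags=33
"""

PORT_LINE = re.compile(r"^\s*https?_port\s+(?:\S*:)?(\d+)\s(.*)$")
LOOKUP_FAILED = re.compile(
    r"ERROR: NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<lip>\S+):(?P<lport>\d+) remote=(?P<rip>\S+):(?P<rport>\d+)"
)

def intercept_ports(conf_text):
    """Ports of http_port/https_port lines that carry the intercept or tproxy mode flag."""
    ports = set()
    for line in conf_text.replace("\\\n", " ").splitlines():  # fold continuation lines first
        m = PORT_LINE.match(line)
        if m and re.search(r"\b(intercept|tproxy)\b", m.group(2)):
            ports.add(int(m.group(1)))
    return ports

def nat_lookup_failures(log_text, ports):
    """Count 'NAT/TPROXY lookup failed' errors per (client IP, port), intercept ports only."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOOKUP_FAILED.search(line)
        if m and int(m.group("lport")) in ports:
            hits[(m.group("rip"), int(m.group("lport")))] += 1
    return dict(hits)

def report(hits):
    """One line per client whose connections reached an intercept port with no NAT entry to look up."""
    return [f"{ip} -> port {port}: {n} connection(s) with no NAT entry on this host"
            for (ip, port), n in sorted(hits.items())]

if __name__ == "__main__":
    for line in report(nat_lookup_failures(SAMPLE_LOG, intercept_ports(SAMPLE_CONF))):
        print(line)
```

Run it against the real /etc/squid/squid.conf and cache.log to see the same summary for a live box; the 3128 line in the sample is excluded because that port is not in intercept mode.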