[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Alex Rousskov rousskov at measurement-factory.com
Wed Jun 7 14:32:23 UTC 2017


On 06/07/2017 03:37 AM, Jason Chiu wrote:

> 1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129

> *Need to adjust which part of the settings?*

If that connection is really trying to connect to 127.0.0.1:3129 from
Squid's point of view, then your interception setup is probably deficient.
Intercepted to-port 443 connections should be seen by Squid as going to
port 443 (while being received at Squid port 3129). Interception is not
(or should not be) just port redirection. This has nothing to do with
Squid configuration though.

Once you fix interception (or if you refuse to fix it), if Squid is
denying access, then you should adjust your http_access rules. Your
rules must allow the fake CONNECT requests that represent intercepted HTTPS
connections. For example, the above TCP_DENIED line is probably logged
because your current interception setup triggers this (correct) rule:

> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports


And yes, it might have "worked" in the past because earlier Squids were
doing fewer checks than they should be doing.

Alex.
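To make the denial concrete, here is an added example (not code from this thread or from Squid itself) that walks a fake CONNECT request through the quoted http_access rules in order, the way Squid does, and reports the first matching rule. The port lists are squid.conf defaults; the `localnet` range 192.168.0.0/16 and the destination `example.com` are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Port lists as in the default squid.conf; localnet is an assumed range.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LOCALNET = ipaddress.ip_network("192.168.0.0/16")   # assumed localnet ACL
LOCALHOST = ipaddress.ip_network("127.0.0.0/8")

# The quoted http_access rules, in the order Squid evaluates them.
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

class Request(NamedTuple):
    src: str        # client address as Squid sees it
    method: str     # "CONNECT" for an intercepted HTTPS connection
    dst_host: str   # destination as Squid sees it
    dst_port: int
    url: str = ""   # only needed for the cache manager ACL

def _match(term: str, req: Request) -> bool:
    """Evaluate one ACL name (with optional '!' negation) against the request."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    src = ipaddress.ip_address(req.src)
    value = {
        "all": True,
        "Safe_ports": req.dst_port in SAFE_PORTS,
        "SSL_ports": req.dst_port in SSL_PORTS,
        "CONNECT": req.method == "CONNECT",
        "localnet": src in LOCALNET,
        "localhost": src in LOCALHOST,
        "manager": req.url.startswith("cache_object://") or "/squid-internal-mgr/" in req.url,
    }[name]
    return not value if negate else value

def http_access(req: Request) -> tuple[str, str]:
    """Return (action, rule) for the first rule whose ACLs all match."""
    for action, terms in RULES:
        if all(_match(t, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    return ("allow" if RULES[-1][0] == "deny" else "deny"), "(implicit: opposite of last rule)"

# The request exactly as logged: the tunnel appears to go to the intercept port.
AS_LOGGED = Request("192.168.95.81", "CONNECT", "127.0.0.1", 3129)
# What a correctly intercepted connection looks like (constructed destination).
AS_INTENDED = Request("192.168.95.81", "CONNECT", "example.com", 443)
```

Running `http_access(AS_LOGGED)` returns the `deny CONNECT !SSL_ports` rule, while `AS_INTENDED` reaches `allow localnet`; the http_access rules are correct and only the destination Squid sees differs.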


> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/squid/cache/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> #http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump bump all
> 
> # sslcrtd
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M 10MB
> sslcrtd_children 5
> 
> # sslproxy setting
> sslproxy_capath /var/squid/ssl_db/certs
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
> #sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cert_error allow all
> sslproxy_cert_adapt setValidAfter all
> 
> sslproxy_flags DONT_VERIFY_PEER
> 
> ----------------------------------------
> pf.conf
> ---------------------------------------
> #internal interface
> int_if = '{em1}'
> 
> # Normalization: reassemble fragments resolve or reduce traffic ambiguities.
> scrub in all
> set skip on lo0
> 
> #sslTP rdr setting
> rdr_from = 'any'
> rdr_to = 'any'
> rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 -> 127.0.0.1 port 3129
> pass in all no state
> pass out all no state
> pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any keep state
> 
> 
> 
