[squid-users] ERR_ACCESS_DENIED when using transparent https proxy

CZ Huang cunzhihuang at gmail.com
Sat Jun 30 04:54:44 UTC 2018


I used the following command to send requests (see details below) but got
"HTTP/1.1 403 Forbidden".

curl https://www.online.citi.com -x https://10.192.197.200:3130 --verbose --proxy-insecure

I understand the error was caused by "CONNECT 10.192.197.200:3130 HTTP/1.1".
But curl did not send it so where did it come from?

If I change "https_port 10.192.197.200:3130 ssl-bump intercept" to
"https_port 10.192.197.200:3130" in the config file, then there is no error
(proxy does not take part in the 2nd SSL handshake anymore).

Please help me fix the errors. Thanks!

========================================================

2018/06/29 21:07:38.718 kid1| 11,2| client_side.cc(2372) parseHttpRequest:
HTTP Client local=10.192.197.200:3130 remote=172.18.78.222:53759 FD 10
flags=33
2018/06/29 21:07:38.718 kid1| 11,2| client_side.cc(2373) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT 10.192.197.200:3130 HTTP/1.1
Host: 10.192.197.200:3130
----------

---------
CONNECT www.online.citi.com:443 HTTP/1.1
Host: www.online.citi.com:443
User-Agent: curl/7.59.0
Proxy-Connection: Keep-Alive
----------

2018/06/29 21:07:38.718 kid1| 5,3| comm.cc(553) commSetConnTimeout:
local=10.192.197.200:3130 remote=172.18.78.222:53759 FD 10 flags=33 timeout
86400
2018/06/29 21:07:38.718 kid1| 23,3| url.cc(371) urlParse: urlParse: Split
URL '10.192.197.200:3130' into proto='', host='10.192.197.200', port='3130',
path=''
2018/06/29 21:07:38.718 kid1| 23,3| HttpRequest.h(82) SetHost:
HttpRequest::SetHost() given IP: 10.192.197.200
2018/06/29 21:07:38.718 kid1| 33,3| client_side.cc(891)
clientSetKeepaliveFlag: http_ver = HTTP/1.1
2018/06/29 21:07:38.718 kid1| 33,3| client_side.cc(892)
clientSetKeepaliveFlag: method = CONNECT
2018/06/29 21:07:38.718 kid1| 33,3| client_side.h(98) mayUseConnection: This
0x564037b7d2f8 marked 1
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(130)
ClientRequestContext: 0x564037b80648 ClientRequestContext constructed
2018/06/29 21:07:38.719 kid1| 83,3| client_side_request.cc(1708) doCallouts:
Doing calloutContext->hostHeaderVerify()
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(635)
hostHeaderVerify: validate host=10.192.197.200, port=3130, portStr=3130
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(526)
hostHeaderIpVerify: validate IP 10.192.197.200:3130 possible from Host:
2018/06/29 21:07:38.719 kid1| 83,3| client_side_request.cc(1715) doCallouts:
Doing calloutContext->clientAccessCheck()
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(70) preCheck:
0x564037b807f8 checking slow rules
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: Safe_ports
= 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked:
!Safe_ports = 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked:
http_access#1 = 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: CONNECT =
1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: SSL_ports
= 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: !SSL_ports
= 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked:
http_access#2 = 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked:
http_access = 1
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(63) markFinished:
0x564037b807f8 answer DENIED for match
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(163) checkCallback:
ACLChecklist::checkCallback: 0x564037b807f8 answer=DENIED
2018/06/29 21:07:38.719 kid1| 85,2| client_side_request.cc(745)
clientAccessCheckDone: The request CONNECT 10.192.197.200:3130 is DENIED;
last ACL checked: SSL_ports


---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.27
Mime-Version: 1.0
Date: Sat, 30 Jun 2018 04:07:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3477
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from xxxxxxx
Via: 1.1 xxxxxxx (squid/3.5.27)
Connection: close
----------

========================================================

$ sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1738 packets, 191K bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain INPUT (policy ACCEPT 1638 packets, 177K bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy ACCEPT 35154 packets, 2119K bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain POSTROUTING (policy ACCEPT 35154 packets, 2119K bytes)
 pkts bytes target     prot opt in     out     source              
destination

========================================================

$ sudo squid -v
Squid Cache: Version 3.5.27
Service Name: squid

This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--exec-prefix=/usr'
'--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-default-user=squid' '--enable-silent-rules'
'--enable-dependency-tracking' '--enable-icmp' '--enable-delay-pools'
'--enable-useragent-log' '--enable-esi' '--enable-follow-x-forwarded-for'
'--enable-auth' '--enable-ssl-crtd' '--disable-arch-native'
'--enable-linux-netfilter' '--with-openssl' --enable-ltdl-convenience

========================================================

$ sudo squid -k parse
2018/06/29 21:17:03| Startup: Initializing Authentication Schemes ...
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'basic'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'digest'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'negotiate'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'ntlm'
2018/06/29 21:17:03| Startup: Initialized Authentication.
2018/06/29 21:17:03| Processing Configuration File: /etc/squid/squid.conf
(depth 0)
2018/06/29 21:17:03| Processing: acl localnet src 10.0.0.0/8    # RFC1918
possible internal network
2018/06/29 21:17:03| Processing: acl localnet src 172.16.0.0/12 # RFC1918
possible internal network
2018/06/29 21:17:03| Processing: acl localnet src 192.168.0.0/16        #
RFC1918 possible internal network
2018/06/29 21:17:03| Processing: acl localnet src fc00::/7       # RFC 4193
local private network range
2018/06/29 21:17:03| Processing: acl localnet src fe80::/10      # RFC 4291
link-local (directly plugged) machines
2018/06/29 21:17:03| Processing: acl SSL_ports port 443
2018/06/29 21:17:03| Processing: acl Safe_ports port 80         # http
2018/06/29 21:17:03| Processing: acl Safe_ports port 21         # ftp
2018/06/29 21:17:03| Processing: acl Safe_ports port 443                #
https
2018/06/29 21:17:03| Processing: acl Safe_ports port 70         # gopher
2018/06/29 21:17:03| Processing: acl Safe_ports port 210                #
wais
2018/06/29 21:17:03| Processing: acl Safe_ports port 1025-65535 #
unregistered ports
2018/06/29 21:17:03| Processing: acl Safe_ports port 280                #
http-mgmt
2018/06/29 21:17:03| Processing: acl Safe_ports port 488                #
gss-http
2018/06/29 21:17:03| Processing: acl Safe_ports port 591                #
filemaker
2018/06/29 21:17:03| Processing: acl Safe_ports port 777                #
multiling http
2018/06/29 21:17:03| Processing: acl CONNECT method CONNECT
2018/06/29 21:17:03| Processing: debug_options ALL,3
2018/06/29 21:17:03| Processing: http_access deny !Safe_ports
2018/06/29 21:17:03| Processing: http_access deny CONNECT !SSL_ports
2018/06/29 21:17:03| Processing: http_access allow localhost manager
2018/06/29 21:17:03| Processing: http_access deny manager
2018/06/29 21:17:03| Processing: http_access allow localnet
2018/06/29 21:17:03| Processing: http_access allow localhost
2018/06/29 21:17:03| Processing: http_access  allow all
2018/06/29 21:17:03| Processing: http_port 3128
2018/06/29 21:17:03| Processing: http_port 10.192.197.200:3129 ssl-bump 
cert=/etc/squid/ssl_cert/myCA.pem  generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
2018/06/29 21:17:03| Processing: https_port 10.192.197.200:3130 ssl-bump
intercept  cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
2018/06/29 21:17:03| Starting Authentication on port 10.192.197.200:3130
2018/06/29 21:17:03| Disabling Authentication on port 10.192.197.200:3130
(interception enabled)
2018/06/29 21:17:03| Processing: acl step1 at_step SslBump1
2018/06/29 21:17:03| Processing: ssl_bump peek step1
2018/06/29 21:17:03| Processing: ssl_bump bump all
2018/06/29 21:17:03| Processing: ssl_bump stare all
2018/06/29 21:17:03| Processing: always_direct allow all
2018/06/29 21:17:03| Processing: coredump_dir /var/cache/squid
2018/06/29 21:17:03| Processing: refresh_pattern ^ftp:          1440    20%    
10080
2018/06/29 21:17:03| Processing: refresh_pattern ^gopher:       1440    0%     
1440
2018/06/29 21:17:03| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%     
0
2018/06/29 21:17:03| Processing: refresh_pattern .              0       20%    
4320
2018/06/29 21:17:03| Initializing https proxy context
2018/06/29 21:17:03| Initializing http_port 10.192.197.200:3129 SSL context
2018/06/29 21:17:03| Using certificate in /etc/squid/ssl_cert/myCA.pem
2018/06/29 21:17:03| Initializing https_port 10.192.197.200:3130 SSL context
2018/06/29 21:17:03| Using certificate in /etc/squid/ssl_cert/myCA.pem

========================================================

$ curl  https://www.online.citi.com -x https://10.192.197.200:3130 --verbose
--proxy-insecure
* STATE: INIT => CONNECT handle 0x6000579c0; line 1404 (connection #-5000)
* Rebuilt URL to: https://www.online.citi.com/
* Added connection 0. The cache now contains 1 members
*   Trying 10.192.197.200...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x6000579c0; line 1456 (connection
#0)
* Connected to 10.192.197.200 (10.192.197.200) port 3130 (#0)
* STATE: WAITCONNECT => WAITPROXYCONNECT handle 0x6000579c0; line 1566
(connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: CN=10.192.197.200
*  start date: Jun 29 04:28:09 2018 GMT
*  expire date: Jun 29 04:28:09 2019 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate in certificate
chain (19), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.online.citi.com:443
> CONNECT www.online.citi.com:443 HTTP/1.1
> Host: www.online.citi.com:443
> User-Agent: curl/7.59.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.5.27
< Mime-Version: 1.0
< Date: Sat, 30 Jun 2018 04:07:38 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3477
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from cxxxxx
< Via: 1.1 xxxxx (squid/3.5.27)
< Connection: close
<
* Marked for [closure]: proxy CONNECT failure
* Received HTTP code 403 from proxy after CONNECT
* CONNECT phase completed!
* multi_done
* Closing connection 0
* The cache now contains 0 members
curl: (56) Received HTTP code 403 from proxy after CONNECT


========================================================




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
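The ACL evaluation visible in the cache.log above, reproduced as an added Python example (not Squid's code and not from the original post): it parses the http_access lines from the `squid -k parse` output and applies Squid's first-match rule to the two CONNECT requests in the log, showing why the synthesized CONNECT to the proxy's own port 3130 trips `http_access deny CONNECT !SSL_ports` (the rule is doing its job: a tunnel to a non-443 port is refused) while curl's CONNECT to port 443 is allowed by `localnet`. The request dicts and the reduced ACL model (only src, port, method and all) are assumptions made for the example.

```python
import ipaddress
# ACLs and http_access lines from the "squid -k parse" output above, each ACL folded
# onto one line; the manager/localhost lines cannot match these requests and are left out.
SQUID_CONF = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
"""

def parse(conf):
    acls, rules = {"all": ("all", [])}, []          # "all" is a Squid built-in
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "method":
        return req["method"] in values
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # "443" or a range such as "1025-65535"
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    raise ValueError(f"acl type {kind} is not modelled here")

def http_access(acls, rules, req):
    """Squid's first-match rule: a line matches only if every term matches,
    '!' negating a term. Returns (verdict, line number, last acl checked)."""
    for line, (verdict, terms) in enumerate(rules, 1):
        for term in terms:
            if acl_matches(acls, term.lstrip("!"), req) == term.startswith("!"):
                break                               # term failed: try the next line
        else:
            return verdict, line, terms[-1].lstrip("!")
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, None  # default: opposite of last line

# The two CONNECTs from the cache.log above, as request dicts (constructed for this example).
FAKE_CONNECT = {"method": "CONNECT", "src": "172.18.78.222", "port": 3130}
REAL_CONNECT = {"method": "CONNECT", "src": "172.18.78.222", "port": 443}
```

`http_access(*parse(SQUID_CONF), FAKE_CONNECT)` gives `('deny', 2, 'SSL_ports')`, matching the log's "http_access#2 = 1 ... last ACL checked: SSL_ports".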

