[squid-users] HTTPS interception proxy having issues

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 11 12:00:23 UTC 2019


On 11/12/19 3:48 am, aashutosh kalyankar wrote:
> 
> Hi! I am trying to set up an HTTPS intercept proxy but I cannot get it to
> work. Can someone point me in the right direction?
> 
> I tried following the
> tutorial @ https://www.youtube.com/watch?v=Bogdplu_lsE (Transparent
> HTTP+HTTPS Proxy with Squid and iptables) for the squid file,
> and https://github.com/diladele/squid-ubuntu for building squid 3.5 on
> ubuntu.
> 
> *squid.conf file*
> 
> acl clients src 172.16.10.0/24
> acl clients src 172.18.10.0/24
> 
> http_access allow localhost
> http_access allow clients
> http_access deny all
> http_port 8080
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_certs/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 
> # only wait 5 seconds to terminate active connections
> shutdown_lifetime 5
> 
> I am forced to use the old 3.5 version of squid as I am running a very old
> version of vSphere supporting ubuntu 14.04 and below.

Such things do not apply when building from source. You can build any
version which your build tools can handle. That should be any Squid-3.5
release, including the daily auto-generated code.



> *Squid Cache: Version 3.5.19*
> Service Name: squid
> Ubuntu linux
> configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro
> -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man'
> '--enable-inline' '--disable-arch-native' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
> '--enable-auth-digest=file,LDAP'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-auth-ntlm=fake,smb_lm'
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
> '--disable-translation' '--with-swapdir=/var/spool/squid'
> '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--with-openssl' '--enable-ssl'
> '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux'
> '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
> -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE
> -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
> 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4
> -Wformat -Werror=format-security'
> 
> 
> *Firewall & NAT rules added*
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment
> --comment "squid http proxy"
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment
> --comment "squid https proxy"
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 8080 -m comment
> --comment "squid http8080 proxy"


Irrelevant unless you have a local policy of requiring these for any
port to receive traffic.

There should be mangle table PREROUTING chain rule(s) to DROP or REJECT
any packets headed to Squid intercept ports.


> 
>  sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m
> comment --comment "transparent http proxy" -j REDIRECT --to-ports 3128
>  sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -m
> comment --comment "transparent https proxy" -j REDIRECT --to-ports 3129
>  sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m
> comment --comment " http 8080 proxy" -j REDIRECT --to-ports 8080

You already REDIRECT port 80 to port 3128. This last rule will do nothing.

> 
> *cache.log*
> My machine ip: 172.16.10.5
> Squid server ip(vmware): 172.18.10.15
> 2019/12/09 19:42:00.677 kid1| SECURITY ALERT: Host header forgery
> detected on local=172.18.10.15:3128 remote=172.16.10.5:35346 FD 21
> flags=33 (intercepted port does not match 443)


Squid is receiving a request for the URL https://172.18.10.15:3128/ or
equivalent.

It looks to me like you are making the classic mistake of sending
traffic directly to the Squid intercept port.

To test an interceptor proxy you MUST have a client making normal
requests like you would see them do in a production environment ...
directly to the HTTP(S) origin servers.
Let the intercept/NAT systems catch the traffic and deliver it to the
proxy - only then will that proxy have a chance at working as intended.



Amos
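The rule set the reply above describes, written out as an added example (this is not code from the thread, from Amos, or from the Squid project): the mangle-table PREROUTING drops for the intercept ports, one REDIRECT per destination port with the redundant second port-80 rule left out, and a small self-check on the result. Assumed values, not taken from the original post: the Squid host is the clients' default gateway, the inbound interface is eth0, and the intercept ports are 3128 and 3129 as in the posted squid.conf. The explicit-proxy port 8080 gets no NAT rule at all, since clients that use it are configured to connect to it directly.

```sh
#!/bin/sh
# Added example, not code from the thread. Generates (or, with APPLY=1 as
# root, executes) the iptables rules for a Squid interceptor running on the
# clients' gateway. Assumed values: interface eth0, intercept ports 3128
# (http_port ... intercept) and 3129 (https_port ... intercept ssl-bump).
# Default is a dry run that only prints the commands.

IFACE="${IFACE:-eth0}"
HTTP_INTERCEPT_PORT="${HTTP_INTERCEPT_PORT:-3128}"
HTTPS_INTERCEPT_PORT="${HTTPS_INTERCEPT_PORT:-3129}"

# Print an iptables command, or execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

squid_intercept_rules() {
    # 1. Drop packets whose ORIGINAL destination is an intercept port.
    #    mangle/PREROUTING is traversed before nat/PREROUTING, so a packet
    #    that nat later REDIRECTs to 3128/3129 still carries dport 80/443
    #    here and is not matched; only clients aiming straight at the
    #    intercept ports are. Loopback traffic is excluded by -i "$IFACE".
    rule -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport "$HTTP_INTERCEPT_PORT" -j DROP
    rule -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport "$HTTPS_INTERCEPT_PORT" -j DROP

    # 2. Redirect client traffic for ports 80 and 443 to the intercept ports.
    #    One rule per destination port: a second REDIRECT for --dport 80
    #    would sit behind the first and never be reached.
    rule -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -j REDIRECT --to-ports "$HTTP_INTERCEPT_PORT"
    rule -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 -j REDIRECT --to-ports "$HTTPS_INTERCEPT_PORT"
}

# Self-check on the generated set: every mangle DROP must precede the first
# nat REDIRECT, and ports 80 and 443 must each be redirected exactly once.
# Prints "ok" and returns 0 on success, returns 1 otherwise.
check_intercept_rules() {
    rules=$(squid_intercept_rules)
    first_nat=$(printf '%s\n' "$rules" | grep -n -- '-t nat ' | head -n 1 | cut -d: -f1)
    last_mangle=$(printf '%s\n' "$rules" | grep -n -- '-t mangle ' | tail -n 1 | cut -d: -f1)
    [ -n "$first_nat" ] && [ -n "$last_mangle" ] && [ "$last_mangle" -lt "$first_nat" ] || return 1
    for port in 80 443; do
        n=$(printf '%s\n' "$rules" | grep -c -- "--dport $port .*-j REDIRECT")
        [ "$n" -eq 1 ] || return 1
    done
    echo ok
}
```

To exercise it the way the reply says, test from a client whose default route goes through the Squid host and have it make an ordinary request to an origin server (for example `curl -v https://example.com/`, an assumed command), not a request aimed at 172.18.10.15:3129 or one sent through `curl -x`: only the former passes through the NAT rules, and with the mangle drops in place the latter simply times out instead of producing a Host header forgery alert.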