[squid-users] network problems with squid ssl-bump

Ashley ashleyshih at softnext.com.tw
Thu Jul 18 07:52:41 UTC 2019 

Hi all,

I have a couple of questions about squid 3.5. My company has set up a squid
proxy with sslbump functionality. There are more than 300 people in my
company and we are all intensive users of internet.

After we implemented our squid web proxy (with multiple instances) , we had
problems with our network. The internet becomes very slow and some of the
web pages are time out. We checked the cache.log and some error logs are
shown as follows.

2019/07/18 14:27:48 kid4| ERROR: Disconnecting from a helper that overflowed
32768-byte Squid input buffer: ssl_crtd #Hlpr33
019/07/18 14:59:34 kid6| Error negotiating SSL on FD 146: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2019/07/18 14:59:36 kid3| Error negotiating SSL on FD 153:
error:00000000:lib(0):func(0):reason(0) (5/0/0)
2019/07/18 14:59:41 kid5| fqdncacheParse: No PTR record for '50.57.251.150'
2019/07/18 14:59:41 kid5| fqdncacheParse: No PTR record for '50.57.251.150'
2019/07/18 14:59:41 kid1| Failed to connect to nameserver 10.0.0.254 using
TCP.
2019/07/18 14:59:41 kid5| Error negotiating SSL on FD 82: error:14077438:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error (1/-1/0)
2019/07/18 14:59:43 kid5| Error negotiating SSL on FD 94: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)
2019/07/18 14:59:43 kid6| fqdncacheParse: No PTR record for
'207.246.147.249'
2019/07/18 14:59:43 kid6| fqdncacheParse: No PTR record for
'207.246.147.249'
2019/07/18 14:59:49 kid2| Error negotiating SSL on FD 64:
error:00000000:lib(0):func(0):reason(0) (5/-1/54)


Our squid.conf is as follows.

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

cache_effective_user www

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

/usr/local/eaclhelper/CSQR_MyPortFWHelper.php
external_acl_type myPortFWFilter children-max=6 ttl=1 %SRC
/usr/local/eaclhelper/CSQR_MyPortFWHelper
acl myPortFW external myPortFWFilter
deny_info info_myPortFW myPortFW
http_access deny myPortFW

external_acl_type myAclFilter children-idle=3 children-startup=6
children-max=64 %SRC %SRCPORT %DST %PORT %URI
/usr/local/eaclhelper/CSQR_MyAclHelper
acl myAcl external myAclFilter
deny_info info_myAcl myAcl
http_access deny myAcl

http_access allow localnet
http_access allow localhost

http_access deny all

workers 6
sslproxy_session_cache_size 0

if ${process_number} = 7

http_port 127.0.0.1:3127 

else

http_port 127.0.0.${process_number}:3128
https_port 127.0.0.${process_number}:3129 intercept ssl-bump
cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB

if ${process_number} = 2


endif # endif for proc 2

if ${process_number} = 3

# For Debug, change /var/log/squid to your own log directory
# access_log /var/squid/logs/backend${process_number}.access.log
# cache_log /var/squid/logs/backend${process_number}.cache.log

endif # endif for proc 3


if ${process_number} = 4

# For Debug, change /var/log/squid to your own log directory
# access_log /var/squid/logs/backend${process_number}.access.log
# cache_log /var/squid/logs/backend${process_number}.cache.log

endif # endif for proc 4

endif # endif for squid coordinator

# ssl_bump ACL
acl broken_dstdom dstdomain
"/home/www/htdocs/snims/lurk/sslTP_default_conf/no_sslbump_dstdom.default"
acl broken_dst dst
"/home/www/htdocs/snims/lurk/sslTP_default_conf/no_sslbump_dst.default"
acl bump_dstdom dstdomain
"/home/www/htdocs/snims/lurk/sslTP_default_conf/sslbump_dstdom.default"
acl bump_dst dst
"/home/www/htdocs/snims/lurk/sslTP_default_conf/sslbump_dst.default"

always_direct allow all

# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M
4MB
sslcrtd_children 32 startup=5 idle=3

# ecap_adapter
ecap_enable off
adaptation_send_client_ip on
loadable_modules /usr/local/ecap_adapter/lib/ecap_adapter_passthru.so
ecap_service eReqmod reqmod_precache 0
ecap://e-cap.org/ecap/services/sample/passthru 
ecap_service eRespmod respmod_precache 0
ecap://e-cap.org/ecap/services/sample/passthru 

adaptation_service_set reqFilter eReqmod
adaptation_service_set respFilter eRespmod
adaptation_access respFilter allow all
adaptation_access reqFilter allow all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

## for squid.sh rotate , 雿?re-open
logfile_rotate 0

## sslBump ssl server name ACL
acl monitorSites ssl::server_name
"/home/www/htdocs/snims/lurk/sslTP_default_conf/monitor_sslserver.default"
acl monitorSites_define ssl::server_name
"/home/www/htdocs/snims/lurk/sslTP_default_conf/monitor_sslserver.define"
acl monitorSites_security ssl::server_name
"/home/www/htdocs/snims/lurk/sslTP_default_conf/monitor_sslserver.security"
acl monitorSites_security_IP dst
"/home/www/htdocs/snims/lurk/sslTP_default_conf/monitor_dst.security"
acl brokenSites ssl::server_name
"/home/www/htdocs/snims/lurk/sslTP_default_conf/no_sslbump_sslserver.default"
acl brokenSites_define ssl::server_name
"/home/www/htdocs/snims/lurk/sslTP_default_conf/no_sslbump_sslserver.define"

## sslBump acl setting for squid 3.5 
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all

ssl_bump splice broken_dstdom
ssl_bump splice broken_dst
ssl_bump splice brokenSites_define

# ssl_bump bump !brokenSites !brokenSites_define
ssl_bump bump monitorSites !brokenSites !brokenSites_define
ssl_bump bump monitorSites_define !brokenSites !brokenSites_define
ssl_bump bump monitorSites_security !brokenSites !brokenSites_define
ssl_bump bump monitorSites_security_IP !brokenSites !brokenSites_define

ssl_bump splice all

## sslproxy cert setting for squid 3.5
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cert_adapt setValidAfter all

Can anyone advise what’s wrong with our settings? Or is there any limitation
for sslbump in terms of concurrent connections? Any suggestions and advice
will be highly appreciated.

Ashley






--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list