[squid-users] [EXTERNAL] Re: Ubuntu 18 with Squid 4.11 SSL_BUMP

Anthony Mead ANTHONY_MEAD at progressive.com
Wed Apr 29 21:11:25 UTC 2020


Hmm, if there were more logs I'd share them!  Any reason why I'd only see an access.log line?

I promise if I curl https://google.com this is the only line I see:
1588193897.852     20 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.15.78:443 - ORIGINAL_DST/172.217.15.78 -

Or curl https://youtube.com :
1588194262.880     32 10.0.1.180 TCP_TUNNEL/200 4824 CONNECT 172.217.13.78:443 - ORIGINAL_DST/172.217.13.78 -

Or curl https://github.com/:
1588194657.291     45 10.0.1.180 TCP_TUNNEL/200 107344 CONNECT 140.82.113.4:443 - ORIGINAL_DST/140.82.113.4 -

To avoid an X/Y problem the rest of my setup mimics a few blog posts - An EC2 in a private subnet that has all traffic being forwarded to the squid instance, which has iptables forwarding http/https to 3129/3130.  All approved traffic is then forwarded onto a NAT Gateway.  Maybe another piece of the "puzzle" is capturing the logs.

Also I really appreciate your help so far!


On 4/29/20, 4:35 PM, "squid-users on behalf of Amos Jeffries" <squid-users-bounces at lists.squid-cache.org on behalf of squid3 at treenet.co.nz> wrote:

    On 30/04/20 8:15 am, Anthony Mead wrote:
    > Thanks!  I've re-compiled without the unnecessary flag, and restarted the service with a new whitelist, unfortunately I'm getting such a variety of /var/log/squid/access.log messages that I'm not sure what to google anymore.
    > 
    > I want to deny all access to external sites except http/https github.com but some sites seem to connect, while others don't:
    > 

    There are a lot of details missing from your quoted log lines. Details
    such as which server was contacted are important when more than one
    TCP connection is involved.

    Since this is SSL-Bump _each_ curl request should result in _3_
    access.log lines - with varying client, server and URI values.

    You are only showing us one log line at a time. With only the client and
    URI parts.


    Below is a *guess* about what is going on, based on what the status
    says. This is only to demonstrate that for each line you show there is
    at least one situation where your squid.conf file tells Squid to do an
    action which would result in that line. Whether these guesses are right
    requires all the information you are omitting.



    > ~$ # this is correct
    > ~$ curl http://github.com/
    > 10.0.1.180 TCP_MISS/301 200 GET http://github.com/
    > 

     acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
     http_access allow allowed_http_sites


    > ~$ # this is correct
    > ~$ curl https://github.com/ 
    > 10.0.1.180 TCP_TUNNEL/200 107323 CONNECT 140.82.114.4:443
    > 

      acl SSL_port port 443
      http_access allow SSL_port

      ssl_bump peek all


    > ~$ # this should deny
    > ~$ curl https://youtube.com/
    > 10.0.1.180 TCP_TUNNEL/200 4844 CONNECT 172.217.15.110:443
    > 

      acl SSL_port port 443
      http_access allow SSL_port

      ssl_bump peek all


    > ~$ # this should deny
    > ~$ curl https://google.com/
    > 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.2.110:443
    > 

      acl SSL_port port 443
      http_access allow SSL_port

      ssl_bump peek all


    > ~$ # this is denying - but not from squid, but openssl?
    > ~$ curl https://news.ycombinator.com/
    > curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443
    > 10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443
    > 

      acl SSL_port port 443
      http_access allow SSL_port

      ssl_bump terminate all



    Amos
    _______________________________________________
    squid-users mailing list
    squid-users at lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users
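As an added example, not the configuration of either poster: a squid.conf policy fragment that matches intercepted HTTPS against the whitelist by TLS server name instead of allowing every CONNECT to port 443. It assumes the whitelist file and the 3129/3130 intercept ports named in the thread; the certificate path is a placeholder.

```conf
# Added example, not the poster's squid.conf. Assumes /etc/squid/whitelist.txt
# and the intercept ports 3129/3130 from the thread; the tls-cert path is a placeholder.
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
# Same list, matched against the server name SSL-Bump learns from the ClientHello SNI
# (or the server certificate) after the peek step.
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
acl SSL_port port 443
acl step1 at_step SslBump1

http_port 3129 intercept
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/ssl/squid.pem

# Plain HTTP: only whitelisted domains.
http_access allow allowed_http_sites
# Intercepted HTTPS arrives as a fake CONNECT to the destination IP. Admit it so
# SSL-Bump can read the SNI; the ssl_bump rules below make the allow/deny decision.
# On its own, "http_access allow SSL_port" lets every port-443 tunnel through.
http_access allow CONNECT SSL_port
http_access deny all

# Step 1: peek at the ClientHello to learn the server name without contacting the server.
ssl_bump peek step1
# Step 2: splice (pass through untouched) only whitelisted server names ...
ssl_bump splice allowed_https_sites
# ... and terminate everything else, so the client sees a TLS failure rather than a tunnel.
ssl_bump terminate all
```

With this ordering a non-whitelisted HTTPS destination should no longer show up as TCP_TUNNEL/200 in access.log, and the peek step gives the log a server-name field to check against the whitelist.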


