[squid-users] Strange Squid SSL Interception Behavior

Mathew Brown mbrown8918 at outlook.com
Mon Aug 24 22:21:31 UTC 2020


Hi,

I'm currently trying to configure transparent SSL proxying and running into a strange error that has had me scratching my head for hours. I'm using Squid 4.11 (I also tried this with 4.12) with SSL support from here - http://squid411.diladele.com/ubuntu/ on Ubuntu 18.04.

I set up the necessary iptables forwarding ports and SSL certificates and it sometimes works (as you will see below).

My current configuration adds just the following to the default squid.conf file:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
debug_options ALL,1, 33,2 2 28,9

http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl whitelist ssl::server_name .httpbin.org
acl whitelist_http ssl::server_name .httpbin.org

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump splice all

http_access allow whitelist
http_access allow whitelist_http

# And finally deny all other access to this proxy
http_access deny all

So the above configuration should allow anyone with access to the Squid proxy to reach httpbin.org over both HTTP and HTTPS.

When I try to access:

http://httpbin.org (not SSL)

it works.

When I try to access:

https://httpbin.org

it fails as shown below (I'm running this on the Squid proxy machine itself):

$ wget https://httpbin.org
--2020-08-24 17:48:34--  https://httpbin.org/
Resolving httpbin.org (httpbin.org)... 54.236.246.173, 3.220.112.94
Connecting to httpbin.org (httpbin.org)|54.236.246.173|:443... connected.
ERROR: cannot verify httpbin.org's certificate, issued by ‘O=Internet Widgits Pty Ltd,ST=Some-State,C=AU’:
  Self-signed certificate encountered.
To connect to httpbin.org insecurely, use `--no-check-certificate'.

$ wget https://httpbin.org --no-check-certificate
--2020-08-24 17:48:40--  https://httpbin.org/
Resolving httpbin.org (httpbin.org)... 3.220.112.94, 54.236.246.173
Connecting to httpbin.org (httpbin.org)|3.220.112.94|:443... connected.
WARNING: cannot verify httpbin.org's certificate, issued by ‘O=Internet Widgits Pty Ltd,ST=Some-State,C=AU’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 403 Forbidden
2020-08-24 17:48:40 ERROR 403: Forbidden.

Looking at access.log shows:

1598305800.974      2 192.168.123.214 TCP_DENIED/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -

for the first request (without --no-check-certificate) and the following for the second request (with --no-check-certificate):

1598305812.292      3 192.168.123.214 TCP_DENIED/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -
1598305812.300      2 192.168.123.214 NONE/403 3795 GET https://httpbin.org/ - HIER_NONE/- text/html

Looking at cache.log shows:

# cat /var/log/squid/cache.log  | grep -i "28" | grep -i httpbin
2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org

So it never matches on httpbin.org.

Now, if I add the following line to my configuration:

http_access allow localnet

right before the:

http_access deny all

line, it works and I see the following in access.log:

1598305979.004      4 192.168.123.214 NONE/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -
1598305980.016   1012 192.168.123.214 TCP_TUNNEL/200 15370 CONNECT httpbin.org:443 - ORIGINAL_DST/54.236.246.173 -

and I see the following in cache.log:

# cat /var/log/squid/cache.log  | grep -i "28" | grep -i httpbin
2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
2020/08/24 17:52:59.005 kid1| 28,3| RegexData.cc(43) match: checking 'httpbin.org:443'
2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(42) match: checking 'httpbin.org'
2020/08/24 17:52:59.005 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:httpbin.org <>  .httpbin.org
2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(47) match: 'httpbin.org' found

What's puzzling is why adding the 'allow localnet' line changes the ACL logic for .httpbin.org and why the original configuration does not work. Any ideas? Thanks.

PS. I reproduced the exact same scenario on Ubuntu 20.04 with Squid 4.12.
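Added example, not part of the post above and not Squid's own code: a small Python model of the two http_access checks an intercepted HTTPS connection goes through, built to reproduce what the logs in the post show. In both cache.log excerpts the whitelist ACL is first compared against the raw destination address (Match:54.236.246.173 <> .httpbin.org); only in the working case does a later check against 'httpbin.org' appear, after the ClientHello has been peeked. The model assumes the squid.conf default acl localnet src 192.168.0.0/16, the client 192.168.123.214 and the destination 54.236.246.173 from the post, treats the fake CONNECT at step 1 as having only the destination IP, and uses the documented dotted-domain match rule; the evaluation order is a simplification, and the whitelist_http ACL is omitted since it is identical to whitelist.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Values taken from the post; the localnet range is squid.conf's default.
CLIENT_IP = "192.168.123.214"
DST_IP = "54.236.246.173"
LOCALNET = "192.168.0.0/16"


def is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_matches(candidate: str, pattern: str) -> bool:
    """Dotted-domain matching as documented for dstdomain / ssl::server_name:
    '.httpbin.org' matches 'httpbin.org' and every subdomain; a pattern with
    no leading dot must match exactly.  An IP literal never matches a domain
    pattern, which is what 'Match:54.236.246.173 <> .httpbin.org' in the
    cache.log above is reporting."""
    c = candidate.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    if is_ip_literal(c):
        return False
    if p.startswith("."):
        return c == p[1:] or c.endswith(p)
    return c == p


def src_matches(client_ip: str, network: str) -> bool:
    """'acl ... src' semantics: client address inside the CIDR range."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network)


@dataclass
class InterceptedConn:
    """What the proxy knows about an intercepted TLS client at a given step."""
    client_ip: str
    dst_ip: str                 # from the intercepted TCP connection (ORIGINAL_DST)
    sni: Optional[str] = None   # filled in only after peeking at the ClientHello


def server_name_candidate(conn: InterceptedConn) -> str:
    """ssl::server_name has the TLS SNI once the ClientHello has been peeked;
    for the fake CONNECT synthesised at step 1 only the destination IP exists."""
    return conn.sni if conn.sni else conn.dst_ip


# ACL names from the post mapped to a predicate over the connection state.
ACLS: dict[str, Callable[[InterceptedConn], bool]] = {
    "whitelist": lambda c: domain_matches(server_name_candidate(c), ".httpbin.org"),
    "localnet": lambda c: src_matches(c.client_ip, LOCALNET),
    "all": lambda c: True,
}


def http_access(conn: InterceptedConn, rules: list[tuple[str, str]]) -> str:
    """First matching http_access rule wins; if none matches, Squid applies the
    opposite of the last rule's action."""
    for action, acl in rules:
        if ACLS[acl](conn):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


def simulate(rules: list[tuple[str, str]], sni: str = "httpbin.org") -> dict:
    """Step 1: http_access runs against the fake CONNECT (no SNI yet).  Only if
    that is allowed does the peek happen, after which http_access is checked
    again with the real server name (the second CONNECT line in access.log)."""
    conn = InterceptedConn(CLIENT_IP, DST_IP)
    fake_connect = http_access(conn, rules)
    if fake_connect == "deny":
        return {"fake_connect": "deny", "after_peek": None}
    conn.sni = sni
    return {"fake_connect": "allow", "after_peek": http_access(conn, rules)}


ORIGINAL_RULES = [("allow", "whitelist"), ("deny", "all")]
WITH_LOCALNET = [("allow", "whitelist"), ("allow", "localnet"), ("deny", "all")]

if __name__ == "__main__":
    print("original config :", simulate(ORIGINAL_RULES))
    print("allow localnet  :", simulate(WITH_LOCALNET))
    print("localnet, other :", simulate(WITH_LOCALNET, sni="example.net"))
```

The first call reproduces the TCP_DENIED CONNECT against the bare IP, the second the NONE/200 followed by a TCP_TUNNEL for httpbin.org. The third call is the caveat a reviewer of this configuration would raise: with allow localnet in place, the whitelist is no longer what admits the connection, since localnet matches before deny all at both steps for any destination a local client asks for.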

