[squid-users] Issues with TLS inspection-2

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 23 11:04:50 UTC 2020


On 23/01/20 3:11 pm, aashutosh kalyankar wrote:
>     From: Amos Jeffrie>
>     Secondly, make sure that your tests are accurately emulating how clients
>     would "use" the proxy. That means making connections from a test machine
>     directly to the Internet and seeing if the routing and NAT delivers the
>     traffic to Squid properly.
> 
> 
> I am using a chromebook to test. In the configuration section of the
> wireless network there is an option to add proxy hostname and proxy port
> based on protocols.  
> Http proxy     :  proxy-tls 80
> HTTPS proxy:  proxy-tls 443
> 

That is part of your problem. Those are settings for explicit proxy.

With intercept the clients know nothing about any proxy. They are just
connecting to a web server directly (but *NAT* sends it to Squid instead).


> 
>      - Use cache.log to view the traffic coming into the proxy. It will be
>     request messages with a prefix line indicating "Client HTTP request".
>     Make sure that prefix line says the remote Internet IP address and port
>     80/443 you were testing with.
>      - If you want to confirm that access.log has a transaction entry for the
>     URL you tested with ORIGINAL_DST and the server IP.
> 
> Sample cache.log for a test I did for neverssl.com
> 
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2346)
> parseHttpRequest: HTTP Client local=172.22.22.148:80
> remote=172.22.22.151:34728 FD 12 flags=33
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2347)
> parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET http://neverssl.com/ HTTP/1.1
> Host: neverssl.com
> Proxy-Connection: keep-alive


...
> 
>     > http_access deny !Safe_ports
>     > http_access deny CONNECT !SSL_ports
> 
>      ... this is where all your custom http_access rules are supposed to be.
>     The Safe_ports and SSL_Ports lines above are DoS and hijack protections.
> 
>  
> IIUC, these are not required to be here so I commented out those lines.
> 

Sorry if I was not clear. They should be the first http_access lines in
your config. Local policy rules follow them. Then the final "deny all"
rule to block anything not allowed by your policy.
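As an added illustration, not from this thread and not Amos's or the original poster's configuration, here is a squid.conf fragment that puts both points together: an intercept listener that clients are never told about (the gateway's NAT delivers port 80/443 traffic to it), and the http_access ordering just described. The port numbers, the CA certificate path and the `localnet` subnet are assumptions.

```squid
# Added example squid.conf fragment (not from the thread). Port numbers,
# the cert path and the "localnet" subnet are assumptions.

# Intercept mode: the client has NO proxy configured. The gateway's NAT
# must REDIRECT tcp/80 -> 3129 and tcp/443 -> 3130 so the traffic reaches
# these listeners. Never point a client's proxy settings at them.
http_port  3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ca.pem
# (ssl_bump peek/splice/bump rules define the TLS inspection policy and
#  are site-specific; they are not shown here.)

# An explicit proxy, if wanted as well, is a separate listener whose
# address and port ARE entered in the client's proxy settings.
http_port 3128

# Squid's stock safety ACLs
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl localnet src 172.22.22.0/24  # assumption: the LAN behind the proxy

# 1. DoS and hijack protections come FIRST ...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. ... then the local policy rules ...
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

# 3. ... and finally the catch-all deny for anything not allowed above.
http_access deny all
```

Because http_access is evaluated top to bottom with first match winning, moving the two `deny` lines below `allow localnet` (or commenting them out, as the original poster did) lets LAN clients reach arbitrary ports through the proxy; the order shown keeps those protections in front of every allow.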



Amos

