[squid-users] squid 5.0.4 cache_peer bug on https outgoing

openwrt openwrt.jp at gmail.com
Mon Sep 28 09:39:51 UTC 2020


I located the bug and found another way to deal with it.

The bug is that cache_peer https CONNECT drops the port number

If you do the compatibility treatment on the backend proxy software,
you can solve this problem.

However, it would be best if it was resolved on squid.

### 0x01 Wireshark packet

1) squid cache_peer https CONNECT packet.

CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)

0040   d1 d8 43 4f 4e 4e 45 43 54 20 64 2e 71 71 71 2e   ..CONNECT d.qqq.

0050   77 69 6e 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73   win HTTP/1.1

2) glider verbose log

2020/09/28 17:19:58 forward.go:118: [forwarder] DIRECT recorded 1 failures,
maxfailures: 0

2020/09/28 17:19:58 server.go:98: [http] *.*.*.*:53848 <-> d.qqq.win [c]
via DIRECT, error in dial: dial tcp: address d.qqq.win: missing port in
address

### 0x02 solution

Locate the cache_peer code in squid and add the missing port to the
CONNECT function.

Or, you can do the compatibility treatment on the backend proxy software
(bad idea).



openwrt <openwrt.jp at gmail.com> wrote on Mon, Sep 28, 2020 at 1:41 PM:

> Yes, I've tried all of these combinations.
>
> ### 0x00 cache_peer no ssl
>
> > ssl_bump allow all
> > cache_peer 127.0.0.1 parent 3129 0 【no ssl】
>
> curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【it is ok】
>
> curl https://google.com -x https://admin:squid@localhost:3128 -v  -k
>  【Get 502】
> curl https://google.com -x http://admin:squid@localhost:3128 -v  -k
>  【Get 502】
>
> < HTTP/1.1 502 Bad Gateway
> < X-Cache: MISS from example.com
> < Transfer-Encoding: chunked
> < Connection: keep-alive
>
> log json:
>
> { "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
> "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443",
> "httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-",
> "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status":
> "HIER_NONE" }
>
> { "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
> "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/
> ", "httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer":
> "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE",
> "hierarchy_status": "HIER_NONE" }
>
> ### 0x01 cache_peer with ssl
>
> > ssl_bump allow all
> > cache_peer 127.0.0.1 parent 3129 0  ssl
>
> curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【Get 502】
> curl https://google.com -x https://admin:squid@localhost:3128 -v  -k
>  【Get 502】
>
> < HTTP/1.1 503 Service Unavailable
>
> < Server: squid/5.0.4
>
> < Mime-Version: 1.0
>
> < Date: Mon, 28 Sep 2020 04:21:00 GMT
>
> < Content-Type: text/html;charset=utf-8
>
> < Content-Length: 1649
>
> < X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
>
>
> <p>The system returned:</p>
>
> <blockquote id="data">
>
> <pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>
>
> <p>Handshake with SSL server failed: [No Error]</p>
>
> </blockquote>
>
>
>
> ### 0x02 how to send outgoing https requests via cache_peer (on squid
> 5.0.4 / chained proxy)
>
> Similar features to Charles or Fiddler (open an http(s) proxy on 8080,
> then capture the request, and send it out through another http(s)/socks4/5 proxy).
>
> 1. Fiddler gateway:
> https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway
>
> curl https://google.com -x http://squid:3128 --> outgoing(cache_peer:
> like Fiddler gateway) --> google.com:443
>
> The cache_peer should ignore ssl VERIFY !!! like other software.
>
> On squid 5.0.4, http is ok, https will get ERR_SECURE_CONNECT_FAIL error.
>
>
>
> Alex Rousskov <rousskov at measurement-factory.com> wrote on Mon, Sep 28, 2020 at 6:48 AM:
>
>> On 9/27/20 12:07 PM, sec wrote:
>>
>> > http_port 3128 ssl-bump ...
>>
>> > curl http://google.com -x https://admin:squid@localhost:3128 -v  -k
>>
>> The above two lines do not match AFAICT: You tell curl to use an HTTPS
>> proxy, but you tell Squid to expect plain HTTP proxy requests.
>>
>> Also, please note that if you fix the above problem by moving "https"
>> from "-x" to the origin server URL, then you will probably face another
>> problem:
>>
>> curl https://google.com -x http://admin:squid@localhost:3128 -v  -k
>>
>> > ssl_bump allow all
>>
>> > cache_peer 127.0.0.1 parent 3129 0 ssl
>>
>> Squid does not (yet) support "TLS inside TLS": Talking TLS with the
>> origin server through a cache_peer that also expects a TLS connection.
>>
>>
>> HTH,
>>
>> Alex.
>>
>
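As an added illustration of the bug described at the top of this message (not code from Squid, glider, or any poster), the Go snippet below parses the captured CONNECT request line strictly, reproducing the "missing port in address" error glider logged, and then shows the "compatibility treatment" a backend proxy could apply: assume port 443 only when the port is absent. The request line constant is constructed from the packet capture above; the function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample: the request line Squid 5.0.4 sent to the cache_peer,
// as seen in the Wireshark capture above (no port after the host).
const capturedRequestLine = "CONNECT d.qqq.win HTTP/1.1"

// parseConnectTarget extracts host and port from a CONNECT request line.
// The authority form (host:port) is required, so a target without a port
// is rejected with the same net.AddrError glider's dial reported.
func parseConnectTarget(requestLine string) (host string, port int, err error) {
	fields := strings.Fields(requestLine)
	if len(fields) != 3 || fields[0] != "CONNECT" {
		return "", 0, errors.New("not a CONNECT request line")
	}
	h, p, err := net.SplitHostPort(fields[1])
	if err != nil {
		return "", 0, err // e.g. "address d.qqq.win: missing port in address"
	}
	port, err = strconv.Atoi(p)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port %q", p)
	}
	return h, port, nil
}

// lenientConnectTarget is the workaround for the backend proxy: if the
// upstream sent CONNECT without a port, assume 443, but only for that exact
// error; any other malformed target is still rejected.
func lenientConnectTarget(requestLine string) (string, int, bool, error) {
	host, port, err := parseConnectTarget(requestLine)
	if err == nil {
		return host, port, false, nil
	}
	var ae *net.AddrError
	if errors.As(err, &ae) && strings.Contains(ae.Err, "missing port") {
		fields := strings.Fields(requestLine)
		return strings.Trim(fields[1], "[]"), 443, true, nil
	}
	return "", 0, false, err
}
```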