[squid-users] squid ssl-bump with icap returns 503

Niels Hofmans hello at ironpeak.be
Thu Mar 4 12:13:07 UTC 2021


Hi,

Interestingly this seems to work on a http_proxy listener:

http_port 0.0.0.0:3129 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key
    #tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

always_direct allow all
ssl_bump bump all

But with https_port, I require tproxy/intercept, and if I configure that, it returns:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump intercept \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
1614859887.972      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -


And:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump tproxy \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

FATAL: https_port: TPROXY support in the system does not work.


Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

On 4 Mar 2021, at 12:21, Niels Hofmans <hello at ironpeak.be> wrote:

Hi,

I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?

So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:

OPTIONS icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Allow: 206

ICAP/1.0 200 OK
Allow: 200,204
Connection: close
Date: Thu, 04 Mar 2021 11:11:45 GMT
Encapsulated: null-body=0
Methods: REQMOD,REQRESP
Preview: 0
Transfer-Preview: *

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 200 OK
Connection: close
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=111

CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1  <<<< here is my bug
Host: ironpeak.be:443
User-Agent: curl/7.64.1

But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 204 No Modifications
Connection: close
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: null-body=0

..TLS ciphertext..    <<<< no more ICAP requests


Any idea on how I pass -every- sslbumped request to ICAP?
Thank you.

Regards,
Niels Hofmans
SITE   https://ironpeak.be
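The REQMOD exchange quoted above, as an added example that is not part of this thread or of Squid: a minimal handler that parses the ICAP Encapsulated header, recognises a bumped CONNECT (authority-form target, so there is no path to rewrite) and answers it with 204 when Squid offered Allow: 204, otherwise echoes it back unchanged, instead of rewriting the request-line as the buggy implementation did. The make_reqmod fixture, the X-Scanned-By marker header and the GET handling are assumptions for illustration.

```python
import re

# Constructed sample, shaped like the REQMOD exchange quoted above: the
# bumped CONNECT that Squid hands to the ICAP service (84 header bytes).
CONNECT_REQ = (b"CONNECT ironpeak.be:443 HTTP/1.1\r\n"
               b"User-Agent: curl/7.64.1\r\n"
               b"Host: ironpeak.be:443\r\n\r\n")

def make_reqmod(http_hdr: bytes, allow_204: bool = True) -> bytes:
    """Wrap an HTTP request header in an ICAP REQMOD request (test fixture)."""
    allow = b"Allow: 204\r\n" if allow_204 else b""
    return (b"REQMOD icap://10.10.0.119:1344/ ICAP/1.0\r\n"
            b"Host: 10.10.0.119:1344\r\n"
            b"Encapsulated: req-hdr=0, null-body=%d\r\n" % len(http_hdr)
            + b"Preview: 0\r\n" + allow + b"\r\n" + http_hdr)

def split_icap(msg: bytes):
    """Return (lower-cased ICAP header dict, encapsulated HTTP request header)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    # Encapsulated gives byte offsets into the body, e.g. "req-hdr=0, null-body=84".
    enc = dict(re.findall(r"([a-z-]+)=(\d+)", headers.get("encapsulated", "")))
    start = int(enc.get("req-hdr", 0))
    end = int(enc.get("null-body") or enc.get("req-body") or len(body))
    return headers, body[start:end]

def reqmod_response(msg: bytes) -> bytes:
    """Answer one REQMOD: leave CONNECT untouched, tag other requests."""
    headers, req_hdr = split_icap(msg)
    method = req_hdr.split(b"\r\n", 1)[0].split(b" ", 2)[0]
    if method == b"CONNECT":
        # Authority-form target (host:port): there is no path to rewrite.
        # 204 is only legal when the client offered it via Allow: 204.
        if "204" in headers.get("allow", ""):
            return b"ICAP/1.0 204 No Modifications\r\nEncapsulated: null-body=0\r\n\r\n"
        new_hdr = req_hdr  # echo the request back unchanged
    else:
        # Ordinary request: example modification, add a marker header (assumed).
        new_hdr = req_hdr.rstrip(b"\r\n") + b"\r\nX-Scanned-By: example\r\n\r\n"
    return (b"ICAP/1.0 200 OK\r\n"
            b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(new_hdr)) + new_hdr
```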

On 4 Mar 2021, at 12:01, NgTech LTD <ngtech1ltd at gmail.com> wrote:

Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?

Eliezer

On Thu, 4 Mar 2021, 12:36, Niels Hofmans <hello at ironpeak.be> wrote:
Hi guys,

I’m asking here, but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

I have an odd issue: squid returns an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. An HTTP website works fine.
Any ideas?

Config:

visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all

Log line HTTPS when it doesn’t work:
1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0


Log line HTTP when it does work:
  -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain

Example CLI command used:
ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/

Command used to start squid:
exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1
Package info:
Package: squid-openssl
Version: 4.13-5

Many thanks!
Regards,
Niels Hofmans

SITE   https://ironpeak.be
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

