[squid-users] squid ssl-bump with icap returns 503

Niels Hofmans hello at ironpeak.be
Thu Mar 4 12:39:26 UTC 2021


Hi Amos,

Thank you for getting back to me.
So if ssl-bump is required on the http(s)_port directive, I end up at:

http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 ssl-bump intercept \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

always_direct allow all
ssl_bump bump all

This, however, ends up with the following logs:

2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33
2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33
1614861463.880      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -

Command to reproduce:

 % ALL_PROXY="http://127.0.0.1:3129" curl -k -vvv --proxy-insecure -X POST --data 'foo' https://ironpeak.be/


Regards,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795
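Added example, not part of this thread and not Squid's own code: a small Python script that parses the cache.log and access.log lines quoted above and correlates them. The ORIGINAL_DST lookup is how an intercept-mode port asks the kernel for a connection's pre-NAT destination; an ENOENT ("No such file or directory") answer means the kernel has no NAT entry for that connection, which is what happens when a client talks to the intercept port directly (as the ALL_PROXY curl command does) instead of being redirected to it by the firewall. The script matches the NAT lookup failure to the `error:accept-client-connection` access.log entry by client address and second, and separately labels the `CONNECT ... 503` line from the earlier message. It assumes cache.log timestamps are in UTC (true here, since epoch 1614861463 is 12:37:43 UTC) and the default native access.log format; the labels it assigns are its own.

```python
"""Correlate Squid cache.log NAT-lookup errors with access.log accept failures.

The log lines below are copied from the thread. The only assumption about
the Squid host is that cache.log timestamps are in UTC.
"""
import re
from datetime import datetime, timezone

# cache.log lines written by the "https_port ... ssl-bump intercept" attempt.
CACHE_LOG = """\
2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33
"""

# access.log lines: the first from the same intercept attempt, the second
# from the original (non-intercept) https_port configuration.
ACCESS_LOG = """\
1614861463.880      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -
1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443  - HIER_NONE/- -
"""

NAT_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| ERROR: "
    r"(?P<msg>NF getsockopt\(ORIGINAL_DST\) failed"
    r"|NAT/TPROXY lookup failed to locate original IPs)"
    r" on local=(?P<local>\S+) remote=(?P<remote>[\d.]+):\d+"
)


def parse_nat_errors(cache_log):
    """Return [(epoch_second, local, client_ip, message)] for NAT lookup errors.

    cache.log stamps are local time on the Squid host; assumed UTC here.
    """
    found = []
    for line in cache_log.splitlines():
        m = NAT_ERROR_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        found.append((int(when.timestamp()), m["local"], m["remote"], m["msg"]))
    return found


def parse_access_line(line):
    """Parse one line of Squid's default 'squid' access.log format:
    ts.ms elapsed client code/status bytes method url user hier/peer type
    """
    fields = line.split()
    code, status = fields[3].split("/")
    return {
        "epoch": int(float(fields[0])),
        "client": fields[2],
        "code": code,
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
    }


def classify(access_line, nat_errors):
    """Label an access.log line using the NAT errors seen in cache.log."""
    rec = parse_access_line(access_line)
    if rec["url"] == "error:accept-client-connection" and rec["status"] == 0:
        # Squid dropped the connection before reading a request. If the same
        # client hit a NAT/ORIGINAL_DST lookup failure in the same second, the
        # intercept port received a connection that was never NAT-redirected.
        same = [e for e in nat_errors
                if e[0] == rec["epoch"] and e[2] == rec["client"]]
        return "intercept-port-not-nat-redirected" if same else "accept-failed-unknown"
    if rec["method"] == "CONNECT" and rec["status"] == 503:
        # Explicit-proxy HTTPS tunnel refused; in the thread the response
        # carried X-Squid-Error: ERR_DNS_FAIL for this case.
        return "connect-tunnel-503"
    return "other"


def report(access_log=ACCESS_LOG, cache_log=CACHE_LOG):
    """Return [(url, label)] for every access.log line."""
    nat_errors = parse_nat_errors(cache_log)
    return [(parse_access_line(line)["url"], classify(line, nat_errors))
            for line in access_log.splitlines()]


if __name__ == "__main__":
    for url, label in report():
        print(f"{label:36s} {url}")
```

Run against the thread's lines, the intercept attempt is labelled as a non-redirected connection while the earlier CONNECT failure is kept separate, which makes it quick to tell "wrong port mode" from "tunnel refused" when both show up in the same access.log.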

On 4 Mar 2021, at 13:25, Amos Jeffries <squid3 at treenet.co.nz> wrote:

On 4/03/21 11:36 pm, Niels Hofmans wrote:
> Hi guys,
> I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately
> I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. HTTP website works fine.
> Any ideas?
> Config:
> visible_hostname proxy
> forwarded_for delete
> via off
> httpd_suppress_version_string on
> logfile_rotate 0
> cache_log stdio:/dev/stdout
> access_log stdio:/dev/stdout
> cache_store_log stdio:/dev/stdout
> dns_v4_first on
> cache_dir ufs /cache 100 16 256
> pid_filename /cache/squid.pid
> mime_table /usr/share/squid/mime.conf
> http_port 0.0.0.0:3128
> https_port 0.0.0.0:3129 \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
>     tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key


Neither of these Squid listening ports do SSL-Bump (aka. interception of TLS) in any way.

The first receives normal HTTP forward/explicit proxy traffic over TCP.

The second receives normal HTTP forward/explicit proxy traffic over TLS (aka "TLS explicit proxy"). Not to be confused with HTTPS (https:// URLs).



> ssl_bump peek all
> ssl_bump bump all
> quick_abort_min 0
> quick_abort_max 0
> quick_abort_pct 95
> pinger_enable off
> icap_enable on
> icap_service_failure_limit -1
> icap_service service_req reqmod_precache bypass=0   icap://10.10.0.119:1344/
> icap_preview_enable on
> adaptation_access service_req allow all
> cache_mem 512 mb
> dns_nameservers 1.1.1.1 1.0.0.1
> cache_effective_user proxy
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> sslproxy_cert_error allow all
> http_access allow all
> Log line HTTPS when it doesn’t work:
> 1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443  - HIER_NONE/- -

This is a https:// request which the client is tunneling (CONNECT) through a forward/explicit proxy.


> < HTTP/1.1 503 Service Unavailable
> < Server: squid
> < Mime-Version: 1.0
> < Date: Thu, 04 Mar 2021 10:36:05 GMT
> < Content-Type: text/html;charset=utf-8
> < Content-Length: 1849
> < X-Squid-Error: ERR_DNS_FAIL 0
> Log line HTTP when it does work:
>   -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/ 


As you can see this is *not* an HTTPS (https://) request. It is a normal HTTP (http://) request sent to a proxy over TLS - which is what your port 3129 is expecting.


Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
