[squid-users] squid ssl-bump with icap returns 503

Niels Hofmans hello at ironpeak.be
Sat Mar 6 10:10:13 UTC 2021

Hi Amos,

Just to get back to this, the conclusion is that https_port does not support ssl-bump of requests passing through CONNECT.
I’ll terminate the TLS connection in front of squid through a load balancer and use http_port, which works fine.
Thank you!

Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

On 4 Mar 2021, at 14:21, Amos Jeffries <squid3 at treenet.co.nz> wrote:

On 5/03/21 1:39 am, Niels Hofmans wrote:
> Hi Amos,
> Thank you for getting back to me.
> So if ssl-bump is required on the http(s)_port directive, I end up at:

https_port simply means TLS is the transport protocol. The transport is terminated at the proxy. There are many permutations of what is being done inside that TLS.

So no, http_port does not require "ssl-bump".

Squid does not support TLS-inside-TLS encryption layering. Which is why "ssl-bump" only works for "intercept" or "tproxy" modes on that port directive.

> http_port
> https_port ssl-bump intercept \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
>     cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
>     tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
> always_direct allow all
> ssl_bump bump all
> This however ends up with following logs:
> 2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local= remote= FD 13 flags=33: (2) No such file or directory

Which means your NAT systems have no records of port 443 being diverted to port 3129.

> Command to reproduce:
>  % ALL_PROXY="…" curl -k -vvv --proxy-insecure -X POST --data 'foo' https://ironpeak.be/

Correct test command for "https_port 3129 intercept ssl-bump" is:

 curl --cacert /etc/squid/ssl/squid.crt -vvv \
      -X POST --data 'foo' https://ironpeak.be/

This verifies that the system is diverting traffic to the proxy, the proxy is the TLS agent for those connections, and that connectivity through the proxy is working.
TLS failure to verify the cert(s) indicates the proxy is not being reached.

squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
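The following is an added example, not code from this thread or from the Squid project. It puts together what Amos's reply implies an "https_port 3129 intercept ssl-bump" deployment needs and how to read the two checks he describes: the NAT rule that gives Squid an ORIGINAL_DST record for each diverted connection (its absence is what produces the "NF getsockopt(ORIGINAL_DST) failed ... No such file or directory" line), the squid.conf fragment with the options on separate tokens, and the curl run that only verifies if the diversion actually reached Squid. The port 3129, the client network 192.0.2.0/24, the interface eth0, the use of iptables REDIRECT (rather than nftables or TPROXY) and the exit-code interpretation are assumptions for illustration; the certificate paths and test origin are the ones from the thread.

```shell
#!/bin/sh
# Added example for the squid-users thread above (not the thread's or Squid's
# own code). Assumptions not stated in the thread: Squid takes intercepted TLS
# on 3129, clients are in 192.0.2.0/24 behind eth0, and iptables REDIRECT is
# the diversion mechanism.

SQUID_PORT=3129
CLIENT_NET=192.0.2.0/24
LAN_IF=eth0
SQUID_CA=/etc/squid/ssl/squid.crt
SQUID_KEY=/etc/squid/ssl/squid.key
TEST_URL=https://ironpeak.be/

# squid.conf fragment. "intercept" is what makes Squid call
# getsockopt(SO_ORIGINAL_DST) on every accepted connection; the thread's copy
# had these options run together by line wrapping.
squid_conf_fragment() {
    cat <<EOF
http_port 3128
https_port $SQUID_PORT intercept ssl-bump \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \\
    tls-cert=$SQUID_CA tls-key=$SQUID_KEY
always_direct allow all
ssl_bump bump all
EOF
}

# NAT rule that creates the conntrack entry Squid reads back as ORIGINAL_DST.
# PREROUTING only sees traffic arriving on $LAN_IF, so Squid's own outbound
# connections (which leave through OUTPUT) are not looped back into the proxy.
nat_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$CLIENT_NET" "$SQUID_PORT"
}

# Constructed sample cache.log line (mirrors the one quoted in the thread).
SAMPLE_LOG_LINE='2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local= remote= FD 13 flags=33: (2) No such file or directory'

# Map a cache.log line to a diagnosis token. Only the error from the thread is
# recognised: it means the kernel has no NAT record for the flow, i.e. port 443
# is not being redirected to the intercept port.
diagnose_log_line() {
    case "$1" in
        *'getsockopt(ORIGINAL_DST) failed'*) echo no-nat-record ;;
        *) echo other ;;
    esac
}

# Interpret the exit status of the verification curl. curl trusts only the
# Squid signing CA, so exit 60 (peer certificate cannot be authenticated)
# means the client got the origin's real certificate: the traffic bypassed
# Squid. Exit 0 means Squid terminated the TLS session and proxied the request.
interpret_curl_exit() {
    case "$1" in
        0)  echo bumped ;;
        60) echo not-intercepted ;;
        7)  echo unreachable ;;
        *)  echo unknown ;;
    esac
}

# The live check from Amos's reply, run from a client inside $CLIENT_NET:
# no proxy variables, no -k, trust only the Squid CA.
verify_interception() {
    if env -u ALL_PROXY -u HTTPS_PROXY -u https_proxy \
        curl --cacert "$SQUID_CA" -sS -o /dev/null -X POST --data 'foo' "$TEST_URL"
    then rc=0; else rc=$?; fi
    interpret_curl_exit "$rc"
}

# Stand-alone use: print the config and the rule; run the live check only
# when RUN_LIVE=1, since it needs a client behind the proxy.
squid_conf_fragment
nat_redirect_rule
diagnose_log_line "$SAMPLE_LOG_LINE"
[ "${RUN_LIVE:-0}" = 1 ] && verify_interception
```

Apply the printed rule on the router or on the Squid host itself (with the rule on the interface clients arrive on), reload Squid with the fragment, and run the script with RUN_LIVE=1 from a client; "bumped" confirms the diversion, the TLS termination and the upstream connection in one step, while "not-intercepted" points back at the NAT rule before anything in squid.conf is touched.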