[squid-users] Configuring SSL Bump on CONNECT, but no SSL Bump on Transparent

Alex Rousskov rousskov at measurement-factory.com
Sat Sep 4 19:58:31 UTC 2021 

On 9/4/21 7:47 AM, Graham Wharton wrote:

> Besides I’ve managed to configure it using localport acl’s to detect
> which port the request came in on and bump accordingly. Not sure if this
> is the best way.

I do not remember what works in Squid v3, but, in general, the best way
is to name your ports and use the myportname ACL instead of trying to
match one of the many port numbers associated with transparent
connections, especially when Squid has a tendency to "swap" source and
destination addresses in that context.

Besides not running v3, I also would not try to bump at step1 -- there
is so little information for Squid to use during step1 that the client
is very unlikely to be happy about the Squid-generated certificate.

To bump at step2:

  ssl_bump peek step1
  ssl_bump bump shouldBeBumped
  ssl_bump splice all

or even step3:

  ssl_bump peek step1
  ssl_bump stare shouldBeBumped
  ssl_bump bump shouldBeBumped
  ssl_bump splice all

... where shouldBeBumped is your ACL that matches transactions that
should be bumped.


HTH,

Alex.


>  
> 
> Thanks for listening.
> 
>  
> 
> For info for anyone else interested
> 
>  
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> 
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> 
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> 
> acl localnet src fc00::/7       # RFC 4193 local private network range
> 
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
> machines
> 
> acl connectport localport 3128
> 
> http_port 10.0.0.36:3129 intercept
> 
> https_port 10.0.0.36:3130 intercept ssl-bump \
> 
>         cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
> 
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> http_port 10.0.0.36:3128 ssl-bump \
> 
>         cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
> 
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> 
> http_access allow localnet
> 
> http_access allow localhost
> 
> http_access deny all
> 
> acl step1 at_step SslBump1
> 
> acl step2 at_step SslBump2
> 
> acl step3 at_step SslBump3
> 
> ssl_bump bump connectport
> 
> ssl_bump peek all
> 
> ssl_bump splice all
> 
>  
> 
> Cheers
> 
>  
> 
> Graham
> 
>  
> 
>  
> 
> *From:*squid-users <squid-users-bounces at lists.squid-cache.org> *On
> Behalf Of *Graham Wharton
> *Sent:* 04 September 2021 11:44
> *To:* squid-users at lists.squid-cache.org
> *Subject:* [squid-users] Configuring SSL Bump on CONNECT, but no SSL
> Bump on Transparent
> 
>  
> 
> Hi all,
> 
>  
> 
> Squid 3.5.20
> 
>  
> 
> I am attempting to configure the following
> 
>  
> 
> Port 3128 = Accepts CONNECT requests with SSL Bump for all sites
> 
> Port 3129 = HTTP port for transparent proxy
> 
> Port 3130 = HTTPS port for transparent proxy – NO SSL Bump, all sites
> should always TUNNEL
> 
>  
> 
> Is the above config possible?
> 
>  
> 
> The relevant sections of my config are
> 
>  
> 
> #TANSPARENT
> 
> http_port 10.0.0.36:3129
> 
> https_port 10.0.0.36:3130
> 
>  
> 
> #CONNECT
> 
> http_port 10.0.0.36:3128 ssl-bump \
> 
>         cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
> 
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> 
>  
> 
> #Permissions
> 
> http_access allow localnet
> 
> http_access allow localhost
> 
> http_access deny all
> 
>  
> 
> ##Steps
> 
> acl step1 at_step SslBump1
> 
> acl step2 at_step SslBump2
> 
> acl step3 at_step SslBump3
> 
>  
> 
> #Bump Rules
> 
> ssl_bump peek step1
> 
> ssl_bump bump all
> 
> ssl_bump splice all
> 
>  
> 
> All appears to work correctly, apart from transparent connections for
> HTTPS. These are getting bumped.
> 
>  
> 
> According to the logs
> 
>  
> 
> 2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(218) doAccept: New
> connection on FD 30
> 
> 2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(293) acceptNext:
> connection on local=10.0.0.36:3130 remote=[::] FD 30 flags=41
> 
> 2021/09/04 10:38:54.129 kid1| 33,2| client_side.cc(3920)
> httpsSslBumpAccessCheckDone: sslBump needed for
> local=142.250.187.196:443 remote=10.0.1.254:51928 FD 12 flags=33 method 3
> 
>  
> 
> Looking at the code, it would appear that because the destination is
> ALLOWED for the ssl_bump acl, the connection is automatically upgraded
> to ssl_bump by the httpsSslBumpAccessCheckDone function. But this isn’t
> what I want. I want ssl_bump to be completely disabled on my transparent
> proxy, I only wan to bump connections for connections that have
> explicitly set their proxy.
> 
>  
> 
> Any suggestions on how to overcome this, apart from running two copies
> of squid.
> 
>  
> 
> Thanks in advance
> 
>  
> 
> Graham Wharton
> 
>  
> 
>  
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

More information about the squid-users mailing list