[squid-users] ssl_bump with parent cache

Alex Rousskov rousskov at measurement-factory.com
Tue Mar 8 21:57:36 UTC 2022 

On 3/8/22 16:38, Aaron Dewell wrote:

> Hi Alex, thanks for your reply!  I did get access to the parent proxy 
> and my assumption was wrong, it's doing minimal bumping.

TLS inspection at the parent proxy does not affect what I was trying to 
double check. What matters is whether it is a forward HTTP proxy (e.g., 
a Squid instance listening on an http_port configured without intercept, 
tproxy, or accel flags). It sounds like that is what it is. That's OK!

I do not remember whether your Squid version (v4.13) supports SslBump 
with parent forward proxies, but I believe modern Squids do, and we can 
assume that your Squid version does as well. The debugging should show 
whether that is indeed the case.


> The parent is doing peek and splice to an exact list of internal 
> destinations.  Specifically, peek step1 all, peek step2 allowed_sites, 
> splice allowed_sites, terminate all.  That shouldn't (to my imperfect 
> knowledge) interfere with what I'm doing though.

Yes, assuming the parent does not terminate your Squid connections, of 
course (i.e. assuming connections from your Squid always match 
allowed_sites after step1 at the parent proxy).


> That's a good idea to do splice only and see if that's successful.  
> Trying to do too much at once!  I'll see what that does, then try debug 
> again.  The debug output wasn't very helpful before, but stepwise may be 
> more useful.

Just to clarify: The debugging output was not meant for you to 
interpret. A Squid developer should do that. It may contain sensitive 
details; it is best to not use anything but test traffic and test 
certificate keys when sharing ALL,9 output.

Alex.


> On Mar 8 2022, at 1:43 pm, Alex Rousskov  wrote:
> 
>     On 3/8/22 14:16, Aaron Dewell wrote:
> 
>      > I'm trying to use these two features at the same time.  The use
>     case is
>      > pretty simple.  I want to capture all traffic from a single source (a
>      > device of mine) to another squid proxy server and decrypt/log
>     it.    I'm
>      > using the Ubuntu 20 package of squid-ssl version 4.13.
>      >
>      > Device -> ssl_bump proxy -> upstream proxy -> website
>      >
>      > It was all successfully working without ssl_bump, so the cache_peer
>      > configuration works.  One side note: the parent proxy is running
>     on 443
>      > without SSL (I believe - I don't run it but I've asked those that
>     do for
>      > confirmation, but I do know it's a pretty standard destination proxy
>      > configuration).
>      >
>      > The website itself is not directly accessible thus the upstream
>     proxy is
>      > required.
>      >
>      > Adding the ssl_bump configuration caused it to not work, with errors
>      > about SSL versions and "Error negotiating SSL connection on FD
>     xx".  My
>      > best guess is that it is attempting to establish an SSL connection to
>      > the upstream and failing.
>      >
>      > acl step1 at_step SslBump1
>      > ssl_bump peek step1
>      > ssl_bump bump all
>      > http_port 3128 ssl-bump cert=/var/lib/squid/ssl_cert/myCA.pem
>      > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>      > tls_outgoing_options options=NO_SSLv3
>      > flags=DON'T_VERIFY_PEER,DONT_VERIFY_DOMAIN
>      > cert=/var/lib/squid/ssl_cert/device.pem
>      > key=/var/lib/squid/ssl_cert/client.key
>      >
>      > (client.key and client.pem are from the device and are needed due
>     to the
>      > authentication of the session at the destination server.  Also, I
>      > haven't looked at the packet logging yet. I assume that will be
>     an easy
>      > addition once the setup works generally.)
>      >
>      > However, my understanding is that the cache_peer configuration should
>      > NOT do TLS by default unless that was specified in the options, and I
>      > see no way to explicitly disable it.
>      >
>      > So first question: is that assumption accurate?  No TLS to the parent
>      > unless explicitly configured?
> 
>     Yes, that is correct: cache_peers are plain HTTP forward proxies unless
>     explicitly configured otherwise. Their listening port value does carry
>     any special meaning as far as Squid code is concerned.
> 
>     However, it is very unusual to run a plain HTTP forward proxy on port
>     443. That port may imply that your parent proxy is an HTTPS reverse
>     proxy. If it is, you need to use originserver flag when configuring the
>     corresponding cache_peer line. You can check by sending plain CONNECT
>     requests to that upstream proxy using wget, curl, or some such. A
>     reverse HTTPS proxy would reject such requests.
> 
> 
>      > if the ssl_bump configuration is causing it to attempt an upstream
>      > TLS connection ...
> 
>     Bugs notwithstanding, it should not.
> 
> 
>      > Anything here that I'm doing obviously wrong?
> 
>     I see no red flags relevant to your specific question.
> 
>     Does replacing "bump all" with "splice all" fix the problem? I realize
>     that you do want to bump/see the device traffic, but I wonder whether
>     the errors are not between Squid and the upstream proxy but Squid and
>     the web site. Splicing would remove those errors while still keeping
>     some SslBump code active.
> 
>     Sharing a (pointer to compressed) libpcap packet capture and/or a
>     (pointer to compressed) ALL,9 cache.log while reproducing the problem
>     with a single transaction may help:
>     https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
> 
>     Alex.
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     http://lists.squid-cache.org/listinfo/squid-users
> 
> Sent from Mailspring

More information about the squid-users mailing list