[squid-users] site opens only without ssl bump

Majed Zouhairy m_zouhairy at ckta.by
Thu Nov 3 09:43:22 UTC 2022


Peace,
I have 2 proxies, one with ssl bump and one without. There is an internal site that opens only on the no-ssl-bump proxy.

on the ssl bump proxy it displays:


Не удается получить доступ к сайту
Веб-страница по адресу (i was unable to gain access to website:)
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback,
возможно, временно недоступна или постоянно перемещена по новому адресу.
(it is possible that it can not be reached or it has been permanently relocated to a new address)
ERR_TUNNEL_CONNECTION_FAILED

the site needs special configuration to run:
it needs a local proxy to run, avtunproxy.nl
in the internet explorer settings, the second box in the proxy settings needs to be checked, called "use the scenario for automatic configuration"
in it, the proxy address is plugged in:
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:


acl tls_s1_connect        at_step SslBump1
acl tls_s2_client_hello   at_step SslBump2
acl tls_s3_server_hello   at_step SslBump3

# define acls for sites that must not be actively bumped

acl tls_allowed_hsts      ssl::server_name .akamaihd.net
acl tls_allowed_hsts      ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank    ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice         any-of tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump peek    tls_s1_connect   # peek at TLS/SSL connect data
ssl_bump splice  tls_to_splice    # splice some: no active bump
ssl_bump stare   all              # stare (peek) at server properties of the webserver
ssl_bump bump    all              # bump everything else ("all" added: the posted line had no ACL)

contents of the 
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:

.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

those are all the sites that are logged on the non-ssl-bump proxy when ias.ckko.nl is accessed

Despite all this configuration, the site does not open. In ufdbguard every site from the user is a pass.

in the avtunproxy log:

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log


what is the solution?
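When a splice list like the one in this post does not behave as expected, the first thing to verify is whether the hostnames that actually reach the bumping proxy (here, the CONNECT targets in the avtunproxy log) match any entry in the list under Squid's domain-matching rules, which ssl::server_name shares with dstdomain: a leading-dot entry such as `.ckko.nl` matches that domain and every subdomain, while an entry without a leading dot matches only that exact host. The script below is an added example, not code from the post or from the Squid project. It embeds the posted domains.squidsplice contents and a few of the posted avtunproxy lines (rejoined onto single lines) as its inputs, extracts each CONNECT target and status from the log, and reports which list entries would make the `tls_to_splice` ACL match it. The function names and the log regex are this example's own assumptions about the avtunproxy line format, taken from the lines shown above.

```python
import re

# Contents of /usr/local/ufdbguard/blacklists/finance/domains.squidsplice as posted.
SPLICE_LIST_TEXT = """
.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl
"""

# avtunproxy log lines copied from the post (the mail client had wrapped them;
# they are rejoined here). Only a subset is needed to demonstrate the check.
AVTUNPROXY_LOG = """
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
"""


def parse_splice_list(text):
    """Return the entries of a Squid domain-list file: one per line, '#' comments ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def server_name_matches(host, entry):
    """dstdomain-style match as used by ssl::server_name.

    '.example.com' matches example.com itself and any subdomain of it;
    'example.com' (no leading dot) matches only that exact host.
    """
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def matching_entries(host, entries):
    """All list entries that would make the ACL match this host."""
    return [e for e in entries if server_name_matches(host, e)]


# avtunproxy CONNECT summary line, e.g. "CONNECT host:443 -- 500 -- 14.000000 ms"
# (assumed format, derived from the lines in the post).
CONNECT_RE = re.compile(r"CONNECT (?P<host>[^\s:]+):(?P<port>\d+) -- (?P<status>\d+) --")


def parse_connects(log_text):
    """Extract (host, port, status) from every CONNECT summary line in the log."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            found.append((m.group("host"), int(m.group("port")), int(m.group("status"))))
    return found


def audit(log_text, splice_text):
    """Per CONNECT target: statuses seen from the parent proxy and the splice entries that cover it."""
    entries = parse_splice_list(splice_text)
    report = {}
    for host, port, status in parse_connects(log_text):
        rec = report.setdefault(
            host, {"port": port, "statuses": set(), "splice_entries": matching_entries(host, entries)}
        )
        rec["statuses"].add(status)
    return report


if __name__ == "__main__":
    for host, rec in audit(AVTUNPROXY_LOG, SPLICE_LIST_TEXT).items():
        verdict = "covered by splice list" if rec["splice_entries"] else "NOT covered: would reach the bump rule"
        print(f"{host}:{rec['port']} statuses={sorted(rec['statuses'])} {verdict} {rec['splice_entries']}")
```

The check only models the ACL side: a host that is covered by the list should hit `ssl_bump splice`, so a 500 on its CONNECT from the bumping proxy points at something other than a missing list entry (for example the parent-proxy path or an error Squid logs in cache.log). Run it against the full avtunproxy log and the live splice file to confirm the hostnames the client really sends, since they can differ from the ones typed into the browser, as the `test-auth.ias` vs `test-oauth.ais` spelling in this post shows.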

