[squid-users] site opens only without ssl bump

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 3 18:25:24 UTC 2022 

On 11/3/22 10:17, Majed Zouhairy wrote:
> here is the log:

> 1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -

> i added the following line to squid:
> 
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a 
> %mt %err_code/%err_detail

Please do not redefine built-in formats like "squid". As you can see, 
your adjustment had no effect -- the log records do not end with -/- (or 
better). Follow the xsquid sketch (that I shared earlier) instead.


> with either
> 
> ssl_bump peek all
> ssl_bump splice all
> 
> or
> 
> ssl_bump peek tls_s1_connect
> ssl_bump splice all
> 
> it still does not work.

Interesting. How about just:

   ssl_bump splice all

... which should splice the TCP connections before any TLS work begins.

Alex.


> On 11/3/22 16:05, Alex Rousskov wrote:
>> On 11/3/22 05:43, Majed Zouhairy wrote:
>>
>>> i have 2 proxies, one with ssl bump and one without, there is a 
>>> internal site that opens only on the no ssl bump proxy.
>>>
>>> on the ssl bump proxy it displays:
>>
>>
>> What does Squid say in access.log for this problematic request? Please 
>> configure Squid to log %err_code/%err_detail before answering this 
>> question. For example:
>>
>> logformat xsquid ...your regular %codes... %err_code/%err_detail
>> access_log ... xsquid
>>
>>
>>
>> Does the site works if you temporary replace your ssl_bump rules with:
>>
>> ssl_bump peek all
>> ssl_bump splice all
>>
>>
>> Does the site works if you temporary replace your ssl_bump rules with:
>>
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice all
>>
>>
>> Alex.
>>
>>
>>
>>
>>> Не удается получить доступ к сайтуВеб-страница по адресу (i was 
>>> unable to gain access to website:) 
>>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback, 
>>> возможно, временно недоступна или постоянно перемещена по новому 
>>> адресу. (it is possible that it can not bbe reached or it has been 
>>> permanently relocated to a new address)
>>> ERR_TUNNEL_CONNECTION_FAILED
>>>
>>> the site needs special configurations to run:
>>> it needs a local proxy to run, avtunproxy.nl
>>> in the internet explorer settings:
>>> the second box in the proxy settings needs to be checked called the 
>>> "use the scenario for automatic configuration"
>>> in it, the proxy address is plugged
>>> http://127.0.0.1:10224/proxy.pac
>>>
>>> my bump settings are as follows:
>>>
>>>
>>> acl     tls_s1_connect        at_step SslBump1
>>> acl     tls_s2_client_hello     at_step SslBump2
>>> acl     tls_s3_server_hello     at_step SslBump3
>>>
>>> # define acls for sites that must not be actively bumped
>>>
>>> acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
>>> acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
>>> acl     tls_server_is_bank         ssl::server_name 
>>> "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>>> acl     tls_to_splice     any-of     tls_allowed_hsts tls_server_is_bank
>>>
>>> # TLS/SSL bumping steps
>>>
>>> ssl_bump         peek                tls_s1_connect         # peek at 
>>> TLS/SSL connect data
>>> ssl_bump         splice                 tls_to_splice        # splice 
>>> some: no active bump
>>> ssl_bump         stare                 all                    # 
>>> stare(peek) at server
>>>                                                          # properties 
>>> of the webserver
>>> ssl_bump         bump
>>>
>>> contents of the 
>>> /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>>
>>> .ckko.nl
>>> .ias.ckko.nl
>>> .test-auth.ias.ckko.nl
>>> .config.avtunproxy.nl
>>> .rand.avtunproxy.nl
>>> .avast.nl
>>> .dev.avast.nl
>>> .ncis.nl
>>> .cdn.nlpost.nl
>>>
>>> those are all the sites that are logged in on the non ssl bump proxy 
>>> when ias.ckko.nl is accessed
>>>
>>> despite all this configuration, the site does not open. in ufdbguard 
>>> every site from the user is a pass.
>>>
>>> in avtunproxy log :
>>>
>>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
>>> https://ckko.nl/upload/certificates/8.crl
>>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
>>> read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
>>> connection was forcibly closed by the remote host.
>>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
>>> read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing 
>>> connection was forcibly closed by the remote host.
>>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] 
>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] 
>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] 
>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] 
>>> [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] 
>>> [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] 
>>> [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] 
>>> [addr=127.0.0.1:10544] GET /api/v2/log
>>>
>>>
>>> what is the solution?
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list