[squid-users] site opens only without ssl bump

Majed Zouhairy m_zouhairy at ckta.by
Fri Nov 4 06:31:12 UTC 2022



On 11/3/22 21:25, Alex Rousskov wrote:
> On 11/3/22 10:17, Majed Zouhairy wrote:
>> here is the log:
> 
>> 1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
> 
>> i added the following line to squid:
>>
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
> 
> Please do not redefine built-in formats like "squid". As you can see, 
> your adjustment had no effect -- the log records do not end with -/- (or 
> better). Follow the xsquid sketch (that I shared earlier) instead.
> 

with

logformat squidx %err_code/%err_detail
access_log xsquid

squid stopped logging completely

>> with either
>>
>> ssl_bump peek all
>> ssl_bump splice all
>>
>> or
>>
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice all
>>
>> it still does not work.
> 
> Interesting. How about just:
> 
>    ssl_bump splice all
> 
> ... which should splice the TCP connections before any TLS work begins.
with

ssl_bump splice all

now the site works

> 
> Alex.
> 
> 
>> On 11/3/22 16:05, Alex Rousskov wrote:
>>> On 11/3/22 05:43, Majed Zouhairy wrote:
>>>
>>>> i have 2 proxies, one with ssl bump and one without, there is an 
>>>> internal site that opens only on the no ssl bump proxy.
>>>>
>>>> on the ssl bump proxy it displays:
>>>
>>>
>>> What does Squid say in access.log for this problematic request? 
>>> Please configure Squid to log %err_code/%err_detail before answering 
>>> this question. For example:
>>>
>>> logformat xsquid ...your regular %codes... %err_code/%err_detail
>>> access_log ... xsquid
>>>
>>>
>>>
>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>
>>> ssl_bump peek all
>>> ssl_bump splice all
>>>
>>>
>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>
>>> ssl_bump peek tls_s1_connect
>>> ssl_bump splice all
>>>
>>>
>>> Alex.
>>>
>>>
>>>
>>>
>>>> Не удается получить доступ к сайту. Веб-страница по адресу (i was 
>>>> unable to gain access to website:) 
>>>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback, возможно, временно недоступна или постоянно перемещена по новому адресу. (it is possible that it can not be reached or it has been permanently relocated to a new address)
>>>> ERR_TUNNEL_CONNECTION_FAILED
>>>>
>>>> the site needs special configurations to run:
>>>> it needs a local proxy to run, avtunproxy.nl
>>>> in the internet explorer settings:
>>>> the second box in the proxy settings needs to be checked called the 
>>>> "use the scenario for automatic configuration"
>>>> in it, the proxy address is plugged
>>>> http://127.0.0.1:10224/proxy.pac
>>>>
>>>> my bump settings are as follows:
>>>>
>>>>
>>>> acl     tls_s1_connect        at_step SslBump1
>>>> acl     tls_s2_client_hello     at_step SslBump2
>>>> acl     tls_s3_server_hello     at_step SslBump3
>>>>
>>>> # define acls for sites that must not be actively bumped
>>>>
>>>> acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
>>>> acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
>>>> acl     tls_server_is_bank         ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>>>> acl     tls_to_splice     any-of     tls_allowed_hsts tls_server_is_bank
>>>>
>>>> # TLS/SSL bumping steps
>>>>
>>>> ssl_bump         peek                tls_s1_connect         # peek at TLS/SSL connect data
>>>> ssl_bump         splice                 tls_to_splice        # splice some: no active bump
>>>> ssl_bump         stare                 all                    # stare(peek) at server properties of the webserver
>>>> ssl_bump         bump
>>>>
>>>> contents of the /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>>>
>>>> .ckko.nl
>>>> .ias.ckko.nl
>>>> .test-auth.ias.ckko.nl
>>>> .config.avtunproxy.nl
>>>> .rand.avtunproxy.nl
>>>> .avast.nl
>>>> .dev.avast.nl
>>>> .ncis.nl
>>>> .cdn.nlpost.nl
>>>>
>>>> those are all the sites that are logged in on the non ssl bump proxy 
>>>> when ias.ckko.nl is accessed
>>>>
>>>> despite all this configuration, the site does not open. in ufdbguard 
>>>> every site from the user is a pass.
>>>>
>>>> in avtunproxy log :
>>>>
>>>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
>>>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>>>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>>>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>>>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>>>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>>>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>>>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>>>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log
>>>>
>>>>
>>>> what is the solution?
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
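As an added example (not code from the thread, from Squid, or from avtunproxy), here is a small parser for access.log records in the layout Alex sketched: the built-in squid format with %err_code/%err_detail appended as a last field. It assumes that field order; the sample lines are constructed (the first is the record quoted in the thread, the error code and detail strings in the second are illustrative), and it flags CONNECT requests that Squid answered itself without ever reaching the server, which is what a NONE_NONE/200 0 ... HIER_NONE/- record shows.

```python
import re
from collections import Counter

# Layout assumed: the built-in "squid" logformat with %err_code/%err_detail
# appended as a final field. Lines without that field (stock format) still parse.
XSQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<duration>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[^/\s]+)/(?P<http>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+"
    r"(?P<mime>\S+)(?:\s+(?P<err_code>[^/\s]+)/(?P<err_detail>\S+))?\s*$"
)

# Constructed sample: line 1 is the record quoted in the thread (stock format),
# lines 2-3 are made up to show the extended format; error strings are illustrative.
SAMPLE_LOG = """\
1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667471161.102     55 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ias.ckko.nl:443 - HIER_NONE/- - ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE
1667471162.300    120 192.168.2.5 TCP_TUNNEL/200 5321 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 - -/-
"""

def parse_line(line):
    """Return the record as a dict, or None if the line does not match the layout."""
    m = XSQUID_RE.match(line)
    return m.groupdict() if m else None

def is_failed_tunnel(rec):
    """CONNECT that Squid answered itself: no hierarchy entry and no bytes relayed."""
    return (rec["method"] == "CONNECT"
            and rec["status"].startswith("NONE")
            and rec["hier"] == "HIER_NONE"
            and rec["bytes"] == "0")

def summarize(lines):
    """Count failed tunnels by (destination, err_code, err_detail) and report how
    many carry no error code at all, i.e. the log format is not yet explaining them."""
    failures = Counter()
    undiagnosed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_tunnel(rec):
            continue
        code = rec["err_code"] or "-"
        detail = rec["err_detail"] or "-"
        if code == "-":
            undiagnosed += 1
        failures[(rec["url"], code, detail)] += 1
    return failures, undiagnosed
```

Run summarize() over the real access.log once the extended format is in place; destinations whose failures still show -/- are the ones the log format change has not reached yet.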

