[squid-users] SSL Virtual Hosting Problem

Mario Theodoridis mario.theodoridis at regify.com
Tue Nov 28 10:29:48 UTC 2023


Hello everyone,

I'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers.

I would like to proxy the incoming connections to the appropriate 
backend servers based on the hostname using SNI.

I'm using the following config to just try this with 1 backend to test with, and fail already.

Here is the config:

http_port 3128
debug_options ALL,2
pinger_enable off
shutdown_lifetime 1 second
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
acl tlspls ssl::server_name_regex -i test\.regify\.com
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
ssl_bump peek all
ssl_bump splice all
http_access allow all
cache_peer_access test allow all


Starting squid gives me the following:

2023/11/28 11:13:21.919| 1,2| main.cc(1619) SquidMain: Doing post-config 
initialization
2023/11/28 11:13:21.919| 1,2| main.cc(1621) SquidMain: running 
RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.919| Created PID file (/run/squid.pid)
2023/11/28 11:13:21.921| 1,2| main.cc(1453) StartUsingConfig: running 
RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.921| 1,2| main.cc(1454) StartUsingConfig: running 
RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1619) SquidMain: Doing 
post-config initialization
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1621) SquidMain: running 
RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1453) StartUsingConfig: 
running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1454) StartUsingConfig: 
running RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| Current Directory is /
2023/11/28 11:13:21.988 kid1| Creating missing swap directories
2023/11/28 11:13:21.988 kid1| No cache_dir stores are configured.
2023/11/28 11:13:21.992| 1,2| main.cc(2051) watch_child: running 
RegisteredRunner::finishShutdown
2023/11/28 11:13:21.992| Removing PID file (/run/squid.pid)
2023/11/28 11:13:22.063| 1,2| main.cc(1619) SquidMain: Doing post-config 
initialization
2023/11/28 11:13:22.063| 1,2| main.cc(1621) SquidMain: running 
RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.063| Created PID file (/run/squid.pid)
2023/11/28 11:13:22.066| 1,2| main.cc(1453) StartUsingConfig: running 
RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.066| 1,2| main.cc(1454) StartUsingConfig: running 
RegisteredRunner::useConfig
2023/11/28 11:13:22.131 kid1| 1,2| main.cc(1619) SquidMain: Doing 
post-config initialization
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1621) SquidMain: running 
RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1453) StartUsingConfig: 
running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1454) StartUsingConfig: 
running RegisteredRunner::useConfig
2023/11/28 11:13:22.132 kid1| Current Directory is /
2023/11/28 11:13:22.132 kid1| Starting Squid Cache version 4.13 for 
x86_64-pc-linux-gnu...
2023/11/28 11:13:22.132 kid1| Service Name: squid
2023/11/28 11:13:22.132 kid1| Process ID 2863502
2023/11/28 11:13:22.132 kid1| Process Roles: worker
2023/11/28 11:13:22.132 kid1| With 1024 file descriptors available
2023/11/28 11:13:22.132 kid1| Initializing IP Cache...
2023/11/28 11:13:22.135 kid1| 78,2| dns_internal.cc(1570) Init: 
idnsInit: attempt open DNS socket to: 0.0.0.0
2023/11/28 11:13:22.135 kid1| DNS Socket created at 0.0.0.0, FD 5
2023/11/28 11:13:22.135 kid1| Adding domain de.regify.com from 
/etc/resolv.conf
2023/11/28 11:13:22.135 kid1| Adding nameserver 192.168.1.1 from 
/etc/resolv.conf
2023/11/28 11:13:22.135 kid1| helperOpenServers: Starting 5/32 
'security_file_certgen' processes
2023/11/28 11:13:22.164 kid1| 46,2| Format.cc(71) parse: got definition 
'%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| 46,2| Format.cc(71) parse: got definition 
'%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| Logfile: opening log 
daemon:/var/log/squid/access.log
2023/11/28 11:13:22.165 kid1| Logfile Daemon: opening log 
/var/log/squid/access.log
2023/11/28 11:13:22.194 kid1| 71,2| store_digest.cc(96) 
storeDigestCalcCap: have: 0, want 0 entries; limits: [1, 0]
2023/11/28 11:13:22.194 kid1| 70,2| CacheDigest.cc(46) init: capacity: 1 
entries, bpe: ; size: 1 bytes
2023/11/28 11:13:22.194 kid1| Local cache digest enabled; 
rebuild/rewrite every 3600/3600 sec
2023/11/28 11:13:22.194 kid1| Store logging disabled
2023/11/28 11:13:22.194 kid1| Swap maxSize 0 + 262144 KB, estimated 
20164 objects
2023/11/28 11:13:22.194 kid1| Target number of buckets: 1008
2023/11/28 11:13:22.194 kid1| Using 8192 Store buckets
2023/11/28 11:13:22.194 kid1| Max Mem  size: 262144 KB
2023/11/28 11:13:22.194 kid1| Max Swap size: 0 KB
2023/11/28 11:13:22.194 kid1| Using Least Load store dir selection
2023/11/28 11:13:22.194 kid1| Current Directory is /
2023/11/28 11:13:22.194 kid1| Finished loading MIME types and icons.
2023/11/28 11:13:22.332 kid1| 80,2| wccp.cc(113) wccpConnectionOpen: 
WCCPv1 disabled.
2023/11/28 11:13:22.332 kid1| 80,2| wccp2.cc(959) wccp2ConnectionOpen: 
WCCPv2 Disabled. No IPv4 Router(s) configured.
2023/11/28 11:13:22.332 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The 
AsyncCall clientListenerConnectionOpened constructed, 
this=0x5636c42036d0 [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(92) ScheduleCall: 
StartListening.cc(59) will call 
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22 
flags=9, err=0, HTTP Socket port=0x5636c4203730) [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The 
AsyncCall clientListenerConnectionOpened constructed, 
this=0x5636c420ca50 [call20]
2023/11/28 11:13:22.337 kid1| 33,2| AsyncCall.cc(92) ScheduleCall: 
StartListening.cc(59) will call 
clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23 
flags=25, err=0, HTTPS Socket port=0x5636c420cab0) [call20]
2023/11/28 11:13:22.337 kid1| HTCP Disabled.
2023/11/28 11:13:22.337 kid1| Squid plugin modules loaded: 0
2023/11/28 11:13:22.337 kid1| Adaptation support is off.
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: 
Initialized 0 message adaptation services
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: 
Initialized 0 message adaptation service groups
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: 
Initialized 0 message adaptation access rules
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: 
entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] 
FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCall.cc(37) make: make call 
clientListenerConnectionOpened [call18]
2023/11/28 11:13:22.339 kid1| Accepting HTTP Socket connections at 
local=0.0.0.0:3128 remote=[::] FD 22 flags=9
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: 
leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 
22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: 
entering clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 
23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCall.cc(37) make: make call 
clientListenerConnectionOpened [call20]
2023/11/28 11:13:22.346 kid1| Accepting TPROXY intercepted SSL bumped 
HTTPS Socket connections at local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:13:22.352 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: 
leaving clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 
23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.352 kid1| Configuring Parent test.de.regify.com/443/0
2023/11/28 11:13:22.353 kid1| 15,2| neighbors.cc(1198) peerDNSConfigure: 
--> IP address #0: 192.168.1.122
2023/11/28 11:13:22.368 kid1| 15,2| neighbors.cc(1272) 
peerConnectSucceded: TCP connection to test.de.regify.com/443 succeeded
2023/11/28 11:13:23 kid1| storeLateRelease: released 0 objects


Then when I call curl -k https://test.regify.com/

I get

The requested URL could not be retrieved

And the log has the following:


2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New 
connection on FD 23
2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(312) acceptNext: 
connection on local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:15:05.467 kid1| 17,2| QosConfig.cc(125) 
getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1) 
(2) No such file or directory (Destination 192.168.1.132:443, source 
192.168.1.124:60690)
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(2742) 
httpsSslBumpAccessCheckDone: sslBump action peekneeded for 
local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(3418) 
fakeAConnectRequest: fake a CONNECT request to force connState to tunnel 
for ssl-bump
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751) 
clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED; 
last ACL checked: all
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(729) 
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751) 
clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED; 
last ACL checked: all
2023/11/28 11:15:05.483 kid1| 17,2| FwdState.cc(142) FwdState: 
Forwarding client request local=192.168.1.132:443 
remote=192.168.1.124:60690 FD 11 flags=17, url=192.168.1.132:443
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(316) 
peerSelectDnsPaths: Found sources for '192.168.1.132:443'
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(317) 
peerSelectDnsPaths:   always_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(318) 
peerSelectDnsPaths:    never_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(324) 
peerSelectDnsPaths:    ORIGINAL_DST = local=192.168.1.124 
remote=192.168.1.132:443 flags=25
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(331) 
peerSelectDnsPaths:        timedout = 0
2023/11/28 11:16:05.433 kid1| 4,2| errorpage.cc(1259) BuildContent: No 
existing error page language negotiated for ERR_CONNECT_FAIL. Using 
default error file.
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable: 
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable: 
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.463 kid1| 83,2| client_side.cc(2675) 
clientNegotiateSSL: New session 0x5636c4227330 on FD 11 
(192.168.1.124:60690)
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1306) 
parseHttpRequest: HTTP Client local=192.168.1.132:443 
remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1307) 
parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: test.regify.com
User-Agent: curl/7.74.0
Accept: */*


----------
2023/11/28 11:16:05.464 kid1| 88,2| client_side_reply.cc(2062) 
processReplyAccessResult: The reply for GET https://test.regify.com/ is 
ALLOWED, because it matched (access_log daemon:/var/log/squid/access.log 
line)
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(271) sendStartOfMessage: 
HTTP Client local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 
flags=17
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(272) sendStartOfMessage: 
HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/4.13
Mime-Version: 1.0
Date: Tue, 28 Nov 2023 10:16:05 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3487
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from proxy
X-Cache-Lookup: NONE from proxy:3128
Via: 1.1 proxy (squid/4.13)
Connection: close


----------
2023/11/28 11:16:05.464 kid1| 20,2| store.cc(985) checkCachable: 
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(895) kick: 
local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17 Connection 
was closed
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(586) swanSong: 
local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17
2023/11/28 11:16:05.465 kid1| 20,2| store.cc(985) checkCachable: 
StoreEntry::checkCachable: NO: not cachable

I've been reading the squid docs and other internet resources, but am failing to figure out why this is not working.

Any clue sticks would be appreciated.

Also appreciated would be advice on where to find this documented.


-- 
Kind regards

Mario Theodoridis

regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Telefon: +49 771 8978 4238
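The setup above relies on Squid's peek step reading the Server Name Indication out of the client's TLS ClientHello before any handshake is completed; the ssl::server_name_regex ACL is then evaluated against that name. The following added example (not code from the post or from the Squid project) shows what that peek actually has to parse: it assembles a minimal ClientHello record for a constructed SNI, extracts the host_name from the SNI extension with bounds checks on every length field, and applies the posted ACL pattern the way a case-insensitive, unanchored regex search would. The ClientHello bytes, the helper names and the ACL_PATTERN constant are assumptions made for this demo; only the hostname and the regex come from the config above.

```python
import re
import struct
from typing import Optional

# Pattern taken from the posted ACL: acl tlspls ssl::server_name_regex -i test\.regify\.com
ACL_PATTERN = r"test\.regify\.com"


def build_client_hello(sni: Optional[str]) -> bytes:
    """Assemble a minimal TLS ClientHello record. Constructed test input only:
    the random is all zeros and a single cipher suite is offered."""
    body = b"\x03\x03"                              # client_version (TLS 1.2 style)
    body += b"\x00" * 32                            # random (zeros, test data)
    body += b"\x00"                                 # session_id length = 0
    body += struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
    body += b"\x01\x00"                             # one compression method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello SNI extension, or None when the
    ClientHello carries no SNI. Raises ValueError for malformed or truncated input,
    which is the case a peeking proxy must treat as 'no usable name'."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        frag = record[5:5 + rec_len]
        if len(frag) != rec_len:
            raise ValueError("truncated record")
        if frag[0] != 0x01:
            return None                             # handshake, but not a ClientHello
        hs_len = int.from_bytes(frag[1:4], "big")
        body = frag[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                # skip client_version and random
        pos += 1 + body[pos]                        # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                           # cipher_suites
        pos += 1 + body[pos]                        # compression_methods
        if pos == len(body):
            return None                             # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:
                continue                            # not server_name
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                if len(name) != name_len:
                    raise ValueError("truncated server_name")
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def acl_matches(sni: Optional[str], pattern: str = ACL_PATTERN) -> bool:
    """Mimic ssl::server_name_regex -i: a case-insensitive, unanchored regex search.
    A connection with no SNI can never match a server_name ACL."""
    return sni is not None and re.search(pattern, sni, re.IGNORECASE) is not None


if __name__ == "__main__":
    for host in ("test.regify.com", "TEST.REGIFY.COM", "other.example", None):
        name = extract_sni(build_client_hello(host))
        print(f"SNI={name!r} matches tlspls={acl_matches(name)}")
```

Two things the run makes visible. First, curl -k still sends SNI, so a splice decision keyed on ssl::server_name_regex has a name to work with at the peek step; a client that omits SNI (or a non-ClientHello record) yields None and cannot match the ACL. Second, the posted pattern is unanchored: a name such as test.regify.com.example also matches, so anchoring it (^test\.regify\.com$) is the safer ACL when the match is what selects the backend.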


