<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hello Strudel,<br>
</p>
<p><br>
</p>
<p>Please remove the '<span style="color: rgb(33, 33, 33); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 15.5555562973022px; background-color: rgb(255, 255, 255);">ssl_bump client-first all</span>' directive from your squid.conf because the
'<span style="color: rgb(33, 33, 33); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 15.5555562973022px; background-color: rgb(255, 255, 255);">include "/opt/qlproxy/etc/squid/squid.acl"' already contains '</span><span style="font-size: 12pt;">ssl_bump
server-first all' (or should contain).</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">This file is generated from Web UI of Diladele when you click the "enable ssh filteiring for all sites" settings. By default though it is set to 'off' to comply with legal regulations in some countries.</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">It would also be nice if you could post the contents of it either here or in private e-mail to me not to pollute the overall discussion. </span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">Best regards,</span></p>
<p><span style="font-size: 12pt;">Rafael Akchurin</span></p>
<p><span style="font-size: 12pt;">Diladele B.V.</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> on behalf of apfelstrudel <apfelstrudel@op.pl><br>
<b>Sent:</b> Thursday, October 16, 2014 10:13 AM<br>
<b>To:</b> squid-users@squid-cache.org<br>
<b>Subject:</b> [squid-users] ssl-bump doesn't decrypt https traffic - please help</font>
<div> </div>
</div>
<div>
<div>Hello.</div>
<div>I am trying to get ssl-bump to decrypt https traffic transparently so that I could filter out adult videos from youtube and to globally enforce google safesearch on my network with diladele web safety. I also want to run dansguardian to filter http. I
managed to pass https traffic transparently to squid but ssl-bump doesn't decrypt it. In logs I can see the https websites but in an encrypted form of website's.ip.address:port (45.231.21.56:443 for example) instead of https url (like https://youtube.com).
That means that traffic is still encrypted and because of that, diladele can't filter https. The squid is installed on an eee pc netbook with fedora 20 installed. This machine is also my router and a network gateway. 172.16.34.254 is the ip on which the netbook
"sees" the internal network, which consists of: 1 tp-link router directly connected to the eee. Thas router is connected wirelessly (Wi-Fi antenna) to the second TP-Link router (bridge) in my house. The bridge router is then connected by an ethernet cable
to another router to which my devices finally (phone, tablet, pc, printer) connect. So in summary: My device (PC, tablet, phone) ----> Router (Netgear) ----> TP-Link Bridge Router ------> Router (TP-Link) ----> Network gateway/router (eee pc running fedora
20) with squid installed. With the current configuration dansguardian works (http), diladele web safety works (only http) and the https traffic is passed transparently through squid, but not decrypted:</div>
<div> </div>
<div>172.16.34.253 TCP_MISS/301 848 GET http://pl-pl.facebook.com/ - HIER_DIRECT/31.13.93.97 text/html<br>
172.16.34.254 TCP_MISS/200 50622 CONNECT 2.22.52.26:443 - HIER_DIRECT/2.22.52.26 - <----- this should be https://pl-pl.facebook.com but ssl-bump doesn't decrypt traffic.<br>
</div>
<div>The IP addresses on the beginning of each line are different because http requests go from dansguardian internally. The https requests go directly from my internal network.</div>
<div> </div>
<div>Here's my squid.conf:</div>
<div><br>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br>
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br>
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br>
acl localnet src fc00::/7 # RFC 4193 local private network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>
acl to_localhost dst 127.0.0.1/8<br>
<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
<br>
# Deny requests to certain unsafe ports<br>
http_access deny !Safe_ports<br>
<br>
# Deny CONNECT to other than secure SSL ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
# Only allow cachemgr access from localhost<br>
http_access allow localhost manager<br>
http_access deny manager<br>
<br>
</div>
<div>http_access allow localnet<br>
http_access allow localhost<br>
<br>
# And finally deny all other access to this proxy<br>
http_access allow all<br>
http_access allow CONNECT<br>
http_access allow to_localhost<br>
<br>
include "/opt/qlproxy/etc/squid/squid.acl"<br>
<br>
# Squid normally listens to port 3128<br>
# Dansguardian's port:<br>
http_port 3125<br>
# HTTPS ports, required by diladele web safety:<br>
http_port 3126 intercept<br>
https_port 3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem<br>
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem<br>
always_direct allow all<br>
ssl_bump client-first all<br>
<br>
#ceritiface storage manager<br>
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB<br>
<br>
# Uncomment and adjust the following to add a disk cache directory.<br>
#cache_dir ufs /var/spool/squid 100 16 256<br>
<br>
# Leave coredumps in the first cache dir<br>
coredump_dir /var/spool/squid<br>
<br>
refresh_pattern ^ftp: 1440 20% 1008</div>
<div>refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
<br>
# Squid-Diladele integration:<br>
icap_enable on<br>
icap_preview_enable on<br>
icap_preview_size 4096<br>
icap_persistent_connections on<br>
icap_send_client_ip on<br>
icap_send_client_username on<br>
icap_client_username_header X-Client-Username<br>
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod<br>
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod<br>
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"<br>
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"<br>
adaptation_access qlproxy1 deny qlproxy_icap_edomains<br>
adaptation_access qlproxy2 deny qlproxy_icap_edomains<br>
adaptation_access qlproxy2 deny qlproxy_icap_etypes<br>
adaptation_access qlproxy1 allow all<br>
adaptation_access qlproxy2 allow all</div>
<div>#squid shutdown faster<br>
shutdown_lifetime 3 seconds<br>
--------------------------------------------------</div>
<div>And here are my iptables:</div>
<div> </div>
<div>*filter<br>
:INPUT DROP [0:0]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
-A INPUT -p icmp -j ACCEPT<br>
-A INPUT -i lo -j ACCEPT<br>
# ssh<br>
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT<br>
# dansguardian<br>
-A INPUT -i p33p1 -p tcp --dport 8080 -j ACCEPT<br>
# squid https<br>
-A INPUT -i p33p1 -p tcp --dport 3128 -j ACCEPT<br>
# 3127 - for intercepted https traffic for Squid<br>
-A INPUT -i p33p1 -p tcp --dport 3127 -j ACCEPT<br>
# squid - allow the redirected trafiic from port 443 to 3128<br>
-A INPUT -m mark --mark 1 -j DROP<br>
# squid - block direct connections to port 3128<br>
-A INPUT -i p33p1 -p tcp --dport 3128 -j REJECT<br>
# connected streams<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
#-A INPUT -j LOG --log-prefix "DROPPED_INPUT: "<br>
COMMIT<br>
*nat<br>
:OUTPUT ACCEPT [0:0]<br>
:PREROUTING ACCEPT [0:0]<br>
:POSTROUTING ACCEPT [0:0]<br>
# all queries go to opendsns familyshield:<br>
-A PREROUTING -p udp -i p33p1 --dport 53 -j DNAT --to-destination 208.67.222.123:53<br>
# redirection of internal network's http traffic to dansguardian:<br>
-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 80 -j REDIRECT --to-ports 8080<br>
# https redirection to squid</div>
<div>-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 443 -j REDIRECT --to-ports 3127</div>
<div>#NAT<br>
-A POSTROUTING -s 172.16.34.252/30 -j MASQUERADE<br>
COMMIT<br>
*mangle<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
:POSTROUTING ACCEPT [0:0]<br>
:PREROUTING ACCEPT [0:0]<br>
-A PREROUTING -p tcp -m tcp -i p33p1 --dport 3128 -j MARK --set-mark 1<br>
-A PREROUTING -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT<br>
-A PREROUTING -p tcp --dport 80 -s 172.16.34.253 -j ACCEPT<br>
COMMIT<br>
# Completed</div>
<div>I also tried running squid with the squid -d 10 command but no errors were found:</div>
<div> </div>
<div>2014/10/16 10:08:46 kid1| HTCP Disabled.<br>
2014/10/16 10:08:46 kid1| Squid plugin modules loaded: 0<br>
2014/10/16 10:08:46 kid1| Adaptation support is on<br>
2014/10/16 10:08:46 kid1| Accepting HTTP Socket connections at local=[::]:3125 remote=[::] FD 21 flags=9<br>
2014/10/16 10:08:46 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3126 remote=[::] FD 22 flags=41<br>
2014/10/16 10:08:46 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9<br>
2014/10/16 10:08:46 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 24 flags=41<br>
2014/10/16 10:08:47 kid1| storeLateRelease: released 0 objects</div>
<div>How can I get squid to decrypt https traffic with this configuration? Any help will be much appreciated.</div>
</div>
</div>
</body>
</html>