<div dir="ltr"><div dir="ltr"><div class="gmail_default">





<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">Dear Amos,</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">Thank you for your time and response. I have changed the configuration to the one below. I believe the parent proxy is not using SSL/TLS. I no longer see the Hello error message (I hope). I have not used your proposed localnet as I only just saw your email; for the time being the ACL is quite open as I am still troubleshooting, and I will tighten it when I am comfortable with a final config.</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">- for never_direct, are you suggesting I use 'never_direct deny localnet'?</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">By the way, my final goal is to let HTTPS traffic through, not really to intercept it. By trial and error and reading the mailing list, the config below is what seems to be working for me right now; I cannot confirm it totally, as neither the parent proxy nor the appliance is under my control, however from the access.log and system message logs things look better than earlier. What is the best resource to understand peek and splice, any good places other than the squid-cache main URL?</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">I did get a couple of new errors; I have not worked on them yet, but I might have some clues.</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">  1- squid[192090]: SECURITY ALERT: Host header forgery detected on local=52.138.216.83:443 remote=192.168.3.4:1384 FD 50 flags=33 (local IP does not match any domain IP)</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">       I believe this is covered in <a href="https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery">https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery</a></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">   2- temporary disabling (Unauthorized) digest from 192.168.4.22</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">       wondering if I should add 'always_direct deny all' and 'nonhierarchical_direct off'?</p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)"><br></p><p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">####   Anonymous access to parent proxy</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">#forwarded_for<span class="gmail-Apple-converted-space">  </span>delete</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">#request_header_access Surrogate-Capability deny all</p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">dns_v4_first on</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">cache_peer<span class="gmail-Apple-converted-space">  </span>192.168.4.22<span class="gmail-Apple-converted-space">  </span>parent 9090 0 no-query #sslcapath=/etc/pki/ca-trust/source/anchors/  </p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">acl local-network dstdomain .azcompany.com   # tighten after finalizing troubleshooting, maybe replace with localnet</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">http_access allow all</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">never_direct deny local-network    # revisit not using DNS for resolution</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">never_direct allow all    </p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">http_port 8080 intercept<span class="gmail-Apple-converted-space">    </span># should I really use intercept in here? can I get away without it</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">https_port 8090 intercept ssl-bump generate-host-certificates=on<span class="gmail-Apple-converted-space">  </span>cert=/etc/squid/ssl_certs/bccaz01CA.pem<span class="gmail-Apple-converted-space">  </span>dynamic_cert_mem_cache_size=16MB #connection-auth=off</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">http_port 8100<span class="gmail-Apple-converted-space">    </span>#forward port not used, only for troubleshooting.</p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB</p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">acl step1 at_step SslBump1</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">acl azure_sites  dstdom_regex (^|\.)microsoft\.com$ (^|\.)azure\.com$ (^|\.)azureedge\.net$ (^|\.)microsoftazurestack\.com$ (^|\.)trafficmanager\.net$ ^wdcp\.microsoft\.com$ ^wdcpalt\.microsoft\.com$ ^updates\.microsoft\.com$   # anchored and escaped: dstdom_regex is searched anywhere in the name, so a bare "microsoft.com" would also match e.g. microsoft.com.attacker.example</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">acl azure_sites2 dstdom_regex ^download\.microsoft\.com$ ^msdl\.microsoft\.com$ ^crl\.microsoft\.com$ ^secure\.aadcdn\.microsoftonline-p\.com$</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">ssl_bump peek step1</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">ssl_bump splice  azure_sites    # Avoid bumping Microsoft/Azure related sites</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">ssl_bump splice  azure_sites2   # one ACL per line: several ACL names on one ssl_bump line must ALL match (AND), so "splice azure_sites azure_sites2" would only splice names present in both ACLs</p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">sslproxy_cert_error allow azure_sites     # is there a better way to handle these and log them?</p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">sslproxy_cert_error allow azure_sites2    # one ACL per line (same-line ACLs are ANDed); note this makes Squid ignore server certificate errors for these sites</p>
<p class="gmail-p2" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69);min-height:14px"><br></p>
<p class="gmail-p1" style="font-family:"Helvetica Neue";margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;color:rgb(69,69,69)">debug_options<span class="gmail-Apple-converted-space">  </span>ALL,9</p></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 5 Feb 2019 at 09:25, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">[ Rules horribly mangled by sending a web page to a plain-text mailing<br>
list. I have fixed some where I replied, but not all. ]<br>
<br>
<br>
On 5/02/19 4:07 am, Walid A. Shaari wrote:<br>
> Hello,<br>
> <br>
> I have a squid proxy, trying to configure it to enforce traffic from a<br>
> private cloud appliance (Azure Stack) to go over to the corporate proxy.<br>
> traffic is mostly https, I see the below errors, note<br>
> that ParentProxy-22 is the parent proxy listening on port 9090.<br>
<br>
<br>
<br>
>  also,<br>
> why in the access logs I have some entries not going to parent proxy <br>
>  (e.g. 1549282865.527 13 192.168.3.10 NONE/200 0<br>
> CONNECT 52.138.216.83:443 - HIER_NONE/- -)<br>
> <br>
<br>
Some transactions do not need server contact. The above "CONNECT" with<br>
raw-IP:port, "NONE" status type, "NONE" peer type and 0 byte size is<br>
what gets logged for the SSL-Bump step-1 interaction when only a TCP SYN<br>
packet has actually happened.<br>
<br>
NP: Each step of SSL-Bump process has a separate log entry with<br>
incrementally more data up to the one with a 'final' result which<br>
instead logs the decrypted transactions or the error.<br>
<br>
<br>
> ### error logs ###Feb 4 15:26:38 azproxy squid[192272]: TCP connection<br>
> to ParentProxy-22/9090 failed <br>
> Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello<br>
> Message on FD 20 <br>
> Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 20:<br>
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol<br>
> (1/-1/0) <br>
<br>
The OpenSSL library on your proxy machine does not understand the<br>
protocol that it is receiving in the supposedly TLS / HTTPS traffic.<br>
<br>
Usually seeing this on peer connections means the peer is *not* a TLS<br>
explicit proxy, nor HTTPS / TLS origin server. Such things respond in<br>
their actual protocol with an error -> OpenSSL displays that message.<br>
<br>
<br>
...><br>
> cache_peer ParentProxy-22 parent 9090 0 no-query<br>
> sslcapath=/etc/pki/ca-trust/source/anchors/<br>
<br>
Two things of note:<br>
<br>
1) as above, does this peer *actually* support TLS connections on its<br>
port 9090?<br>
 Native TLS connections, not HTTP Upgrade or anything like that.<br>
<br>
2) That sslcapath= is providing an entire set of CAs. Any given server<br>
typically has one certificate, signed by one CA. So it is rare that you<br>
would need an entire set of CAs to be trusted by this proxy.<br>
<br>
For better security you should be able to load the specific CA that peer<br>
uses with sslcafile= instead of the whole path.<br>
<br>
<br>
> acl local-network dstdomain .<a href="http://azcompany.com" rel="noreferrer" target="_blank">azcompany.com</a><br>
> acl everything src <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a><br>
> http_access allow everything<br>
<br>
<br>
These are very deceptive.<br>
<br>
 * "everything" is actually a small sub-set of 'things'.<br>
<br>
 * "local-network" is not necessarily local. Any IP address with<br>
reverse-DNS configured to claim its name is within *.<a href="http://azcompany.com" rel="noreferrer" target="_blank">azcompany.com</a> will<br>
match this ACL regardless of where in the world it actually is.<br>
<br>
<br>
The default squid.conf defines an ACL "localnet" (Local Network) for the<br>
permitted clients subnet.<br>
<br>
The ACL called "all" is provided to match every transaction with a<br>
client IP.<br>
<br>
<br>
> never_direct deny local-network<br>
<br>
<br>
Fine, but why are you waiting until a place (never_direct) where Squid<br>
is unable to wait for results of reverse-DNS lookup?<br>
 That will result in unpredictable non-match occurring whenever DNS TTL<br>
is encountered.<br>
<br>
<br>
> never_direct allow all<br>
> http_port 8080 intercept<br>
> https_port 8090 intercept ssl-bump generate-host-certificates=on<br>
> cert=/etc/squid/ssl_certs/azproxyCA.pem dynamic_cert_mem_cache_size=16MB<br>
> #connection-auth=off<br>
> http_port 8100             #forward port not used.<br>
> <br>
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s<br>
> /var/spool/squid/ssl_db -M 4MB<br>
> acl step1 at_step SslBump1<br>
> ssl_bump peek step1<br>
> ssl_bump bump all<br>
<br>
> tls_outgoing_options /etc/pki/ca-trust/source/anchors/ca.crt<br>
<br>
Squid should be telling you on startup that there is no valid option<br>
named "/etc/pki/ca-trust/source/anchors/ca.crt"<br>
<br>
 tls_outgoing_options directive takes a set of k=v pairs setting the<br>
options just like http(s)_port and cache_peer.<br>
<br>
<br>
<br>
HTH<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
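Two ACL pitfalls in the squid.conf posted in this thread, modelled offline in Python. This is an added example, not Squid's code and not part of either message: the matching rules are re-implemented from Squid's documented behaviour, the host names are constructed, and the "bump" fallback is only a label for "no splice line matched", not a claim about what Squid does by default. First, Squid searches a dstdom_regex pattern anywhere in the destination name, so an unanchored, unescaped "microsoft.com" also matches an attacker-chosen SNI such as crl.microsoft.com.attacker.example. Second, every ACL name on one ssl_bump or sslproxy_cert_error line must match at once (AND), so "ssl_bump splice azure_sites azure_sites2" only splices names that are in both ACLs and lets an endpoint that is only in azure_sites fall through.

```python
"""Offline model of two Squid ACL pitfalls (added illustration, not Squid code).

1. dstdom_regex patterns are POSIX regexes *searched* anywhere in the name.
2. All ACL names on one ssl_bump line must match (AND); OR needs one line each.

Host names below are constructed test values.
"""
import re


def dstdom_regex(*patterns):
    """ACL predicate: does any pattern match somewhere in the destination name?
    Names are compared in lower case here; use -i in squid.conf if case varies."""
    compiled = [re.compile(p) for p in patterns]
    return lambda host: any(c.search(host.lower()) for c in compiled)


def first_matching_action(rules, host, fallback):
    """Evaluate [(action, [acl, ...]), ...]: the first line whose ACLs ALL
    match wins.  What happens when nothing matches is the caller's choice."""
    for action, acls in rules:
        if all(acl(host) for acl in acls):
            return action
    return fallback


# --- as posted: unanchored patterns, both ACL names on ONE splice line -------
posted_sites = dstdom_regex("microsoft.com", "azure.com", "azureedge.net",
                            "microsoftazurestack.com", "trafficmanager.net")
posted_sites2 = dstdom_regex("download.microsoft.com", "msdl.microsoft.com",
                             "crl.microsoft.com",
                             "secure.aadcdn.microsoftonline-p.com")
POSTED_SSL_BUMP = [("splice", [posted_sites, posted_sites2])]

# --- corrected: anchored, escaped patterns and one ACL per ssl_bump line -----
fixed_sites = dstdom_regex(r"(^|\.)microsoft\.com$", r"(^|\.)azure\.com$",
                           r"(^|\.)azureedge\.net$",
                           r"(^|\.)microsoftazurestack\.com$",
                           r"(^|\.)trafficmanager\.net$")
fixed_sites2 = dstdom_regex(r"^download\.microsoft\.com$",
                            r"^msdl\.microsoft\.com$", r"^crl\.microsoft\.com$",
                            r"^secure\.aadcdn\.microsoftonline-p\.com$")
FIXED_SSL_BUMP = [("splice", [fixed_sites]), ("splice", [fixed_sites2])]


def decision(rules, host):
    # "bump" is only a label meaning "no splice line matched this name".
    return first_matching_action(rules, host, fallback="bump")


if __name__ == "__main__":
    for host in ("management.azure.com",            # Azure endpoint, azure_sites only
                 "download.microsoft.com",          # in both ACLs
                 "crl.microsoft.com.attacker.example"):  # attacker-chosen SNI
        print(f"{host:40} posted={decision(POSTED_SSL_BUMP, host):6} "
              f"fixed={decision(FIXED_SSL_BUMP, host)}")
```

With the posted rules the Azure endpoint is not spliced at all (it is in only one of the two ANDed ACLs), while the attacker-controlled name is spliced because it contains both "microsoft.com" and "crl.microsoft.com" as substrings; the anchored patterns on separate lines give the intended result in both cases. The same AND rule applies to the sslproxy_cert_error line, where a substring match additionally disables certificate error checking for whatever name the client presents.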
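The reply above explains that the "NONE/200 0 CONNECT raw-IP:port ... HIER_NONE/-" entry is the SSL-Bump step-1 placeholder, not a transaction that bypassed the parent, and the original question was which entries really went direct. The following added example (not Squid's code and not part of the thread) parses native-format access.log lines, separates step-1 placeholders, spliced tunnels and bumped requests, and lists the targets that went HIER_DIRECT or ORIGINAL_DST instead of via a parent, which is the check one would run against a never_direct policy. The first sample line is the one quoted in the thread; the remaining lines, IP addresses and hierarchy codes in them are constructed for the example.

```python
"""Classify Squid native-format access.log lines (added example, not Squid code)."""
import ipaddress
import re
from collections import Counter

# native "squid" log format:
#   time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.612 88 192.168.3.10 TCP_TUNNEL/200 5123 CONNECT management.azure.com:443 - FIRSTUP_PARENT/192.168.4.22 -
1549282866.004 41 192.168.3.10 TCP_MISS/200 2201 GET https://download.microsoft.com/x.cab - HIER_DIRECT/192.0.2.10 application/octet-stream
1549282866.230 9 192.168.3.10 TCP_TUNNEL/200 1400 CONNECT portal.azcompany.com:443 - HIER_DIRECT/192.0.2.20 -
"""


def is_raw_ip_port(target):
    """True for '52.138.216.83:443' or '[2001:db8::1]:443' style targets,
    which is all intercept mode knows at step 1 (no SNI yet)."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def classify(line):
    """Return {'kind', 'route', 'target', 'peer'} or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if (f["code"] == "NONE" and f["method"] == "CONNECT" and f["bytes"] == "0"
            and f["hier"] == "HIER_NONE" and is_raw_ip_port(f["url"])):
        kind = "bump-step1"        # only the TCP SYN has happened so far
    elif f["code"] == "TCP_TUNNEL":
        kind = "tunnel"            # spliced (or plain) CONNECT tunnel
    elif f["url"].startswith("https://"):
        kind = "bumped-request"    # a decrypted request logged on its own
    else:
        kind = "other"
    if f["hier"].endswith("_PARENT"):          # FIRSTUP_PARENT, DEFAULT_PARENT, ...
        route = "parent"
    elif f["hier"] in ("HIER_DIRECT", "ORIGINAL_DST"):
        route = "direct"                       # parent proxy was bypassed
    else:
        route = "none"                         # HIER_NONE: nothing contacted
    return {"kind": kind, "route": route, "target": f["url"], "peer": f["peer"]}


def summarize(log_text):
    """Count entry kinds and list every target that did not go via a parent."""
    kinds = Counter()
    direct_targets = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry is None:
            continue
        kinds[entry["kind"]] += 1
        if entry["route"] == "direct":
            direct_targets.append(entry["target"])
    return {"kinds": kinds, "direct_targets": direct_targets}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(dict(result["kinds"]))
    print("bypassed the parent:", result["direct_targets"])
```

Run it against a real access.log by feeding the file contents to summarize(); step-1 placeholders are expected and carry no peer, so only the "direct" list needs explaining against the never_direct rules.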