<div dir="ltr"><div dir="ltr">I located the bug and found another way to deal with it.</div><div dir="ltr"><br></div><div dir="ltr">The bug is that cache_peer https CONNECT drops the port number.<br></div><div dir="ltr"><br></div><div dir="ltr">If you apply the compatibility treatment in the back-end proxy software, you can solve this problem.<br></div><div dir="ltr"><br></div><div dir="ltr">However, it would be best if it were resolved in squid.<br></div><div dir="ltr"><br></div><div>### 0x01 Wireshark packet</div><div><br></div><div>1) squid cache_peer https CONNECT packet.</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><span class="gmail-s1" style="color:rgb(222,147,95)">0040</span>   d1 d8 <span class="gmail-s1" style="color:rgb(222,147,95)">43</span> 4f 4e 4e <span class="gmail-s1" style="color:rgb(222,147,95)">45</span> <span class="gmail-s1" style="color:rgb(222,147,95)">43</span> <span class="gmail-s1" style="color:rgb(222,147,95)">54</span> <span class="gmail-s1" style="color:rgb(222,147,95)">20</span> <span class="gmail-s1" style="color:rgb(222,147,95)">64</span> 2e <span class="gmail-s1" style="color:rgb(222,147,95)">71</span> <span class="gmail-s1" style="color:rgb(222,147,95)">71</span> <span class="gmail-s1" style="color:rgb(222,147,95)">71</span> 2e   ..CONNECT d.qqq.</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><span class="gmail-s1" style="color:rgb(222,147,95)">0050</span>   <span class="gmail-s1" style="color:rgb(222,147,95)">77</span> <span class="gmail-s1" style="color:rgb(222,147,95)">69</span> 6e <span class="gmail-s1" style="color:rgb(222,147,95)">20</span> <span class="gmail-s1" style="color:rgb(222,147,95)">48</span> <span class="gmail-s1" style="color:rgb(222,147,95)">54</span> <span class="gmail-s1" style="color:rgb(222,147,95)">54</span> <span class="gmail-s1" style="color:rgb(222,147,95)">50</span> 2f <span class="gmail-s1" style="color:rgb(222,147,95)">31</span> 2e <span class="gmail-s1" style="color:rgb(222,147,95)">31</span> 0d 0a <span class="gmail-s1" style="color:rgb(222,147,95)">55</span> <span class="gmail-s1" style="color:rgb(222,147,95)">73</span>   win HTTP/1.1</p></div><div><br></div><div>2) glider verbose log</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><span class="gmail-s1" style="color:rgb(222,147,95)">2020</span>/09/28 <span class="gmail-s1" style="color:rgb(222,147,95)">17</span>:19:58 forward.go:118: [forwarder] DIRECT recorded <span class="gmail-s1" style="color:rgb(222,147,95)">1</span> failures, maxfailures: <span class="gmail-s1" style="color:rgb(222,147,95)">0</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><span class="gmail-s1" style="color:rgb(222,147,95)">2020</span>/09/28 <span class="gmail-s1" style="color:rgb(222,147,95)">17</span>:19:58 server.go:98: [http] *.*.*.*:53848 <-> d.qqq.win [c] via DIRECT, error in dial: dial tcp: address d.qqq.win: missing port in address</p></div><div><br></div><div>### 0x02 solution</div><div><br></div><div>Locate the cache_peer code in squid and add the missing port to the CONNECT function.</div><div><br></div><div>Or you can do the compatibility treatment in the back-end proxy software (bad idea).</div><div><br></div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 28, 2020 at 1:41 PM openwrt <<a href="mailto:openwrt.jp@gmail.com">openwrt.jp@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Yes, I've tried all of these combinations.<div><br></div><div>### 0x00 <span style="color:rgb(80,0,80)">cache_peer no ssl</span></div><div><span style="color:rgb(80,0,80)"><br></span></div><div>> ssl_bump allow all<span style="color:rgb(80,0,80)"><br>> cache_peer 127.0.0.1 parent 3129 0 【no ssl】</span><span style="color:rgb(80,0,80)"><br></span></div><div><span style="color:rgb(80,0,80)"><br></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">curl </span><a href="https://google.com/" rel="noreferrer" target="_blank">http://google.com</a><span style="color:rgb(34,34,34)"> -x http://admin:squid@localhost:3</span><span style="color:rgb(34,34,34)">128 -v  -k   【it is ok】</span><br></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><div><span><span 
style="color:rgb(34,34,34)">curl </span><a href="https://google.com/" rel="noreferrer" target="_blank">https://google.com</a><span style="color:rgb(34,34,34)"> -x https://admin:squid@localhost:3</span><span style="color:rgb(34,34,34)">128 -v  -k   【Get 502】</span><br></span></div><div></div></span></div><div><span style="color:rgb(80,0,80)"><div><span><div><span><span style="color:rgb(34,34,34)">curl </span><a href="https://google.com/" rel="noreferrer" target="_blank">https://google.com</a><span style="color:rgb(34,34,34)"> -x http://admin:squid@localhost:3</span><span style="color:rgb(34,34,34)">128 -v  -k     【Get 502】</span><br></span></div><div></div></span></div><div></div></span></div><div><span style="color:rgb(80,0,80)"><br></span></div><div><span style="color:rgb(80,0,80)">< HTTP/1.1 502 Bad Gateway<br>< X-Cache: MISS from <a href="http://example.com" target="_blank">example.com</a><br>< Transfer-Encoding: chunked<br>< Connection: keep-alive<span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><br></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">log json:</span></span></div><div><span style="color:rgb(80,0,80)">
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(181,189,104);background-color:rgb(28,31,33)"><span style="color:rgb(197,200,198)">{ </span>"clientip"<span style="color:rgb(197,200,198)">: </span>"127.0.0.1"<span style="color:rgb(197,200,198)">, </span>"ident"<span style="color:rgb(197,200,198)">: </span>"-"<span style="color:rgb(197,200,198)">, </span>"uname"<span style="color:rgb(197,200,198)">: </span>"admin"<span style="color:rgb(197,200,198)">, </span>"timestamp"<span style="color:rgb(197,200,198)">: </span>"2020-09-28T04:16:28+0000"<span style="color:rgb(197,200,198)">, </span>"verb"<span style="color:rgb(197,200,198)">: </span>"CONNECT"<span style="color:rgb(197,200,198)">, </span>"request"<span style="color:rgb(197,200,198)">: </span>"<a href="http://google.com:443" target="_blank">google.com:443</a>"<span style="color:rgb(197,200,198)">, </span>"httpversion"<span style="color:rgb(197,200,198)">: </span>"HTTP/1.1"<span style="color:rgb(197,200,198)">, </span>"response"<span style="color:rgb(197,200,198)">: </span><span style="color:rgb(222,147,95)">200</span><span style="color:rgb(197,200,198)">, </span>"bytes"<span style="color:rgb(197,200,198)">: </span><span style="color:rgb(222,147,95)">0</span><span style="color:rgb(197,200,198)">, </span>"referer"<span style="color:rgb(197,200,198)">: </span>"-"<span style="color:rgb(197,200,198)">, </span>"agent"<span style="color:rgb(197,200,198)">: </span>"curl/7.47.0"<span style="color:rgb(197,200,198)">, </span>"request_status"<span style="color:rgb(197,200,198)">: </span>"HIER_NONE"<span style="color:rgb(197,200,198)">, </span>"hierarchy_status"<span style="color:rgb(197,200,198)">: </span>"HIER_NONE"<span style="color:rgb(197,200,198)"> }</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(181,189,104);background-color:rgb(28,31,33)"><span style="color:rgb(197,200,198)">{ </span>"clientip"<span style="color:rgb(197,200,198)">: </span>"127.0.0.1"<span style="color:rgb(197,200,198)">, </span>"ident"<span style="color:rgb(197,200,198)">: </span>"-"<span style="color:rgb(197,200,198)">, </span>"uname"<span style="color:rgb(197,200,198)">: </span>"admin"<span style="color:rgb(197,200,198)">, </span>"timestamp"<span style="color:rgb(197,200,198)">: </span>"2020-09-28T04:16:28+0000"<span style="color:rgb(197,200,198)">, </span>"verb"<span style="color:rgb(197,200,198)">: </span>"GET"<span style="color:rgb(197,200,198)">, </span>"request"<span style="color:rgb(197,200,198)">: </span>"<a href="https://google.com/" target="_blank">https://google.com/</a>"<span style="color:rgb(197,200,198)">, </span>"httpversion"<span style="color:rgb(197,200,198)">: </span>"HTTP/1.1"<span style="color:rgb(197,200,198)">, </span>"response"<span style="color:rgb(197,200,198)">: </span><span style="color:rgb(222,147,95)">502</span><span style="color:rgb(197,200,198)">, </span>"bytes"<span style="color:rgb(197,200,198)">: </span><span style="color:rgb(222,147,95)">117</span><span style="color:rgb(197,200,198)">, </span>"referer"<span style="color:rgb(197,200,198)">: </span>"-"<span style="color:rgb(197,200,198)">, </span>"agent"<span style="color:rgb(197,200,198)">: </span>"curl/7.47.0"<span style="color:rgb(197,200,198)">, </span>"request_status"<span style="color:rgb(197,200,198)">: </span>"HIER_NONE"<span style="color:rgb(197,200,198)">, </span>"hierarchy_status"<span style="color:rgb(197,200,198)">: </span>"HIER_NONE"<span style="color:rgb(197,200,198)"> }</span></p></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><span 
style="color:rgb(34,34,34)">### 0x01 </span></span>cache_peer with ssl</div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><div>> ssl_bump allow all<span><br>> cache_peer 127.0.0.1 parent 3129 0  ssk</span><br></div><div><span><br></span></div><div><span><span style="color:rgb(34,34,34)">curl </span><a href="https://google.com/" rel="noreferrer" target="_blank">http://google.com</a><span style="color:rgb(34,34,34)"> -x http://admin:squid@localhost:3</span><span style="color:rgb(34,34,34)">128 -v  -k   【</span>Get 502<span style="color:rgb(34,34,34)">】</span></span></div><div><span><div><span><span style="color:rgb(34,34,34)">curl </span><a href="https://google.com/" rel="noreferrer" target="_blank">https://google.com</a><span style="color:rgb(34,34,34)"> -x https://admin:squid@localhost:3</span><span style="color:rgb(34,34,34)">128 -v  -k   【Get 502】</span><br></span></div><div></div></span></div><div><span><br></span></div><div>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< HTTP/1.1 <span style="color:rgb(222,147,95)">503</span> Service Unavailable</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< Server: squid/5.0.4</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< Mime-Version: <span style="color:rgb(222,147,95)">1</span>.0</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< Date: Mon, <span style="color:rgb(222,147,95)">28</span> Sep <span style="color:rgb(222,147,95)">2020</span> <span style="color:rgb(222,147,95)">04</span>:21:00 GMT</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< Content-Type: text/html;<span style="color:rgb(204,102,102)">charset</span>=utf-8</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< Content-Length: <span style="color:rgb(222,147,95)">1649</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)">< X-Squid-Error: ERR_SECURE_CONNECT_FAIL <span style="color:rgb(222,147,95)">71</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33);min-height:14px"><br></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><p>The system returned:</p></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><blockquote <span style="color:rgb(204,102,102)">id</span>=<span style="color:rgb(181,189,104)">"data"</span>></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><pre>(<span style="color:rgb(222,147,95)">71</span>) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"><p>Handshake with SSL server failed: [No Error]</p></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Menlo;color:rgb(197,200,198);background-color:rgb(28,31,33)"></blockquote></p></div></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">### 0x02 how to send outgoing https requests via </span></span>cache_peer (on squid 5.0.4 / proxy chain)</div><div><br></div><div>Similar to the feature of Charles or <span style="color:rgb(77,81,86);font-family:arial,sans-serif;font-size:14px">Fiddler (open an http(s) proxy on 8080, capture the request, then send it out through another http(s)/socks4/5 proxy).</span></div><div><span style="color:rgb(77,81,86);font-family:arial,sans-serif;font-size:14px"><br></span></div><div><span style="color:rgb(77,81,86);font-family:arial,sans-serif;font-size:14px">1. </span>Fiddler gateway: <a href="https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway" target="_blank">https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway</a></div><div><br></div><div>curl <a href="https://google.com" target="_blank">https://google.com</a> -x <a href="http://squid:3128" target="_blank">http://squid:3128</a> --> outgoing (cache_peer: like Fiddler gateway) --> <a href="http://google.com:443" target="_blank">google.com:443</a></div><div><br></div><div>The cache_peer should ignore ssl VERIFY!!! like other software.</div><div><br></div><div>On squid 5.0.4, http is ok; https gets an ERR_SECURE_CONNECT_FAIL error.</div><div><br></div><div><span style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"><br></span></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 28, 2020 at 6:48 AM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 9/27/20 12:07 PM, sec wrote:<br>
<br>
> http_port 3128 ssl-bump ...<br>
<br>
> curl <a href="http://google.com" rel="noreferrer" target="_blank">http://google.com</a> -x https://admin:squid@localhost:3128 -v  -k<br>
<br>
The above two lines do not match AFAICT: You tell curl to use an HTTPS<br>
proxy, but you tell Squid to expect plain HTTP proxy requests.<br>
<br>
Also, please note that if you fix the above problem by moving "https"<br>
from "-x" to the origin server URL, then you will probably face another<br>
problem:<br>
<br>
curl <a href="https://google.com" rel="noreferrer" target="_blank">https://google.com</a> -x http://admin:squid@localhost:3128 -v  -k<br>
<br>
> ssl_bump allow all<br>
<br>
> cache_peer 127.0.0.1 parent 3129 0 ssl<br>
<br>
Squid does not (yet) support "TLS inside TLS": Talking TLS with the<br>
origin server through a cache_peer that also expects a TLS connection.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
</blockquote></div>
</blockquote></div></div>
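Added example, not code from this thread, from Squid or from glider: a Go parser for the CONNECT request line captured in the packet dump above. It applies the strict RFC 7231 authority-form check (host:port) that yields the same "missing port in address" condition glider logged, and keeps the downstream fallback to 443 that the poster calls a bad idea as a separate, logged function. The sample request lines, ErrMissingPort, parseConnectTarget and compatTarget are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed samples: the request line Squid sent to the peer in the packet
// dump above (no port), and the well-formed authority-form for comparison.
const (
	badLine  = "CONNECT d.qqq.win HTTP/1.1"
	goodLine = "CONNECT d.qqq.win:443 HTTP/1.1"
)

var ErrMissingPort = errors.New("CONNECT target missing port") // bare host, no :port

// parseConnectTarget validates a CONNECT request line (RFC 7231 authority-form,
// host:port). A bare host is rejected, the condition glider logged as "missing port".
func parseConnectTarget(line string) (host string, port int, err error) {
	fields := strings.Fields(line)
	if len(fields) != 3 || fields[0] != "CONNECT" || !strings.HasPrefix(fields[2], "HTTP/1.") {
		return "", 0, fmt.Errorf("malformed CONNECT request line: %q", line)
	}
	host, portStr, err := net.SplitHostPort(fields[1])
	if err != nil {
		var ae *net.AddrError // net.SplitHostPort reports a missing port this way
		if errors.As(err, &ae) && ae.Err == "missing port in address" {
			return fields[1], 0, ErrMissingPort
		}
		return "", 0, err
	}
	if port, err = strconv.Atoi(portStr); err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port %q in CONNECT target", portStr)
	}
	return host, port, nil
}

// compatTarget is the downstream workaround the poster calls a bad idea: if the
// upstream proxy omitted the port, assume 443, but log it so the malformed request stays visible.
func compatTarget(line string) (string, int, error) {
	host, port, err := parseConnectTarget(line)
	if errors.Is(err, ErrMissingPort) {
		fmt.Printf("[compat] CONNECT %s has no port, assuming 443\n", host)
		return host, 443, nil
	}
	return host, port, err
}

func main() {
	h, p, err := compatTarget(badLine) // the fallback in action on the dumped request line
	fmt.Printf("%q -> %s:%d err=%v\n", badLine, h, p, err)
}
```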