<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<div class=""><br class=""></div><div class="">Interestingly this seems to work on a http_proxy listener:</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); color: rgb(82, 91, 107); font-family: "JetBrains Mono", monospace;" class="">http_port 0.0.0.0:3129 ssl-bump \<br class=""> <span style="color: rgb(151, 53, 180);" class="">generate-host-certificates</span>=on <span style="color: rgb(151, 53, 180);" class="">dynamic_cert_mem_cache_size</span>=10MB \<br class=""> <span style="color: rgb(151, 53, 180);" class="">cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">key</span>=/etc/squid/ssl/squid.key<br class=""> <span style="color: rgb(181, 190, 206);" class="">#tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key<br class=""></span><span style="color: rgb(181, 190, 206);" class=""><br class=""></span>always_direct allow all<br class="">ssl_bump bump all</pre><div class=""><br class=""></div><div class="">But with https_port, I require tproxy/intercept which if I configure it returns:</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); color: rgb(82, 91, 107); font-family: "JetBrains Mono", monospace;" class="">http_port 0.0.0.0:3128 ssl-bump<span style="color: rgb(181, 190, 206);" class=""><br class=""></span>https_port 0.0.0.0:3129 ssl-bump intercept \<br class=""> <span style="color: rgb(151, 53, 180);" class="">generate-host-certificates</span>=on <span style="color: rgb(151, 53, 180);" class="">dynamic_cert_mem_cache_size</span>=10MB \<br class=""> <span style="color: rgb(151, 53, 180);" class="">cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">key</span>=/etc/squid/ssl/squid.key \<br 
class=""> <span style="color: rgb(151, 53, 180);" class="">tls-cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">tls-key</span>=/etc/squid/ssl/squid.key</pre><div class=""><div class="">2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory</div><div class="">2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory</div><div class="">2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33</div><div class="">2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33</div><div class="">1614859887.972 0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -</div></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">And:</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); color: rgb(82, 91, 107); font-family: "JetBrains Mono", monospace;" class="">http_port 0.0.0.0:3128 ssl-bump<span style="color: rgb(181, 190, 206);" class=""><br class=""></span>https_port 0.0.0.0:3129 ssl-bump tproxy \<br class=""> <span style="color: rgb(151, 53, 180);" class="">generate-host-certificates</span>=on <span style="color: rgb(151, 53, 180);" class="">dynamic_cert_mem_cache_size</span>=10MB \<br class=""> <span style="color: rgb(151, 53, 180);" class="">cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">key</span>=/etc/squid/ssl/squid.key \<br class=""> <span style="color: rgb(151, 53, 180);" class="">tls-cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" 
class="">tls-key</span>=/etc/squid/ssl/squid.key</pre><div class=""><br class=""></div></div><div class=""><div class="">FATAL: https_port: TPROXY support in the system does not work.</div></div><div class=""><br class=""></div><div class="">
<meta charset="UTF-8" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class="Apple-interchange-newline">Niels Hofmans<br class=""><br class="">SITE <a href="https://ironpeak.be" class="">https://ironpeak.be</a><br class="">BTW BE0694785660<br class="">BANK BE76068909740795</div>
</div>
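<div class="">A method-aware ICAP REQMOD responder, added here as an illustration (this is not Squid's code nor the code of the ICAP service discussed in the thread). It shows the two protocol details the quoted 12:21 exchange turns on: the <code>Encapsulated</code> offsets (the thread's <code>null-body=84</code> is simply the byte length of the CONNECT header block), and why a REQMOD service must look at the HTTP method before touching the request line: a CONNECT target is authority-form (<code>host:port</code>), so prefixing or appending a path to it produces the broken <code>CONNECT //ironpeak.be:443/blog/...</code> line seen in the quote. The CONNECT sample below is taken from the thread; the GET sample, the marker header <code>X-Example-Scanned</code> and the <code>build_reqmod</code> helper are constructed assumptions.</div>

```python
"""Method-aware ICAP REQMOD responder (added illustration, not Squid's or the
ICAP service's own code).  Follows RFC 3507: 'Allow: 204' from the client means
it accepts '204 No Modifications'; 'Encapsulated' offsets are byte offsets into
the section that follows the ICAP headers."""

# Hypothetical marker header inserted into non-CONNECT requests (constructed).
ADDED_HEADER = b"X-Example-Scanned: yes"

# Taken from the thread's REQMOD exchange: this block is exactly 84 bytes,
# which is why Squid announced 'Encapsulated: req-hdr=0, null-body=84'.
CONNECT_BLOCK = (b"CONNECT ironpeak.be:443 HTTP/1.1\r\n"
                 b"User-Agent: curl/7.64.1\r\n"
                 b"Host: ironpeak.be:443\r\n\r\n")

# Constructed sample of what a bumped (decrypted) request inside the tunnel
# would look like; the thread itself shows no such request reaching ICAP.
GET_BLOCK = (b"GET https://ironpeak.be/blog/big-sur-t2rminator/ HTTP/1.1\r\n"
             b"Host: ironpeak.be\r\n\r\n")


def parse_headers(raw_lines):
    """Turn b'Name: value' lines into a dict keyed by lower-cased str names."""
    headers = {}
    for line in raw_lines:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers


def parse_encapsulated(value):
    """'req-hdr=0, null-body=84' -> [('req-hdr', 0), ('null-body', 84)], in order."""
    parts = []
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        parts.append((name, int(offset)))
    return parts


def split_reqmod(message):
    """Return (icap_headers, (method, target, version), http_header_block)."""
    icap_head, _, encapsulated = message.partition(b"\r\n\r\n")
    icap_headers = parse_headers(icap_head.split(b"\r\n")[1:])
    offsets = parse_encapsulated(icap_headers["encapsulated"])
    names = [name for name, _ in offsets]
    idx = names.index("req-hdr")
    # The req-hdr section runs from its own offset to the next section's offset.
    start, end = offsets[idx][1], offsets[idx + 1][1]
    http_block = encapsulated[start:end]
    request_line = http_block.split(b"\r\n", 1)[0]
    method, target, version = request_line.split(b" ")
    return icap_headers, (method, target, version), http_block


def icap_response(status, http_block=None):
    """Build the ICAP reply; for 200 the null-body offset is the block length."""
    if status == 204:
        return (b"ICAP/1.0 204 No Modifications\r\n"
                b"Connection: close\r\n"
                b"Encapsulated: null-body=0\r\n\r\n")
    head = (b"ICAP/1.0 200 OK\r\n"
            b"Connection: close\r\n"
            b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(http_block))
    return head + http_block


def handle_reqmod(message):
    """Decide per HTTP method; never rewrite an authority-form CONNECT target."""
    icap_headers, (method, target, version), http_block = split_reqmod(message)
    client_accepts_204 = "204" in icap_headers.get("allow", "")
    if method == b"CONNECT":
        # target is 'host:port'; adding a path here is the bug shown in the thread.
        if client_accepts_204:
            return icap_response(204)
        return icap_response(200, http_block)   # echo the block unchanged
    # Ordinary request: insert the marker header right after the request line
    # and let icap_response recompute the null-body offset for the new length.
    request_line, _, rest = http_block.partition(b"\r\n")
    modified = request_line + b"\r\n" + ADDED_HEADER + b"\r\n" + rest
    return icap_response(200, modified)


def build_reqmod(http_block, allow_204=True):
    """Client side (constructed): wrap an HTTP header block in a REQMOD request."""
    head = (b"REQMOD icap://10.10.0.119:1344/ ICAP/1.0\r\n"
            b"Host: 10.10.0.119:1344\r\n"
            b"Encapsulated: req-hdr=0, null-body=%d\r\n" % len(http_block))
    if allow_204:
        head += b"Allow: 204\r\n"
    return head + b"\r\n" + http_block


if __name__ == "__main__":
    print(handle_reqmod(build_reqmod(CONNECT_BLOCK)).decode())
    print(handle_reqmod(build_reqmod(GET_BLOCK)).decode())
```

<div class="">Running the block prints a <code>204 No Modifications</code> for the CONNECT sample and a <code>200 OK</code> carrying the modified GET block, with <code>null-body</code> recomputed from the new block length; a service that answers 200 with a stale offset will make the proxy misparse the encapsulated headers just as surely as the mangled request line did.</div>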
<div><br class=""><div class="">On 4 Mar 2021, at 12:21, Niels Hofmans <<a href="mailto:hello@ironpeak.be" class="">hello@ironpeak.be</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<div class=""><br class=""></div><div class="">I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?</div><div class=""><br class=""></div><div class="">So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:</div><div class=""><br class=""></div><div class=""><div class="">OPTIONS <a href="icap://10.10.0.119:1344/" class="">icap://10.10.0.119:1344/</a> ICAP/1.0</div><div class="">Host: 10.10.0.119:1344</div><div class="">Allow: 206</div><div class=""><br class=""></div><div class="">ICAP/1.0 200 OK</div><div class="">Allow: 200,204</div><div class="">Connection: close</div><div class="">Date: Thu, 04 Mar 2021 11:11:45 GMT</div><div class="">Encapsulated: null-body=0</div><div class="">Methods: REQMOD,REQRESP</div><div class="">Preview: 0</div><div class="">Transfer-Preview: *</div><div class=""><br class=""></div><div class="">CONNECT <a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a> HTTP/1.1</div><div class="">User-Agent: curl/7.64.1</div><div class="">Host: <a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a></div><div class=""><br class=""></div><div class="">REQMOD <a href="icap://10.10.0.119:1344/" class="">icap://10.10.0.119:1344/</a> ICAP/1.0</div><div class="">Host: 10.10.0.119:1344</div><div class="">Date: Thu, 04 Mar 2021 11:11:23 GMT</div><div class="">Encapsulated: req-hdr=0, null-body=84</div><div class="">Preview: 0</div><div class="">Allow: 204</div><div class=""><br class=""></div><div 
class="">ICAP/1.0 200 OK</div><div class="">Connection: close</div><div class="">Date: Thu, 04 Mar 2021 11:11:23 GMT</div><div class="">Encapsulated: req-hdr=0, null-body=111</div><div class=""><br class=""></div><div class="">CONNECT //<a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a><b class="">/blog/big-sur-t2rminator/ </b>HTTP/1.1 <<<< here is my bug</div><div class="">Host: <a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a></div><div class="">User-Agent: curl/7.64.1</div><div class=""><br class=""></div><div class="">But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:</div><div class=""><br class=""></div><div class=""><div class="">CONNECT <a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a> HTTP/1.1</div><div class="">User-Agent: curl/7.64.1</div><div class="">Host: <a href="http://ironpeak.be:443/" class="">ironpeak.be:443</a></div><div class=""><br class=""></div><div class="">REQMOD <a href="icap://10.10.0.119:1344/" class="">icap://10.10.0.119:1344/</a> ICAP/1.0</div><div class="">Host: 10.10.0.119:1344</div><div class="">Date: Thu, 04 Mar 2021 11:19:00 GMT</div><div class="">Encapsulated: req-hdr=0, null-body=84</div><div class="">Preview: 0</div><div class="">Allow: 204</div><div class=""><br class=""></div><div class="">ICAP/1.0 204 No Modifications</div><div class="">Connection: close</div><div class="">Date: Thu, 04 Mar 2021 11:19:00 GMT</div><div class="">Encapsulated: null-body=0</div><div class=""><br class=""></div><div class="">..TLS ciphertext.. <<<<. 
No more ICAP requests</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Any idea on how I pass -every- sslbumped request to ICAP?</div><div class="">Thank you.</div><div class=""><br class=""></div><div class="">Regards,</div><div class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Niels Hofmans<br class="">SITE <a href="https://ironpeak.be/" class="">https://ironpeak.be</a><br class=""></div>
</div>
<div class=""><br class=""><div class="">On 4 Mar 2021, at 12:01, NgTech LTD <<a href="mailto:ngtech1ltd@gmail.com" class="">ngtech1ltd@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class="">Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?<div dir="auto" class=""><br class=""></div><div dir="auto" class="">Eliezer</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">בתאריך יום ה׳, 4 במרץ 2021, 12:36, מאת Niels Hofmans <<a href="mailto:hello@ironpeak.be" class="">hello@ironpeak.be</a>>:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class="">Hi guys,<div class=""><br class=""></div><div class="">I’m asking here but since I’m not too comfortable with a mailing list, it’s also on <a href="http://serverfault.com/" target="_blank" rel="noreferrer" class="">serverfault.com</a>: <a href="https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately" target="_blank" rel="noreferrer" class="">https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately</a></div><div class=""><br class=""></div><div class="">I have an odd issue that squid will return a HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. 
HTTP website works fine.</div><div class="">Any ideas?</div><div class=""><br class=""></div><div class="">Config:</div><div class=""><br class=""></div><div class=""><div class="">visible_hostname proxy</div><div class="">forwarded_for delete</div><div class="">via off</div><div class="">httpd_suppress_version_string on</div><div class="">logfile_rotate 0</div><div class="">cache_log stdio:/dev/stdout</div><div class="">access_log stdio:/dev/stdout</div><div class="">cache_store_log stdio:/dev/stdout</div><div class="">dns_v4_first on</div><div class="">cache_dir ufs /cache 100 16 256</div><div class="">pid_filename /cache/squid.pid</div><div class="">mime_table /usr/share/squid/mime.conf</div><div class="">http_port <a href="http://0.0.0.0:3128/" target="_blank" rel="noreferrer" class="">0.0.0.0:3128</a></div><div class="">https_port <a href="http://0.0.0.0:3129/" target="_blank" rel="noreferrer" class="">0.0.0.0:3129</a> \</div><div class=""> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \</div><div class=""> tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key</div><div class="">ssl_bump peek all</div><div class="">ssl_bump bump all</div><div class="">quick_abort_min 0</div><div class="">quick_abort_max 0</div><div class="">quick_abort_pct 95</div><div class="">pinger_enable off</div><div class="">icap_enable on</div><div class="">icap_service_failure_limit -1</div><div class="">icap_service service_req reqmod_precache bypass=0 <a rel="noreferrer" class="">icap://10.10.0.119:1344/</a></div><div class="">icap_preview_enable on</div><div class="">adaptation_access service_req allow all</div><div class="">cache_mem 512 mb</div><div class="">dns_nameservers 1.1.1.1 1.0.0.1</div><div class="">cache_effective_user proxy</div><div class="">sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB</div><div class="">sslcrtd_children 8 startup=1 idle=1</div><div class="">sslproxy_cert_error allow all</div><div 
class="">http_access allow all</div></div><div class=""><br class=""></div><div class="">Log line HTTPS when it doesn’t work:</div><div class=""><div class="">1614853306.542 40 172.17.0.1 NONE/503 0 CONNECT //<a href="http://ironpeak.be:443/" target="_blank" rel="noreferrer" class="">ironpeak.be:443</a> - HIER_NONE/- -</div><div class=""><br class=""></div><div class=""><div class="">< HTTP/1.1 503 Service Unavailable</div><div class="">< Server: squid</div><div class="">< Mime-Version: 1.0</div><div class="">< Date: Thu, 04 Mar 2021 10:36:05 GMT</div><div class="">< Content-Type: text/html;charset=utf-8</div><div class="">< Content-Length: 1849</div><div class="">< X-Squid-Error: ERR_DNS_FAIL 0</div></div><div class=""><br class=""></div><div class=""><br class=""></div></div><div class="">Log line HTTP when it does work:</div><div class=""><div class=""> -1 1614851916 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div class="">1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8 301 1614853320 -1 1614853320 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a></div><div class="">1614853320.748 302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" target="_blank" rel="noreferrer" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a> - HIER_DIRECT/<a href="http://104.21.60.47/" target="_blank" rel="noreferrer" class="">104.21.60.47</a> text/plain</div></div><div class=""><br class=""></div><div class="">Example CLI command used:</div><div class="">ALL_PROXY="<a href="https://127.0.0.1:3129/" target="_blank" rel="noreferrer" class="">https://127.0.0.1:3129</a>" curl -vvv --proxy-insecure <a href="http://ironpeak.be/" target="_blank" rel="noreferrer" 
class="">http://ironpeak.be/</a></div><div class=""><br class=""></div><div class="">Command used to start squid:</div><div class=""><pre style="background-color:rgb(255,255,255);color:rgb(82,91,107);font-family:"JetBrains Mono",monospace" class=""><span style="color:rgb(105,159,66)" class="">exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1</span></pre><div class="">Package info:</div></div><div class=""><div class="">Package: squid-openssl</div><div class="">Version: 4.13-5</div></div><div class=""><br class=""></div><div class="">Many thanks!</div><div class=""><div class="">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class="">Regards,<br class="">Niels Hofmans<br class=""><br class="">SITE <a href="https://ironpeak.be/" target="_blank" rel="noreferrer" class="">https://ironpeak.be</a><br class=""></div></div></div></div>_______________________________________________<br class="">
squid-users mailing list<br class="">
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer" class="">squid-users@lists.squid-cache.org</a><br class="">
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank" class="">http://lists.squid-cache.org/listinfo/squid-users</a><br class="">
</blockquote></div>
</div></div><br class=""></div></div></div></div><br class=""></div></body></html>