<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Amos,<div class=""><br class=""></div><div class="">Thank you for getting back to me.</div><div class="">So if ssl-bump is required on the http(s)_port directive, I end up at:</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); color: rgb(82, 91, 107); font-family: &quot;JetBrains Mono&quot;, monospace;" class="">http_port 0.0.0.0:3128<br class="">https_port 0.0.0.0:3129 ssl-bump intercept \<br class=""> <span style="color: rgb(151, 53, 180);" class="">generate-host-certificates</span>=on <span style="color: rgb(151, 53, 180);" class="">dynamic_cert_mem_cache_size</span>=10MB \<br class=""> <span style="color: rgb(151, 53, 180);" class="">cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">key</span>=/etc/squid/ssl/squid.key \<br class=""> <span style="color: rgb(151, 53, 180);" class="">tls-cert</span>=/etc/squid/ssl/squid.crt <span style="color: rgb(151, 53, 180);" class="">tls-key</span>=/etc/squid/ssl/squid.key<br class=""><br class="">always_direct allow all<br class="">ssl_bump bump all</pre><div class=""><br class=""></div><div class="">This, however, ends up with the following logs:</div><div class=""><br class=""></div><div class=""><div class="">2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory</div><div class="">2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory</div><div class="">2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33</div><div class="">2021/03/04 12:37:43 kid1| ERROR: 
NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33</div><div class="">1614861463.880 0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -</div></div><div class=""><br class=""></div><div class="">Command to reproduce:</div><div class=""><br class=""></div><div class=""><div class=""> % ALL_PROXY="<a href="http://127.0.0.1:3129" class="">http://127.0.0.1:3129</a>" curl -k -vvv --proxy-insecure -X POST --data 'foo' <a href="https://ironpeak.be/" class="">https://ironpeak.be/</a></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Regards,</div><div class=""><div class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Niels Hofmans<br class=""><br class="">SITE <a href="https://ironpeak.be" class="">https://ironpeak.be</a><br class="">BTW BE0694785660<br class="">BANK BE76068909740795</div>
</div>
<div><br class=""><div class="">On 4 Mar 2021, at 13:25, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" class="">squid3@treenet.co.nz</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 4/03/21 11:36 pm, Niels Hofmans wrote:<br class=""><blockquote type="cite" class="">Hi guys,<br class="">I’m asking here but since I’m not too comfortable with a mailing list, it’s also on <a href="http://serverfault.com" class="">serverfault.com</a> <<a href="http://serverfault.com" class="">http://serverfault.com</a>>: <a href="https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately" class="">https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately</a> <<a href="https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately" class="">https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately</a>><br class="">I have an odd issue that squid will return a HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. 
HTTP website works fine.<br class="">Any ideas?<br class="">Config:<br class="">visible_hostname proxy<br class="">forwarded_for delete<br class="">via off<br class="">httpd_suppress_version_string on<br class="">logfile_rotate 0<br class="">cache_log stdio:/dev/stdout<br class="">access_log stdio:/dev/stdout<br class="">cache_store_log stdio:/dev/stdout<br class="">dns_v4_first on<br class="">cache_dir ufs /cache 100 16 256<br class="">pid_filename /cache/squid.pid<br class="">mime_table /usr/share/squid/mime.conf<br class="">http_port 0.0.0.0:3128<br class="">https_port 0.0.0.0:3129 \<br class=""> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \<br class=""> tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key<br class=""></blockquote><br class=""><br class="">Neither of these Squid listening ports do SSL-Bump (aka. interception of TLS) in any way.<br class=""><br class="">The first receives normal HTTP forward/explicit proxy traffic over TCP.<br class=""><br class="">The second receives normal HTTP forward/explicit proxy traffic over TLS (aka "TLS explicit proxy"). 
Not to be confused with HTTPS (https:// URLs).<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">ssl_bump peek all<br class="">ssl_bump bump all<br class="">quick_abort_min 0<br class="">quick_abort_max 0<br class="">quick_abort_pct 95<br class="">pinger_enable off<br class="">icap_enable on<br class="">icap_service_failure_limit -1<br class="">icap_service service_req reqmod_precache bypass=0 <a href="icap://10.10.0.119:1344/" class="">icap://10.10.0.119:1344/</a><br class="">icap_preview_enable on<br class="">adaptation_access service_req allow all<br class="">cache_mem 512 mb<br class="">dns_nameservers 1.1.1.1 1.0.0.1<br class="">cache_effective_user proxy<br class="">sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB<br class="">sslcrtd_children 8 startup=1 idle=1<br class="">sslproxy_cert_error allow all<br class="">http_access allow all<br class="">Log line HTTPS when it doesn’t work:<br class="">1614853306.542 40 172.17.0.1 NONE/503 0 CONNECT //<a href="http://ironpeak.be:443" class="">ironpeak.be:443</a> - HIER_NONE/- -<br class=""></blockquote><br class="">This is an https:// request which the client is tunneling (CONNECT) through a forward/explicit proxy.<br class=""><br class=""><br class=""><blockquote type="cite" class="">&lt; HTTP/1.1 503 Service Unavailable<br class="">&lt; Server: squid<br class="">&lt; Mime-Version: 1.0<br class="">&lt; Date: Thu, 04 Mar 2021 10:36:05 GMT<br class="">&lt; Content-Type: text/html;charset=utf-8<br class="">&lt; Content-Length: 1849<br class="">&lt; X-Squid-Error: ERR_DNS_FAIL 0<br class="">Log line HTTP when it does work:<br class=""> -1 1614851916 text/plain 60/60 GET <a href="http://ironpeak.be/blog/big-sur-t2rminator/" class="">http://ironpeak.be/blog/big-sur-t2rminator/</a> <br class=""></blockquote><br class=""><br class="">As you can see this is *not* an HTTPS (https://) request. 
It is a normal HTTP (http://) request sent to a proxy over TLS - which is what your port 3129 is expecting.<br class=""><br class=""><br class="">Amos<br class="">_______________________________________________<br class="">squid-users mailing list<br class=""><a href="mailto:squid-users@lists.squid-cache.org" class="">squid-users@lists.squid-cache.org</a><br class="">http://lists.squid-cache.org/listinfo/squid-users<br class=""></div></div></div><br class=""></div></div></body></html>