[squid-users] ssl-bump doesn't decrypt https traffic - please help

Rafael Akchurin rafael.akchurin at diladele.com
Thu Oct 16 10:21:56 UTC 2014


Hello Strudel,


Please remove the 'ssl_bump client-first all' directive from your squid.conf because the 'include "/opt/qlproxy/etc/squid/squid.acl"' already contains 'ssl_bump server-first all' (or should contain).


This file is generated from the Web UI of Diladele when you click the "enable ssh filtering for all sites" setting. By default though it is set to 'off' to comply with legal regulations in some countries.


It would also be nice if you could post the contents of it either here or in a private e-mail to me, so as not to pollute the overall discussion.


Best regards,

Rafael Akchurin

Diladele B.V.



________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of apfelstrudel <apfelstrudel at op.pl>
Sent: Thursday, October 16, 2014 10:13 AM
To: squid-users at squid-cache.org
Subject: [squid-users] ssl-bump doesn't decrypt https traffic - please help

Hello.
I am trying to get ssl-bump to decrypt https traffic transparently so that I could filter out adult videos from youtube and to globally enforce google safesearch on my network with diladele web safety. I also want to run dansguardian to filter http. I managed to pass https traffic transparently to squid but ssl-bump doesn't decrypt it. In logs I can see the https websites but in an encrypted form of website's.ip.address:port (45.231.21.56:443 for example) instead of https url (like https://youtube.com). That means that traffic is still encrypted and because of that, diladele can't filter https.

The squid is installed on an eee pc netbook with fedora 20 installed. This machine is also my router and a network gateway. 172.16.34.254 is the ip on which the netbook "sees" the internal network, which consists of: 1 tp-link router directly connected to the eee. That router is connected wirelessly (Wi-Fi antenna) to the second TP-Link router (bridge) in my house. The bridge router is then connected by an ethernet cable to another router to which my devices finally (phone, tablet, pc, printer) connect. So in summary:

My device (PC, tablet, phone) ----> Router (Netgear) ----> TP-Link Bridge Router ------> Router (TP-Link) ----> Network gateway/router (eee pc running fedora 20) with squid installed.

With the current configuration dansguardian works (http), diladele web safety works (only http) and the https traffic is passed transparently through squid, but not decrypted:

172.16.34.253 TCP_MISS/301 848 GET http://pl-pl.facebook.com/ - HIER_DIRECT/31.13.93.97 text/html
172.16.34.254 TCP_MISS/200 50622 CONNECT 2.22.52.26:443 - HIER_DIRECT/2.22.52.26 -  <----- this should be https://pl-pl.facebook.com but ssl-bump doesn't decrypt traffic.

The IP addresses on the beginning of each line are different because http requests go from dansguardian internally. The https requests go directly from my internal network.

Here's my squid.conf:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl to_localhost dst 127.0.0.1/8

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access allow all
http_access allow CONNECT
http_access allow to_localhost

include "/opt/qlproxy/etc/squid/squid.acl"

# Squid normally listens to port 3128
# Dansguardian's port:
http_port 3125
# HTTPS ports, required by diladele web safety:
http_port 3126 intercept
https_port 3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
always_direct allow all
ssl_bump client-first all

# certificate storage manager
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 1008
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Squid-Diladele integration:
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
#squid shutdown faster
shutdown_lifetime 3 seconds
--------------------------------------------------
And here are my iptables:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# dansguardian
-A INPUT -i p33p1 -p tcp --dport 8080 -j ACCEPT
# squid https
-A INPUT -i p33p1 -p tcp --dport 3128 -j ACCEPT
# 3127 - for intercepted https traffic for Squid
-A INPUT -i p33p1 -p tcp --dport 3127 -j ACCEPT
# squid - allow the redirected traffic from port 443 to 3128
-A INPUT -m mark --mark 1 -j DROP
# squid - block direct connections to port 3128
-A INPUT -i p33p1 -p tcp --dport 3128 -j REJECT
# connected streams
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -j LOG --log-prefix "DROPPED_INPUT: "
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# all queries go to opendsns familyshield:
-A PREROUTING -p udp -i p33p1 --dport 53 -j DNAT --to-destination 208.67.222.123:53
# redirection of internal network's http traffic to dansguardian:
-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 80 -j REDIRECT --to-ports 8080
# https redirection to squid
-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 443 -j REDIRECT --to-ports 3127
#NAT
-A POSTROUTING -s 172.16.34.252/30 -j MASQUERADE
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i p33p1 --dport 3128 -j MARK --set-mark 1
-A PREROUTING -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -s 172.16.34.253 -j ACCEPT
COMMIT
# Completed
I also tried running squid with the squid -d 10 command but no errors were found:

2014/10/16 10:08:46 kid1| HTCP Disabled.
2014/10/16 10:08:46 kid1| Squid plugin modules loaded: 0
2014/10/16 10:08:46 kid1| Adaptation support is on
2014/10/16 10:08:46 kid1| Accepting HTTP Socket connections at local=[::]:3125 remote=[::] FD 21 flags=9
2014/10/16 10:08:46 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3126 remote=[::] FD 22 flags=41
2014/10/16 10:08:46 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2014/10/16 10:08:46 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 24 flags=41
2014/10/16 10:08:47 kid1| storeLateRelease: released 0 objects
How can I get squid to decrypt https traffic with this configuration? Any help will be much appreciated.
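As an added check (example code, not from the thread and not part of Squid or Diladele): a small Python script that walks a squid.conf and its include files in order and reports any ssl_bump rule sitting after the first catch-all rule, which is the duplicate-directive situation Rafael points out. The file contents are constructed to mirror the thread's layout; the paths are assumptions taken from the posted config, and only simple quoted or unquoted include paths are handled.

```python
import shlex

# Constructed sample files mirroring the thread: the main squid.conf pulls in
# the Diladele-generated squid.acl *before* its own catch-all ssl_bump line.
# Paths are assumptions copied from the posted configuration.
SAMPLE_FILES = {
    "/etc/squid/squid.conf": """\
http_access allow localnet
include "/opt/qlproxy/etc/squid/squid.acl"
https_port 3127 transparent ssl-bump cert=/opt/qlproxy/etc/myca.pem
ssl_bump client-first all
""",
    "/opt/qlproxy/etc/squid/squid.acl": """\
# generated by the Web UI (constructed for this example)
ssl_bump server-first all
""",
}


def collect_ssl_bump(path, files, seen=None):
    """Walk a squid.conf and its includes in evaluation order and return
    every ssl_bump rule as (file, line_no, action, acl_list)."""
    if seen is None:
        seen = set()
    if path in seen:  # guard against include loops
        return []
    seen.add(path)
    rules = []
    for no, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "include":
            for inc in tokens[1:]:
                rules += collect_ssl_bump(inc, files, seen)
        elif tokens[0] == "ssl_bump" and len(tokens) >= 2:
            rules.append((path, no, tokens[1], tokens[2:]))
    return rules


def unreachable_rules(rules):
    """ssl_bump is first-match: every rule after the first one whose ACL
    list is just 'all' (or empty) can never be selected."""
    for i, (_, _, _, acls) in enumerate(rules):
        if acls in ([], ["all"]):
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    found = collect_ssl_bump("/etc/squid/squid.conf", SAMPLE_FILES)
    for f, no, action, acls in unreachable_rules(found):
        print(f"{f}:{no}: 'ssl_bump {action} {' '.join(acls)}' is never reached")
```

Point the script at real files by replacing SAMPLE_FILES with a mapping read from disk; the first catch-all rule it reports is the one Squid actually applies.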