[squid-users] SSL Bumping CONNECT With A cache_peer
JP
packetlord at gmail.com
Sun Jun 28 10:18:21 UTC 2015
Hello all.
I tried reading all the FAQs and scoured the rest of the internet for any
configuration examples I can find and I have not seen a working solution
for this.
I have been using squid for a couple of years now to bump SSL traffic with
no issues.
However I have a new environment where an upstream proxy is already in
place and MUST be used.
So I am trying to get squid working with SSL bump where I have to use a
cache_peer.
So here's the environment.
Normal network setup:
Client --> Forefront Threat Manager Gateway/Proxy (TMG) --> Internet
Client is set up to use TMG:8080 to get to the internet for all protocols.
Here's my new network chain with squid inserted:
Moving forward, I will abbreviate the Forefront proxy as "TMG"
Client --> Squid 3.5.5 --> TMG --> Internet
And then I set the client to use squid:3128
The problem is the CONNECT tunnel.
Scenario:
Under normal circumstances, the following takes place for a standard
request:
GET http://www.arin.net
This results in a 301 redirect to https://www.arin.net
The client then immediately sends CONNECT www.arin.net:443 to TMG:8080
And the connection is made. Perfectly normal.
Currently, I have configured the client to use squid:3128 for all protocols.
How do I bump the CONNECT tunnel?
I have been trying to manipulate the configuration file for days with no
success.
I have settled on the configuration below for now because it allows
unimpeded network traffic.
It does not bump any SSL.
Client is still set to use port 3128 for all protocols. Setting it to use
3129 for https was a failure.
I've tried:
https_port 3128 & 3129
http_port 3128 & 3129
various ssl_bump directives to include peek, stare, bump.
Nothing works.
Here's my usual failure in /var/log/access.log:
1435482419.334    194 192.168.25.2 TCP_MISS/301 616 GET http://www.arin.net/ - FIRSTUP_PARENT/10.210.4.103 text/html
1435482419.337      0 192.168.25.2 TAG_NONE/409 4324 CONNECT www.arin.net:443 - HIER_NONE/- text/html
After reviewing many packet captures... I think the problem is this:
In order for squid to establish a connection via SSL to arin, squid would
have to send a CONNECT request through the cache_peer.
Squid "never" sends a CONNECT www.arin.net:443 to the cache_peer in any
configuration I have tried, unless, I leave the configuration the way it is
below.
Of course, since the client is only talking to squid on port 3128, no SSL
bumping takes place.
The minute I try to bump port 3128 all SSL stops working.
Again... I can get this to work in 2 minutes with no problems if I didn't
have to also speak to a cache_peer.
Contents of /etc/squid/squid.conf :
acl localnet src 192.168.25.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
cache_effective_user proxy
forwarded_for delete
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
never_direct allow all
cache_peer 192.168.1.5 parent 8080 0 no-query default login=redacted
http_port 3128
host_verify_strict off
sslproxy_cert_sign signTrusted
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 3129 intercept ssl-bump capath=/etc/ssl/certs cert=/etc/ssl/certs/midca.pem key=/etc/ssl/private/midca.key generate-host-certificates=on
ssl_bump server-first all
ssl_bump bump all
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 40 startup=7 idle=5
cache_dir ufs /var/cache/squid 100 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
I would send pcaps of the failures but then I would have to sanitize them.
Thanks.
-JP
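The CONNECT chain the post describes (client -> first proxy -> parent proxy), as an added example in Python that is not Squid code and not from the original message. It is a minimal first-hop proxy that accepts the client's CONNECT, re-issues its own CONNECT to the parent with the parent's login credentials (the hop a proxy in front of a cache_peer has to make), and splices the two sockets only after the parent answers 200; a constructed stand-in parent echoes tunnel bytes in place of the origin and refuses with 407 when the credentials are wrong. The hostname www.arin.net comes from the post; the credentials user:secret, the loopback ports and the payload are made up for the demo.

```python
# Added example, not Squid code: the CONNECT hop Client -> first proxy -> parent.
# The first proxy must re-issue CONNECT to the parent (with Proxy-Authorization if
# the parent needs login=), wait for "200 Connection established", then splice.
# Hostnames, credentials and the payload below are constructed for this demo.
import base64
import socket
import threading

OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"

def parse_connect_request(raw):
    """Return (host, port) from a 'CONNECT host:port HTTP/1.1' request head."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request: %r" % (parts,))
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("bad authority: %r" % (parts[1],))
    return host, int(port)

def build_connect_request(host, port, login=None):
    """CONNECT as a proxy sends it upstream; login='user:pass' adds Basic auth."""
    head = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n" % (host, port, host, port)
    if login:
        head += "Proxy-Authorization: Basic %s\r\n" % base64.b64encode(login.encode()).decode()
    return (head + "\r\n").encode("ascii")

def read_head(sock):
    """Read up to the blank line that ends an HTTP head; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n", rest

def status_of(head):
    return int(head.split(b" ")[1]) if head.startswith(b"HTTP/") else 0

def pipe(src, dst):
    """Copy one direction until EOF, then shut down both ends of the tunnel."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    for s in (src, dst):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass

def fake_parent(listener, expected_login):
    """Constructed stand-in for the TMG parent: demands Basic auth, then echoes."""
    conn, _ = listener.accept()
    head, _ = read_head(conn)
    if b"Basic " + base64.b64encode(expected_login.encode()) not in head:
        conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="tmg"\r\nContent-Length: 0\r\n\r\n')
    else:
        conn.sendall(OK_200)
        pipe(conn, conn)  # echo stands in for the origin server behind the parent
    conn.close()

def relay_one(listener, parent_addr, login):
    """The first proxy: accept the client's CONNECT and re-issue it to the parent."""
    client, _ = listener.accept()
    head, rest = read_head(client)
    host, port = parse_connect_request(head)
    up = socket.create_connection(parent_addr)
    up.sendall(build_connect_request(host, port, login))  # the hop toward the parent
    phead, prest = read_head(up)
    if status_of(phead) != 200:
        client.sendall(phead)  # hand the parent's refusal (e.g. 407) back to the client
    else:
        client.sendall(OK_200)
        up.sendall(rest)  # bytes either side sent early (normally none)
        client.sendall(prest)
        threading.Thread(target=pipe, args=(up, client), daemon=True).start()
        pipe(client, up)
    client.close()
    up.close()

def run_demo(parent_login="user:secret", relay_login="user:secret",
             payload=b"\x16\x03\x01 pretend TLS ClientHello"):
    """Client -> relay -> parent on loopback; returns (status the client saw, echoed bytes)."""
    parent_l = socket.create_server(("127.0.0.1", 0))
    relay_l = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=fake_parent, args=(parent_l, parent_login), daemon=True).start()
    threading.Thread(target=relay_one, args=(relay_l, parent_l.getsockname(), relay_login),
                     daemon=True).start()
    c = socket.create_connection(relay_l.getsockname())
    c.sendall(build_connect_request("www.arin.net", 443))  # client CONNECT, no auth to first hop
    head, echoed = read_head(c)
    status = status_of(head)
    if status == 200:
        c.sendall(payload)
        while len(echoed) < len(payload):
            chunk = c.recv(4096)
            if not chunk:
                break
            echoed += chunk
    c.close()
    return status, echoed

if __name__ == "__main__":
    print(run_demo(), run_demo(relay_login="user:wrong"))
```

With matching credentials run_demo() returns the status 200 the client saw plus the payload echoed back through both hops; with the wrong relay_login it returns 407 and no tunnel bytes, because the first hop never gets past the parent's CONNECT refusal, which is the shape to look for in a capture when a cache_peer login= is rejected.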