[squid-users] Trusted CA Certificate with ssl_bump

Patrick Chemla patrick.chemla at performance-managers.com
Mon Nov 21 10:44:22 UTC 2016


Hi Alex, and all others

No, I have set it for multiple domains, and it works really fine. Again, 
many thanks.

But I have a new demand:

Within one of the sites, where squid handles the https connection and then 
communicates with the internal VM through http, there is one page (at least; 
maybe we will find others), I don't know why, but the devs want it http only.

When I come to the menu for this page, the app returns an http:// link to 
squid. Squid encrypts it and sends an https:// link to the browser, but then 
when the user hits the link, some of the components of the page should stay 
http://, and there the browser detects an https page with http components 
embedded, and blocks them.

Is there a way to tell squid to leave some links as http?

My domain is domain.tld:

the browser asks for https://domain.tld

squid decrypts, recognizes this domain, and according to the acl goes to VM1 
in http:// mode, not encrypted.

The site on VM1 returns a page in http:// mode, with all links as http 
too, and squid sends it back encrypted to the browser with all links 
embedded in https://

I want a special link on the page http://domain.tld/special/ to stay http.

How can I instruct squid to leave that one as it is, but not all the others?

Thanks

Patrick
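Whether the browser blocks a plain-http element on an https page depends on what kind of element it is, and a plain `<a href="http://...">` link is not mixed content at all: following it simply navigates away from the https page. As an added example (not from this thread and not Squid's own code), here is a small Python audit that takes the markup the browser would receive plus the page URL, resolves every embedded reference, and reports which http:// targets a browser refuses outright (scripts, frames, stylesheets), which it may only warn about (images, media), and which are harmless navigation links. The sample page, the URLs in it and the function names are constructed for the example.

```python
"""Audit a page served over https for plain-http subresources (added example).

Constructed for illustration; the page markup, URLs and function names are not
from the mailing-list thread. Only the HTML is inspected, not CSS or script bodies.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> how a browser treats an http:// target inside an https page.
# "blockable": refused outright, because the resource could run code or restyle the page.
# "optionally_blockable": images and media; warned about, upgraded or blocked by policy.
# "navigation": following the link leaves the https page; this is not mixed content.
TAG_SEVERITY = {
    ("script", "src"): "blockable", ("iframe", "src"): "blockable",
    ("frame", "src"): "blockable", ("object", "data"): "blockable",
    ("embed", "src"): "blockable",
    ("img", "src"): "optionally_blockable", ("audio", "src"): "optionally_blockable",
    ("video", "src"): "optionally_blockable", ("source", "src"): "optionally_blockable",
    ("a", "href"): "navigation", ("area", "href"): "navigation",
    ("form", "action"): "navigation",
}
# <link> fetches a subresource only for these rel types; treat those as blockable.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content only applies to pages served over https")
        self.page_url = page_url
        self.findings = []  # dicts with keys: severity, tag, url

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & FETCHING_LINK_RELS and attrs.get("href"):
                self._record("blockable", tag, attrs["href"])
            return
        for attr in ("src", "href", "data", "action"):
            severity = TAG_SEVERITY.get((tag, attr))
            if severity and attrs.get(attr):
                self._record(severity, tag, attrs[attr])

    def _record(self, severity, tag, value):
        # Resolve relative and scheme-relative ("//host/x") references against the
        # page URL: those inherit https and are fine; only an explicit http:// counts.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append({"severity": severity, "tag": tag, "url": resolved})


def audit_mixed_content(html, page_url):
    """Return every plain-http reference found in `html`, in document order."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def blocked_urls(findings):
    """The references a browser will refuse to load on the https page."""
    return [f["url"] for f in findings if f["severity"] == "blockable"]


# Constructed sample page: the sort of markup an http-only backend might return
# for the "/special/" menu entry discussed above. Not a real site.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://domain.tld/css/site.css">
<script src="//domain.tld/js/app.js"></script>
</head><body>
<img src="http://domain.tld/img/logo.png">
<a href="http://domain.tld/special/">special section (http only)</a>
<script src="https://domain.tld/js/ok.js"></script>
<iframe src="/special/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_mixed_content(SAMPLE_PAGE, "https://domain.tld/menu"):
        print(f'{finding["severity"]:22} <{finding["tag"]}> {finding["url"]}')
```

Run against the sample page, the audit reports the stylesheet as blockable, the image as optionally blockable and the `/special/` anchor as plain navigation; the scheme-relative script and the relative iframe resolve to https and are not reported at all. The practical reading for the thread is that a page can legitimately link to an http URL, but any script, stylesheet or frame it embeds must be reachable over https.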


On 17/11/2016 at 20:11, Patrick Chemla wrote:
>
> Hi Alex, sorry for disturbing, but it works with
>
> https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com 
> cert=/etc/squid/ssl/semplixxxx.com.crt 
> key=/etc/squid/ssl/semplixxxx.com.key
>
> Many, many, many thanks for the valuable help.
>
> Patrick
> On 17/11/2016 at 19:48, Patrick Chemla wrote:
>> Hi Alex,
>>
>> I followed the
>>
>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>
>> I am getting errors when trying to connect. What could it be?
>>
>> This is the config: is there something bad in there?
>>
>> ======================================
>> debug_options   ALL,1  33,2 28,9
>>
>> http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com 
>> cert=/etc/squid/ssl/semplixxxx.com.crt 
>> key=/etc/squid/ssl/semplixxxx.com.key
>>
>> cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS 
>> sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
>> name=SEMP1
>> cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS 
>> sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 
>> name=SEMP2
>>
>> acl w3_semplixxxx dstdomain .semplixxxx.com
>> cache_peer_access SEMP1 allow w3_semplixxxx
>> cache_peer_access SEMP1 deny all
>>
>> http_access allow w3_semplixxxx
>>
>> =====================================
>>
>> $ wget https://www.semplixxxx.com
>> --2016-11-17 19:34:49--  https://www.semplixxxx.com/
>> Résolution de www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
>> Connexion à www.semplitech.com 
>> (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connecté.
>> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
>> protocol
>> Incapable d'établir une connexion SSL.
>>
>> Same error with the browser
>> =========================================
>> This is what I have in the access_log file:
>> - ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE 
>> error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
>> - ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE 
>> error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
>>
>> ===========================================
>> This is what I have in cache.log:
>> 2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) 
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
>> 2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
>> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
>> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: 
>> id=0xf55ca8ed404 query ARP table
>> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: 
>> id=0xf55ca8ed404 query ARP on each interface (480 found)
>> 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface lo
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
>> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:1
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:2
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:3
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:4
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:5
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:6
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:7
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth2:8
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface eth3
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
>> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: 
>> id=0xf55ca8ed404 found interface virbr0
>> 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: 
>> id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
>> 2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: 
>> id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
>> 2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) 
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
>> 2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
>> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
>> 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) 
>> clientProcessRequest: clientProcessRequest: Invalid Request
>> 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: 
>> local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
>> 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 
>> 0x78737acd23c0 checking fast ACLs
>> 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
>> access_log daemon:/var/log/squid/access.log
>> 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking 
>> (access_log daemon:/var/log/squid/access.log line)
>> 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
>> (access_log daemon:/var/log/squid/access.log line) = 1
>> 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: 
>> access_log daemon:/var/log/squid/access.log = 1
>> 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished: 
>> 0x78737acd23c0 answer ALLOWED for match
>> 2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66) 
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
>> 2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
>> ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
>> 2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66) 
>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
>> 2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: 
>> ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
>>
>> Thanks for help
>> Patrick
>>
>> On 16/11/2016 at 20:16, Patrick Chemla wrote:
>>> Many thanks Alex. I will try in the next hours and let you know if I am 
>>> successful.
>>>
>>> Patrick
>>>
>>>
>>> On 16/11/2016 at 20:04, Alex Crow wrote:
>>>>
>>>> On 16/11/16 17:33, Patrick Chemla wrote:
>>>>> Thanks for your answers, I am not doing anything illegal, I am 
>>>>> trying to
>>>>> build a performant platform.
>>>>>
>>>>> I have a big server running about 10 different websites.
>>>>>
>>>>> I have on this server virtual machines, each specialized for one or some
>>>>> websites, and squid helps me to send the traffic to the destination
>>>>> website on the internal VM according to the URL.
>>>>>
>>>>> Some VMs are paired, so squid will load balance the traffic on a 
>>>>> group of
>>>>> VMs according to the URL/acls.
>>>>>
>>>>> All this works in HTTP, thanks to Amos's advice a few weeks ago.
>>>>>
>>>>> Now, I need to set SSL traffic, and because the domains are 
>>>>> different I
>>>>> need to use different IPs:443 to be able to use different 
>>>>> certificates.
>>>>>
>>>>> I tried many times in the past to make squid work in SSL and never
>>>>> succeeded because of so many options, and this question: should the 
>>>>> traffic
>>>>> between squid and the backend be SSL? If yes, it's OK for me,
>>>>> nothing illegal.
>>>>>
>>>>> The second question: How to set up the SSL link on squid getting 
>>>>> the SSL
>>>>> request and sending to the backend. Actually the backend can 
>>>>> handle SSL
>>>>> traffic, it's OK for me if I find the way to make squid handle the
>>>>> traffic, according to the acls. squid must decrypt the request, 
>>>>> compute
>>>>> the acls, then re-crypt to send to the backend.
>>>>>
>>>>> The reason I asked not to reencrypt is because of performance. 
>>>>> All this
>>>>> is on the same server, from the host to the VMs, and decrypt, then
>>>>> reencrypt, then decrypt will be resource consuming. But I can 
>>>>> do it
>>>>> like that.
>>>>>
>>>>> Now, do you have any Howto, clear, that will help? I found many on
>>>>> Google and not any gave me the solution working.
>>>>>
>>>>> The other question is about Trusted Certificates. We have on the
>>>>> websites trusted certificates. Should we use the same on the squid?
>>>>>
>>>>> Thanks for your appreciated help
>>>>>
>>>>> Patrick
>>>>>
>>>>>
>>>> You are using a reverse proxy/web accelerator setup. Nothing you do
>>>> there will be illegal if you're using it for your own servers! You
>>>> should be able to use HTTP to the backend and just offer HTTPS from
>>>> squid. This will avoid loading the backend with encryption cycles. You
>>>> don't need any certificate generation as AFAIK you already have all 
>>>> the
>>>> certs you need.
>>>>
>>>> See:
>>>>
>>>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>>>
>>>> for starters. You can adapt the wildcard example; if you have specific
>>>> certs for each domain, just listen on a different IP for each 
>>>> domain and
>>>> set up multiple https_port with a different listening IP for each 
>>>> site.
>>>> If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.
>>>>
>>>> Here's a couple more:
>>>>
>>>> http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy 
>>>>
>>>>
>>>> (I found the above with a simple google for "squid reverse ssl proxy".
>>>> Google is your friend here... )
>>>>
>>>> http://www.squid-cache.org/Doc/config/https_port/
>>>>
>>>> That's as far as my knowledge goes on reverse in Squid; at my site we
>>>> use nginx. But AFAIK if you're doing what I think you're doing that
>>>> should be enough. Squid does have a lot of config parameters, but then
>>>> so does any other fully capable proxy server. Just focus on the parts
>>>> you need for your role and it will be much easier. Specifically ignore
>>>> bump/peek+splice, it's just for forward proxy.
>>>>
>>>> Alex
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>
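The wget error quoted above ("SSL23_GET_SERVER_HELLO:unknown protocol") and the "NONE error:invalid-request ... 400" lines in access.log are two views of the same mistake: the first configuration declared the 443 listener with `http_port` plus `cert=`/`key=`, so Squid read the browser's TLS ClientHello as a malformed HTTP request and answered with a plain-text HTTP 400 error page, which the client's TLS library cannot interpret as a ServerHello. The configuration that finally worked used `https_port`. As an added example (not from the thread and not Squid's own code), this Python script reproduces the diagnosis an operator would run against their own listener: classify the first bytes a port sends back (TLS record versus plaintext HTTP) and map that to the configuration change it points at. `probe` opens a real connection and is meant for a host you operate; `classify_reply` and `advise` work offline on the constructed byte strings. All names are my own.

```python
"""Tell a TLS listener from a plaintext HTTP listener on the same port (added example).

Constructed for illustration; function names are not Squid's. `probe` connects to a
host you operate; the other functions only inspect bytes you pass in.
"""
import socket
import ssl

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # TLS record content types


def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent back after a TLS ClientHello."""
    if len(first_bytes) < 2:
        return "empty-or-closed"
    # A TLS server answers with a handshake (ServerHello) or an alert record; both
    # begin with the content-type byte followed by the 0x03 version-major byte.
    if first_bytes[0] in (TLS_HANDSHAKE, TLS_ALERT) and first_bytes[1] == 0x03:
        return "tls"
    # A plain http_port sees the binary ClientHello as a broken request line and
    # replies with an HTTP status line; OpenSSL then reports "unknown protocol".
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def advise(classification: str) -> str:
    """Map the classification to the Squid change it points at."""
    return {
        "tls": "listener speaks TLS; look at the certificate chain next",
        "plaintext-http": ("listener speaks plain HTTP on the TLS port: an accelerator "
                           "with cert=/key= must be declared with https_port, not http_port"),
        "empty-or-closed": "connection closed without data; check the port is bound and reachable",
        "unknown": "neither TLS nor HTTP; something else is listening on that port",
    }[classification]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try a real handshake; if it fails, ask the port in plaintext and classify."""
    result = {"host": host, "port": port}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["reply"] = "tls"
                result["version"] = tls.version()
                return result
    except ssl.SSLError as exc:
        result["tls_error"] = str(exc)
    except OSError as exc:
        result["connect_error"] = str(exc)
        return result
    # The handshake failed for some reason (wrong protocol, or a certificate
    # problem): send a plaintext request and look at what comes back. A genuine
    # TLS listener answers plaintext with an alert record or closes the connection.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        result["reply"] = classify_reply(raw.recv(64))
    result["advice"] = advise(result["reply"])
    return result


# Constructed samples: a ServerHello record header, a TLS alert record, and the
# kind of reply an http_port bound to 443 produces (as in the thread's access.log).
SAMPLE_SERVER_HELLO = bytes.fromhex("160303005a020000560303")
SAMPLE_ALERT = bytes.fromhex("15030300020228")
SAMPLE_HTTP_400 = b"HTTP/1.1 400 Bad Request\r\nServer: squid\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SERVER_HELLO, SAMPLE_ALERT, SAMPLE_HTTP_400, b""):
        kind = classify_reply(sample)
        print(f"{kind:16} {advise(kind)}")
```

The offline part is what matters for reading the thread: a reply that starts with `HTTP/` to a TLS handshake is the signature of a plaintext listener on the TLS port, and in Squid's accelerator mode that means `http_port` where `https_port` was intended.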


