[squid-users] ssl_bump - peek & splice logging IP rather than server name
Mark Hoare
mark_squid at finito.me.uk
Tue Jan 3 14:27:57 UTC 2017
Sorry, should have included squid version details in original post:
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Cheers
Mark
> On 31 Dec 2016, at 14:37, Mark Hoare <mark_squid at finito.me.uk> wrote:
>
> Hi,
>
> I’m trying to set up policy based routing on a gateway device pointing at a remote squid server to do transparent HTTP & HTTPS proxying with ssl_bump (peek & splice)
>
> After quite a bit of pain getting policy based routing working on the gateway and local port redirection on the squid server, everything appears to be working except the access log still refers to the destination IP address in the TCP_TUNNEL rather than the SNI/TLS server name.
>
> By increasing the debug level I can see that the SNI/TLS details are definitely being obtained during the request processing but for some reason they are not ending up in the access log.
>
> Extract from cache log:
>> 2016/12/31 14:18:01.966 kid1| 83,7| bio.cc(1110) parseV3Hello: Found server name: www.ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,5| support.cc(259) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying server domain www.ssllabs.com to certificate name/subjectAltName ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying server domain www.ssllabs.com to certificate name/subjectAltName *.ssllabs.com
>> 2016/12/31 14:18:02.383 kid1| 83,5| PeerConnector.cc(307) serverCertificateVerified: HTTPS server CN: ssllabs.com bumped: local=<squid IP removed>:57790 remote=64.41.200.100:443 FD 14 flags=1
>
> Extract from access log:
>> 1483193882.790 870 <local ip removed> TCP_TUNNEL/200 5620 CONNECT 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -
>
> From the output above I would have expected some of the server name info to get into the access log.
>
> Squid config below:
>> debug_options ALL,7
>>
>> http_port 3128
>>
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>> http_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>> cache_dir ufs /var/spool/squid 200 16 256
>> coredump_dir /var/spool/squid
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>>
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localhost manager
>> http_access deny manager
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> ssl_bump peek all
>> ssl_bump splice all
>>
>> always_direct allow all
>>
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access deny all
>
>
> Any suggestions gratefully received.
>
> Thanks
>
> Mark
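As an added illustration (not code from the post or from the Squid project): the cache.log extract above shows that with `debug_options ALL,7` the SNI is parsed from the ClientHello (section 83, `parseV3Hello`) and the server address is logged a few lines later (`serverCertificateVerified: ... remote=IP:port`), while the native access.log line only carries the ORIGINAL_DST address. The script below correlates the two logs offline, pairing each `Found server name` with the next `remote=` line and then joining that onto `TCP_TUNNEL` CONNECT entries by server address and time. It assumes cache.log timestamps are UTC (the poster's epoch access.log time lines up with that) and uses 192.0.2.x documentation addresses where the post redacted them; the input lines are constructed from the quoted ones, with a second, unmatched entry added to show the no-match case.

```python
"""Enrich Squid 3.5 access.log TCP_TUNNEL entries with the SNI that cache.log
debug output (section 83, level 7 as in the post) recorded for the same server
connection. Example code, not part of the post or of Squid."""
import re
from datetime import datetime, timezone

# Constructed sample input modelled on the lines quoted in the post. The client
# and proxy addresses were redacted there, so 192.0.2.x placeholders are used;
# the server IP and names are as quoted. The second access entry is invented
# to show an entry with no matching cache.log evidence.
CACHE_LOG = """\
2016/12/31 14:18:01.966 kid1| 83,7| bio.cc(1110) parseV3Hello: Found server name: www.ssllabs.com
2016/12/31 14:18:02.351 kid1| 83,5| support.cc(259) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
2016/12/31 14:18:02.383 kid1| 83,5| PeerConnector.cc(307) serverCertificateVerified: HTTPS server CN: ssllabs.com bumped: local=192.0.2.10:57790 remote=64.41.200.100:443 FD 14 flags=1
"""

ACCESS_LOG = """\
1483193882.790    870 192.0.2.25 TCP_TUNNEL/200 5620 CONNECT 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -
1483193900.120     12 192.0.2.26 TCP_TUNNEL/200 1024 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
"""

CACHE_TS = "%Y/%m/%d %H:%M:%S.%f"
SNI_RE = re.compile(
    r"^(\S+ \S+) kid\d+\| 83,\d+\| \S+ parseV3Hello: Found server name: (\S+)")
REMOTE_RE = re.compile(
    r"^(\S+ \S+) kid\d+\| 83,\d+\| \S+ serverCertificateVerified: .* remote=(\S+?):(\d+) ")


def cache_ts_to_epoch(stamp):
    # cache.log stamps carry no zone; assumed UTC here (assumption).
    return datetime.strptime(stamp, CACHE_TS).replace(tzinfo=timezone.utc).timestamp()


def parse_cache_log(text):
    """Return {(server_ip, port): [(epoch, sni), ...]} in log order.

    The SNI line and the remote-address line belong to the same connection
    attempt only when nothing else intervenes, so a single pending value is
    kept and cleared once it has been paired."""
    mapping = {}
    pending = None  # SNI from the most recently parsed ClientHello
    for line in text.splitlines():
        m = SNI_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = REMOTE_RE.match(line)
        if m and pending is not None:
            key = (m.group(2), int(m.group(3)))
            mapping.setdefault(key, []).append((cache_ts_to_epoch(m.group(1)), pending))
            pending = None
    return mapping


def parse_access_log(text):
    """Parse Squid's native 'squid' logformat (10 whitespace-separated fields)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10:
            continue  # skip anything that is not a native-format line
        entries.append({"ts": float(f[0]), "client": f[2], "result": f[3],
                        "method": f[5], "url": f[6], "hier": f[8]})
    return entries


def enrich(entries, sni_map, window=10.0):
    """Attach the SNI seen for the same server address within `window` seconds
    before the access.log line was written (access.log is written at the end of
    the transaction). Returns None when nothing matched or the candidates
    disagree, rather than guessing."""
    out = []
    for e in entries:
        sni = None
        if e["method"] == "CONNECT":
            host, _, port = e["url"].rpartition(":")
            cands = [s for t, s in sni_map.get((host, int(port)), [])
                     if 0 <= e["ts"] - t <= window]
            if len(set(cands)) == 1:
                sni = cands[0]
        out.append(dict(e, sni=sni))
    return out


if __name__ == "__main__":
    for e in enrich(parse_access_log(ACCESS_LOG), parse_cache_log(CACHE_LOG)):
        print(f"{e['client']} {e['result']} {e['url']} sni={e['sni'] or '-'}")
```

The join is by server address and a short time window, so two clients reaching the same IP with different names inside that window are reported as unmatched rather than mislabelled. Running a production proxy at `debug_options ALL,7` to feed this is not sustainable (the volume is enormous and cache.log is not a security log); Squid 3.5's `logformat` directive also provides the `%ssl::>sni` token, which records the client's SNI in access.log directly once the peek step has seen it, and removes the need for correlation.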