[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Wed Jun 7 09:37:42 UTC 2017

I had a FreeBSD 9.1 bridge (em0, em1) environment,
Use "pf rdr to" redirect HTTPS (port 443) packets to squid (squid 127.0.0.1:
3129)

Squid *3.3.11* ssl bump is OK.

The following is the setting of squid 3.3.11

Squid Cache: Version 3.3.11-20140220-r12672
Configure options: '--prefix = / usr / local / squid' '--sysconfdir = / etc
/ squid' '--localstatedir = / var / squid' '--datadir = / usr / share /
squid' Enable-icap-client '' --enable-ssl '' --with-pthreads ''
--enable-pf-transparent '' --enable-ssl-crtd '' --enable-ecap ''
PKG_CONFIG_PATH = / usr / Local / lib / pkgconfig '--enable-ltdl-convenience

Recently in order to allow squid can signing generated sha256 certificates 
, 
upgrade squid to 3.5.24 version.

But ssl bump * is not OK *

Access.log always appears the following message:
1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495699857.720      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.054      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701676.717      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.060      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -
1495701677.354      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
- HIER_NONE/- -

*Need to adjust which part of the settings?*

The following is my settings: 

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
--enable-ltdl-convenience

------------
squid.conf
------------
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M
10MB
sslcrtd_children 5

# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidAfter all

sslproxy_flags DONT_VERIFY_PEER

----------------------------------------
pf.conf
---------------------------------------
#internal interface
int_if = '{em1}'

# Normalization: reassemble fragments resolve or reduce traffic ambiguities.
scrub in all
set skip on lo0

#sslTP rdr setting
rdr_from = 'any'
rdr_to = 'any;
rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 ->
127.0.0.1 port 3129
pass in all no state
pass out all no state
pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any
keep state

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-ssl-bump-intercept-TCP-DENIED-200-on-bridge-mode-tp4682712.html
Sent from the Squid - Users mailing list archive at Nabble.com.