[squid-users] Have issue with "https_port ssl-bump intercept"

Alex Rousskov rousskov at measurement-factory.com
Fri Aug 10 18:27:57 UTC 2018


On 08/10/2018 12:05 PM, pius wrote:
> I am getting IP address of the client instead of the domain name I requested. 

I suspect you are getting your Squid https_port address
(10.222.17.106:3130) rather than the client IP address (10.222.25.60).
Logging Squid IP instead of the intended server IP feels wrong to me,
but that is not why things do not otherwise "work" in your test.

Your test request is probably not getting through because your
http_access rules (or equivalent) deny the (fake) CONNECT request to
216.58.212.100 (or whatever one of the www.google.com server IPs is in
your environment). Check your access control rules while keeping in mind
that the initial (i.e. step1) fake CONNECT request on an intercepting
https_port has nothing but TCP/IP-level information.


HTH,

Alex.


> I am trying curl -iv https://www.google.com from a client machine
> (10.222.17.106). I am not getting google.com in the access log and getting
> TCP_DENIED. Looks like traffic is blocked before checking the certificate (I
> am not sure). And HTTP works fine (curl -iv http://www.google.com). I have
> included the log from both requests. Please help.
> 
> ##############
> HTTPS REQUEST
> 1533917193.498      0 10.222.25.60 TCP_DENIED/200 0 CONNECT
> 10.222.17.106:3130 - HIER_NONE/- -
> ##############
> HTTP REQUEST
> 1533917208.934     35 10.222.25.60 TCP_MISS/200 11561 GET
> http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html 
> ##############
> 
> 
> 
> 
> ################################################################################
> Here is my squid.conf
> ###############
> http_port 3128
> 
> http_port 0.0.0.0:3129 ssl-bump  \
>   cert=/etc/squid/ssl_cert/cert.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> https_port 0.0.0.0:3130 ssl-bump intercept \
>   cert=/etc/squid/ssl_cert/cert.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl ssl_exclude_domains ssl::server_name "/etc/squid/exclude_domains.conf"
> 
> ssl_bump splice localhost
> ssl_bump peek step1 all
> ssl_bump splice ssl_exclude_domains
> ssl_bump stare step2 all
> ssl_bump bump all
> 
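
Added example, not part of the original thread: a Python triage script for the log pattern discussed above. It parses Squid native-format access.log lines and separates denied CONNECTs whose target is only an IP address (consistent with the step1 fake CONNECT on an intercepting https_port) from those denied once a server name was known. The function name, the labels and the two entries marked constructed are assumptions; the first two log lines are the ones quoted in the post.

```python
import ipaddress
import re

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

def is_ip(host):
    """True if host is an IPv4/IPv6 literal (brackets allowed for IPv6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def classify(line, proxy_listeners=frozenset()):
    """Label one access.log line; the labels are this example's own."""
    m = LINE_RE.match(line)
    if m is None:
        return "unparsed"
    if m["method"] != "CONNECT" or not m["code"].startswith("TCP_DENIED"):
        return "other"
    host, _, _port = m["url"].rpartition(":")
    if not is_ip(host):
        return "denied-with-name"            # a server name was already known
    if m["url"] in proxy_listeners:
        return "denied-step1-proxy-address"  # logged target is Squid's own port
    return "denied-step1-ip-only"            # only TCP/IP-level info available

PROXY = {"10.222.17.106:3130"}  # https_port address named in the reply
SAMPLE = [
    # The two entries quoted in the post, with the e-mail line wrap undone:
    "1533917193.498      0 10.222.25.60 TCP_DENIED/200 0 CONNECT 10.222.17.106:3130 - HIER_NONE/- -",
    "1533917208.934     35 10.222.25.60 TCP_MISS/200 11561 GET http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html",
    # Constructed entries, for contrast only:
    "1533917300.000      0 10.222.25.60 TCP_DENIED/200 0 CONNECT 216.58.212.100:443 - HIER_NONE/- -",
    "1533917301.000      0 10.222.25.60 TCP_DENIED/403 0 CONNECT www.example.com:443 - HIER_NONE/- -",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{classify(entry, PROXY):28} {entry}")
```

Entries labelled as step1 denials point at the http_access rules, since no SNI or certificate information exists yet for a name-based ACL to match.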

