[squid-users] Forward proxy: TLS connections to server
ninadmnaik
nninad at gmail.com
Wed Feb 21 05:38:17 UTC 2018
Does the "https_port intercept ssl-bump" work only in transparent proxy
scenarios, where the DNAT changes have been applied?
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
Or is it possible to explicitly point to squid proxy in the client and still
use the "https_port intercept ssl_bump"?
Here's the setup we have so far:
Squid 3.5.27
Conf file:
acl localnet src 127.0.0.1/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 5235 # xmpp over ssl
acl SSL_ports port 3130
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl ssl-bump_port myportname 3130
always_direct allow ssl-bump_port # always direct to origin server. Do not get from cache.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/pem.certificate/cert.pem key=/pem.certificate/key.pem cafile=/etc/ssl/cert.pem
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump step2
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/ssl_db -M 4MB
And here's what the client is trying to do:
1. sslSocket.connect("localhost", 3130);
2. sslSocket.getOutputStream.write("CONNECT fcm-xmpp.googleapis.com:5235 HTTP/1.1 Host: CONNECT fcm-xmpp.googleapis.com:5235");
However, squid receives number 1 as a CONNECT. Same when I do: 'telnet localhost 3130'.
Should the first connect be received with method 'CONNECT'?
Logs:
2018/02/20 23:14:28.050 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New connection on FD 29
2018/02/20 23:14:28.050 kid1| 5,2| TcpAcceptor.cc(295) acceptNext: connection on local=[::]:3130 remote=[::] FD 29 flags=41
2018/02/20 23:14:28.050 kid1| 33,2| client_side.cc(3943) httpsSslBumpAccessCheckDone: sslBump needed for local=127.0.0.1:3130 remote=127.0.0.1:50607 FD 16 flags=33 method 3
2018/02/20 23:14:28.050 kid1| 11,2| client_side.cc(2372) parseHttpRequest: HTTP Client local=127.0.0.1:3130 remote=127.0.0.1:50607 FD 16 flags=33
2018/02/20 23:14:28.050 kid1| 11,2| client_side.cc(2373) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 127.0.0.1:3130 HTTP/1.1
Host: 127.0.0.1:3130
----------
2018/02/20 23:14:28.051 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 127.0.0.1:3130 is ALLOWED; last ACL checked: all
2018/02/20 23:14:28.051 kid1| 85,2| client_side_request.cc(721) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2018/02/20 23:14:28.051 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 127.0.0.1:3130 is ALLOWED; last ACL checked: all
2018/02/20 23:14:28.095 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.096 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 83,2| client_side.cc(4316) clientPeekAndSpliceSSL: SSL_accept failed.
2018/02/20 23:14:28.097 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=127.0.0.1:3130 remote=127.0.0.1:50607 FD 16 flags=33, url=127.0.0.1:3130
2018/02/20 23:14:28.097 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for '127.0.0.1:3130'
2018/02/20 23:14:28.098 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths: always_direct = ALLOWED
2018/02/20 23:14:28.098 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths: never_direct = DENIED
2018/02/20 23:14:28.098 kid1| 44,2| peer_select.cc(288) peerSelectDnsPaths: ORIGINAL_DST = local=0.0.0.0 remote=127.0.0.1:3130 flags=1
2018/02/20 23:14:28.098 kid1| 44,2| peer_select.cc(295) peerSelectDnsPaths: timedout = 0
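Added illustration, not code from the original post: an intercept-mode https_port reads the client's first bytes as a TLS handshake (the synthesized "CONNECT 127.0.0.1:3130" and the repeated SSL_accept failures in the log are what plaintext on that port looks like), whereas an explicit-proxy client sends CONNECT to the plain http_port and only starts TLS once the proxy answers 200. The helpers below build and check that explicit exchange and classify what a listening port receives; the proxy and origin names come from the post, the function names are assumptions.

```python
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT for an explicit (forward) proxy: request line, a Host
    header repeating host:port, then the blank line that ends the headers."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line")
    return int(parts[1])

def classify_first_bytes(data: bytes) -> str:
    """What an intercept port sees first: a TLS record header (0x16, 0x03 xx)
    is a ClientHello; an upper-case ASCII token is a plaintext HTTP method."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    token = data.split(b" ", 1)[0]
    if token.isalpha() and token.isupper():
        return f"plaintext-http:{token.decode()}"
    return "unknown"

def connect_via_proxy(proxy_host, proxy_port, origin_host, origin_port, cafile=None):
    """Open a TLS session to the origin through an explicit proxy: plaintext
    CONNECT first, TLS (with SNI for the origin) only after a 200 reply.
    cafile should point at the bumping CA's certificate so the generated
    server certificate verifies; None falls back to the system trust store."""
    raw = socket.create_connection((proxy_host, proxy_port))
    raw.sendall(build_connect_request(origin_host, origin_port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = raw.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before replying")
        reply += chunk
    if parse_connect_status(reply) != 200:
        raise ConnectionError(reply.split(b"\r\n", 1)[0].decode(errors="replace"))
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(raw, server_hostname=origin_host)

if __name__ == "__main__":
    # Example call against the post's setup (assumes Squid's http_port 3128):
    tls = connect_via_proxy("localhost", 3128, "fcm-xmpp.googleapis.com", 5235)
    print(tls.version(), tls.getpeercert()["subject"])
```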