[squid-users] Help with transparent whitelisting proxy on Squid 4.4

Jared Fox jared.fox at practiv.com
Tue Jun 25 01:24:28 UTC 2019


Hi Squid-Users

I need your help!

So I have been using Squid 3.5.20 (installed on Amazon Linux 2)
and it's acting as a transparent SSL proxy with a whitelist of allowed
addresses. I want to avoid running a MITM proxy and having to add CA
certs to all services/containers etc. Traffic is routed to the Squid
instance via a route table to the interface.

" Issue 1 - upgrade from 3.5.20 to 4.4.4 (squid-4.4-4.amzn2.0.4.x86_64) "

- So my working config below does not work with 4.x but it kind of
does for 3.5.x, and it appears that I require the squid-helper package,
which doesn't exist for Amazon Linux.
- When starting Squid it tries to create an SSL database via
security_file_certgen, but this shouldn't be needed as I'm providing a
self-signed cert that doesn't get used in transparent mode but is a
hard dependency in 3.5.

" Errors produced: "

(security_file_certgen)2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
2019/06/25 00:37:57 kid1| ERROR: No forward-proxy ports configured.
2019/06/25 00:37:57 kid1| storeDirWriteCleanLogs: Starting...
: Uninitialized SSL certificate database directory: /var/spool/squid/ssl_db. To initialize, run "security_file_certgen -c -s /var/spool/squid/ssl_db".
2019/06/25 00:37:57 kid1|   Finished.  Wrote 0 entries.
2019/06/25 00:37:57 kid1|   Took 0.00 seconds (  0.00 entries/sec).
2019/06/25 00:37:57 kid1| FATAL: mimeLoadIcon: cannot parse internal URL: http://ip-10-0-60-70.ec2.internal:0/squid-internal-static/icons/silk/image.png
2019/06/25 00:37:57 kid1| Squid Cache (Version 4.4): Terminated abnormally.

" Squid config file contains: "

=======================
acl localnet src 10.0.0.0/8   # Kubernetes VPC CIDR range
acl SSL_ports port 443        # HTTPS
acl Safe_ports port 80        # HTTP
acl Safe_ports port 443       # HTTPS
acl CONNECT method CONNECT    # Traffic restriction
acl step1 at_step SslBump1    # Needed by ssl-bump

# -------------------------------
# Whitelist the following Domains
# -------------------------------

# Shorten whitelist - just for this email / Edited config here
acl domainIsWhitelisted ssl::server_name googleapis.l.google.com
acl domainIsWhitelisted ssl::server_name logging.googleapis.com
acl domainIsWhitelisted ssl::server_name cloudtrace.googleapis.com

# ----------------------------------------------

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Passively Intercepted HTTPS Traffic
https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept
acl step1 at_step SslBump1
ssl_bump peek all
ssl_bump splice domainIsWhitelisted
ssl_bump terminate all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Logging
logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru %ssl::>sni HTTP/%rv
access_log daemon:/var/log/squid/access_custom1.log custom1
access_log udp://127.0.0.1:5140
=======================

" Issue 2 "
- So the reason for the upgrade is that some TLS 1.2 connections are being blocked
when they should be whitelisted, and it depends on the clients used, e.g.
curl vs Netty. I believe this may be due to unsupported TLS extensions,
but I can prove this as differences via tcpdump are minor.

Is this because my configuration above is incorrect?

Kind regards

Jared Fox
DevOps Architect - Practiv
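A small triage script for the "whitelisted but still blocked" case in Issue 2, added here as an example and not part of the original post or of Squid. It parses lines in the post's `custom1` logformat, applies the same dstdomain-style name matching that `ssl::server_name` uses, and reports whitelisted SNIs whose connection was not logged as a spliced `TCP_TUNNEL`, plus clients that sent no SNI at all. The log lines are constructed samples (the `NONE/000` status is a placeholder for a terminated handshake, not a claim about exact Squid output), and the `%tg` timestamp is assumed to render as two space-separated tokens.

```python
# Whitelist as in the posted squid.conf; the log lines are constructed samples in the
# post's custom1 logformat (%tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru %ssl::>sni HTTP/%rv).
WHITELIST = ["googleapis.l.google.com", "logging.googleapis.com", "cloudtrace.googleapis.com"]

SAMPLE_LOG = """\
25/Jun/2019:00:37:57 +0000    312 10.0.1.5 172.217.0.10 TCP_TUNNEL/200 5123 CONNECT 172.217.0.10:443 logging.googleapis.com HTTP/1.1
25/Jun/2019:00:37:58 +0000      4 10.0.1.5 - NONE/000 0 CONNECT 142.250.0.1:443 example.com HTTP/1.1
25/Jun/2019:00:37:59 +0000      2 10.0.1.7 - NONE/000 0 CONNECT 142.250.0.2:443 cloudtrace.googleapis.com HTTP/1.1
25/Jun/2019:00:38:01 +0000      3 10.0.1.9 - NONE/000 0 CONNECT 142.250.0.3:443 - HTTP/1.1
"""

def sni_is_whitelisted(sni, whitelist=WHITELIST):
    """dstdomain-style matching as used by ssl::server_name: an exact name, or a
    leading-dot entry such as '.googleapis.com' covering the domain and its subdomains."""
    if not sni:
        return False
    sni = sni.lower().rstrip(".")
    for entry in (e.lower() for e in whitelist):
        if entry.startswith("."):
            if sni == entry[1:] or sni.endswith(entry):
                return True
        elif sni == entry:
            return True
    return False

def parse_custom1(line):
    """Split a custom1 line from the right so the %tg timestamp (which contains a space) stays whole."""
    parts = line.strip().rsplit(None, 9)
    if len(parts) != 10:
        return None
    ts, ms, client, server, status, size, method, url, sni, proto = parts
    squid_status, _, http_status = status.partition("/")
    return {"time": ts, "ms": int(ms), "client": client, "server": server,
            "squid_status": squid_status, "http_status": http_status, "bytes": int(size),
            "method": method, "url": url, "sni": None if sni == "-" else sni, "proto": proto}

def triage(log_text, whitelist=WHITELIST):
    """Return (whitelisted SNIs that were not spliced, clients that sent no SNI).
    A spliced tunnel is logged as TCP_TUNNEL; anything else for a whitelisted name is the bug."""
    not_spliced, no_sni = [], []
    for line in log_text.splitlines():
        rec = parse_custom1(line)
        if rec is None:
            continue
        if rec["sni"] is None:
            no_sni.append(rec["client"])  # no name for ssl::server_name to match against
        elif sni_is_whitelisted(rec["sni"], whitelist) and rec["squid_status"] != "TCP_TUNNEL":
            not_spliced.append((rec["client"], rec["sni"], rec["squid_status"]))
    return not_spliced, no_sni
```

Run it over a real `access_custom1.log` and compare the `no_sni` list against the clients (curl vs Netty) that fail; a client that omits SNI gives the name-based whitelist nothing to match.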

