[squid-users] Help with transparent whitelisting proxy on Squid 4.4
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 27 10:31:53 UTC 2019
On 27/06/19 11:39 am, Jared Fox wrote:
> Hi Amos
>
> So i have tried the following based on your suggestions, but it is
> still failing and have errors below:
>
> 1. Switched to a wildcard whitelist instead of single domain
> 2. Updated the logformat to provide more information, see below:
> 3. Add in `--client-requested`, but this made no difference.
> 3a. Add to single ACL, acl domainIsWhitelisted ssl::server_name
> --client-requested cloudtrace.googleapis.com
> 3b. Commented out single record, switched to wildcard
> 3c. Add to wildcard
>
> Error messages and Logs:
>
> Access Log: 26/Jun/2019:23:18:38 96 REDACTED 216.58.200.106
> NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL:
> cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): -
> TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 -
> TLS/1.2 -
>
> Cache Log: 2019/06/26 23:18:38 kid1| ERROR: negotiating TLS on FD
> 11: error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher
> returned (1/-1/0)
>
This means the OpenSSL library being used by Squid does not contain any
support for the cipher(s) the server chose to use for this transaction.
The only way I am aware of to avoid it is to upgrade the OpenSSL
library Squid is built against.
> Can you please explain what you mean? What should this changed to so
> that it does work.
>
>> Please be aware that in your config the ssl::server_name ACL is *not* matching the SNI in your config.
>> - Your ssl_bump rules say "peek all" - so peek happens on the two Hello
>> messages. When the serverHello has been peek'd the real server name is
>> available from the servers own certificate.
>
To quote the ssl::server_name documentation:
"
# The ACL computes server name(s) using such information sources as
# CONNECT request URI, TLS client SNI, and TLS server certificate
# subject (CN and SubjectAltName). The computed server name(s) usually
# change with each SslBump step, as more info becomes available:
# * SNI is used as the server name instead of the request URI,
# * subject name(s) from the server certificate (CN and
# SubjectAltName) are used as the server names instead of SNI.
"
That last bullet point is what is/was happening with your original proxy
config.
The "--client-requested" flag overrides that and causes the SNI to be
used in the match even when server cert is known.
> Updated Squid.conf.
>
> # ===========================
> # Squid 4.7 Config - Work in Progress
> # ===========================
>
> acl localnet src 10.0.0.0/8 # Kubernetes VPC CIDR range
> acl SSL_ports port 443 # HTTPS
> acl Safe_ports port 80 # HTTP
> acl Safe_ports port 443 # HTTPS
> acl CONNECT method CONNECT # Traffic restriction
> acl step1 at_step SslBump1 # Needed by ssl-bump
>
> # -------------------------------
> # Whitelist the following Domains
> # -------------------------------
> # FQDN - Try to use FQDN
> acl domainIsWhitelisted ssl::server_name accounts.google.com
>
> # ----------------------------------------------
> # Wildcard
> acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.com
> acl domainIsWhitelisted ssl::server_name --client-requested .googleapis.l.google.com
> # -------------------------------
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Passively Intercepted HTTPS Traffic
> https_port 9091 cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private ssl-bump intercept
> acl step1 at_step SslBump1
> ssl_bump peek all
> ssl_bump splice domainIsWhitelisted
> ssl_bump terminate all
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Logging
> logformat custom1 %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv SSL: %ssl::>sni %ssl::bump_mode Client(Subject/Tx/Neg/Sup/Cip): %ssl::>cert_subject %ssl::>received_hello_version %ssl::>negotiated_version %ssl::>received_supported_version %ssl::>negotiated_cipher Server(Subject/Rx/Neg/Sup/Cip): %ssl::<cert_subject %ssl::<received_hello_version %ssl::<negotiated_version %ssl::<received_supported_version %ssl::<negotiated_cipher
> access_log daemon:/var/log/squid/access_custom1.log custom1
>
> # Listen on port 3128 for HTTP Connect method - unused and firewalled off.
> http_port 3128
NP: this is not about CONNECT method. It is about serving up error
pages, FTP listings, and all the icons/scripts/stylesheets etc embedded
in those.
Amos
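As an added example, not from the thread or from the Squid project: a parser for the custom1 logformat quoted above that classifies each CONNECT by its ssl_bump outcome, so the peek that never became a tunnel can be picked out of access.log and correlated with the cache.log TLS error. The sample lines are constructed; the first copies the thread's failing entry with an invented client address, the other two are made-up splice and terminate outcomes for contrast.

```python
"""Parse Squid access.log lines in the thread's custom1 logformat (added example)."""
import re
from collections import Counter
from typing import NamedTuple

# The logformat's literal labels are fixed text; the fields sit between them.
_LINE_RE = re.compile(
    r"^(?P<http>.+?) SSL: (?P<sni>\S+) (?P<mode>\S+) "
    r"Client\(Subject/Tx/Neg/Sup/Cip\): (?P<client>.+) "
    r"Server\(Subject/Rx/Neg/Sup/Cip\): (?P<server>.+)$")

# cert_subject, received_hello_version, negotiated_version, received_supported_version, negotiated_cipher
TlsSide = NamedTuple("TlsSide", [("subject", str), ("hello", str),
                                 ("negotiated", str), ("supported", str), ("cipher", str)])

class Record(NamedTuple):
    client_ip: str
    bytes_sent: int    # %<st, bytes delivered to the client
    url: str           # %ru, the CONNECT target (IP:443 when intercepted)
    sni: str           # %ssl::>sni, the name from the ClientHello
    bump_mode: str     # %ssl::bump_mode: peek, splice, terminate or bump
    client: TlsSide
    server: TlsSide

def parse_line(line: str) -> Record:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a custom1 line: {line!r}")
    # Last nine tokens of the HTTP part: %tg %6tr %>a %<A %Ss/%03>Hs %<st %rm %ru HTTP/%rv
    _ts, _dur, cip, _sip, _status, size, _rm, url, _rv = m["http"].split()[-9:]
    # cert_subject may contain spaces; the four fields after it never do.
    client, server = (TlsSide(*m[g].rsplit(" ", 4)) for g in ("client", "server"))
    return Record(cip, int(size), url, m["sni"], m["mode"], client, server)

def classify(rec: Record) -> str:
    if rec.bump_mode == "splice":
        return "spliced"         # whitelist matched, bytes tunnelled untouched
    if rec.bump_mode == "terminate":
        return "terminated"      # no whitelist match, connection closed by Squid
    if rec.bump_mode == "peek" and rec.bytes_sent == 0 and rec.server.cipher == "-":
        return "peek_no_tunnel"  # stuck at peek: correlate with cache.log TLS errors
    return "other"

def summarize(log_text: str) -> Counter:
    return Counter(classify(parse_line(l)) for l in log_text.splitlines() if l.strip())

# Constructed sample: line 1 is the thread's failing CONNECT (client IP invented), 2-3 are invented.
SAMPLE_LOG = """\
26/Jun/2019:23:18:38     96 10.0.1.23 216.58.200.106 NONE/200 0 CONNECT 216.58.200.106:443 HTTP/1.1 SSL: cloudtrace.googleapis.com peek Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - TLS/1.2 - TLS/1.2 -
26/Jun/2019:23:19:02    412 10.0.1.23 172.217.25.42 TCP_TUNNEL/200 5820 CONNECT 172.217.25.42:443 HTTP/1.1 SSL: accounts.google.com splice Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - - - - -
26/Jun/2019:23:19:40     15 10.0.1.23 93.184.216.34 NONE/200 0 CONNECT 93.184.216.34:443 HTTP/1.1 SSL: example.com terminate Client(Subject/Tx/Neg/Sup/Cip): - TLS/1.0 - TLS/1.2 - Server(Subject/Rx/Neg/Sup/Cip): - - - - -
"""
```

Run `summarize(open("/var/log/squid/access_custom1.log").read())` against a real log; a non-zero `peek_no_tunnel` count with `NONE/200` entries is the pattern to match up with `ERROR: negotiating TLS` lines in cache.log.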