[squid-users] site opens only without ssl bump

Majed Zouhairy m_zouhairy at ckta.by
Thu Nov 3 14:17:17 UTC 2022


here is the log:

1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667471161.771   1280 192.168.2.5 TCP_TUNNEL/200 3810944 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   5387 192.168.2.5 TCP_TUNNEL/200 5660 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   5146 192.168.2.5 TCP_TUNNEL/200 7630 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667471165.954   6320 192.168.2.5 TCP_TUNNEL/200 6714 CONNECT ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667471165.956   5727 192.168.2.5 TCP_TUNNEL/200 17517 CONNECT cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667471165.956   6198 192.168.2.5 TCP_TUNNEL/200 1323841 CONNECT ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667471165.956   5615 192.168.2.5 TCP_TUNNEL/200 4962 CONNECT cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667484144.825      2 192.168.2.5 TCP_HIT/200 5394 GET http://config.avtunproxy.nl/v5/update.bin - HIER_NONE/- application/octet-stream
1667484144.874     33 192.168.2.5 TCP_MISS/200 1439 GET http://rand.avtunproxy.nl/v1/cms? - HIER_DIRECT/80.249.80.83 application/cms
1667484144.888      1 192.168.2.5 TCP_HIT/200 1847 GET http://dev.avast.nl/ca/crl/devca.crl - HIER_NONE/- application/x-pkcs7-crl
1667484144.896      8 192.168.2.5 NONE_NONE/200 0 CONNECT ncis.nl:443 - HIER_NONE/- -
1667484144.910      1 192.168.2.5 TCP_HIT/200 966 GET http://dev.avast.nl/ca/crl/rootca.crl - HIER_NONE/- application/x-pkcs7-crl
1667484144.940      1 192.168.2.5 TCP_HIT/200 894 GET http://dev.avast.nl/ca/crl/stend-gossuok-root-2019.crl - HIER_NONE/- application/x-pkcs7-crl
1667484144.968      0 192.168.2.5 TCP_HIT/200 1612 GET http://dev.avast.nl/ca/crl/stend-gossuok-sub-2019.crl - HIER_NONE/- application/x-pkcs7-crl
1667484145.007      6 192.168.2.5 TCP_REFRESH_MODIFIED/301 865 GET http://ncis.nl/wp-content/uploads/certificates/pki/kuc.crl - HIER_DIRECT/185.227.96.82 text/html
1667484145.058     17 192.168.2.5 NONE_NONE/200 0 CONNECT ncis.nl:443 - HIER_NONE/- -
1667484145.093      2 192.168.2.5 TCP_HIT/200 2128 GET http://dev.avast.nl/ca/cert/rootca.cer - HIER_NONE/- application/pkix-cert
1667484145.102      8 192.168.2.5 TCP_REFRESH_MODIFIED/301 865 GET http://ncis.nl/wp-content/uploads/certificates/pki/ruc.crl - HIER_DIRECT/185.227.96.82 text/html
1667484145.104      0 192.168.2.5 TCP_HIT/200 1366 GET http://dev.avast.nl/ca/cert/stend-gossuok-root-2019.cer - HIER_NONE/- application/pkix-cert
1667484145.134     18 192.168.2.5 TCP_REFRESH_MODIFIED/301 533 GET http://cdn.nlpost.nl/storage/file-manager/sertifikaty/kuc_62BNcDsS.cer - HIER_DIRECT/212.98.164.68 text/html
1667484145.175     16 192.168.2.5 NONE_NONE/200 0 CONNECT cdn.nlpost.nl:443 - HIER_NONE/- -
1667484145.464      9 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667484146.685   1220 192.168.2.5 TCP_TUNNEL/500 3813629 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667484146.701      9 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667484172.449      9 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484172.451      4 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484173.515      7 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484173.527      8 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484175.822    318 192.168.2.5 NONE_NONE/200 0 CONNECT autoupdate.geo.opera.com:443 - HIER_DIRECT/82.145.216.19 -
1667484178.545      8 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484178.570      5 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484178.571      5 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
1667484205.078  60019 192.168.2.5 TCP_TUNNEL/200 5091 CONNECT ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667484205.525  60629 192.168.2.5 TCP_TUNNEL/200 1327955 CONNECT ncis.nl:443 - HIER_DIRECT/185.227.96.82 -
1667484205.532  60357 192.168.2.5 TCP_TUNNEL/200 17517 CONNECT cdn.nlpost.nl:443 - HIER_DIRECT/212.98.164.68 -
1667484206.373      1 192.168.2.5 TCP_HIT/200 1203 GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl - HIER_NONE/- application/pkix-crl
1667484206.429     31 192.168.2.5 TCP_MISS/304 430 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - HIER_DIRECT/93.184.221.240 -
1667484206.474     25 192.168.2.5 TCP_MISS/304 430 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_DIRECT/93.184.221.240 -
1667484206.752  60050 192.168.2.5 TCP_TUNNEL/200 7630 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -


I added the following line to squid:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail

with either

ssl_bump peek all
ssl_bump splice all

or

ssl_bump peek tls_s1_connect
ssl_bump splice all

it still does not work.


On 11/3/22 16:05, Alex Rousskov wrote:
> On 11/3/22 05:43, Majed Zouhairy wrote:
> 
>> I have 2 proxies, one with ssl bump and one without; there is an 
>> internal site that opens only on the no-ssl-bump proxy.
>>
>> on the ssl bump proxy it displays:
> 
> 
> What does Squid say in access.log for this problematic request? Please 
> configure Squid to log %err_code/%err_detail before answering this 
> question. For example:
> 
> logformat xsquid ...your regular %codes... %err_code/%err_detail
> access_log ... xsquid
> 
> 
> 
> Does the site work if you temporarily replace your ssl_bump rules with:
> 
> ssl_bump peek all
> ssl_bump splice all
> 
> 
> Does the site work if you temporarily replace your ssl_bump rules with:
> 
> ssl_bump peek tls_s1_connect
> ssl_bump splice all
> 
> 
> Alex.
> 
> 
> 
> 
>> Unable to access the site. The web page at 
>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback may be temporarily unavailable or may have been permanently moved to a new address.
>> ERR_TUNNEL_CONNECTION_FAILED
>>
>> the site needs special configurations to run:
>> it needs a local proxy to run, avtunproxy.nl
>> in the internet explorer settings:
>> the second box in the proxy settings needs to be checked called the 
>> "use the scenario for automatic configuration"
>> in it, the proxy address is plugged
>> http://127.0.0.1:10224/proxy.pac
>>
>> my bump settings are as follows:
>>
>>
>> acl     tls_s1_connect          at_step SslBump1
>> acl     tls_s2_client_hello     at_step SslBump2
>> acl     tls_s3_server_hello     at_step SslBump3
>>
>> # define acls for sites that must not be actively bumped
>>
>> acl     tls_allowed_hsts        ssl::server_name    .akamaihd.net
>> acl     tls_allowed_hsts        ssl::server_name    .proxy.ckko.nl
>> acl     tls_server_is_bank      ssl::server_name    "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>> acl     tls_to_splice           any-of              tls_allowed_hsts tls_server_is_bank
>>
>> # TLS/SSL bumping steps
>>
>> ssl_bump    peek      tls_s1_connect    # peek at TLS/SSL connect data
>> ssl_bump    splice    tls_to_splice     # splice some: no active bump
>> ssl_bump    stare     all               # stare(peek) at server properties of the webserver
>> ssl_bump    bump
>>
>> contents of the /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>
>> .ckko.nl
>> .ias.ckko.nl
>> .test-auth.ias.ckko.nl
>> .config.avtunproxy.nl
>> .rand.avtunproxy.nl
>> .avast.nl
>> .dev.avast.nl
>> .ncis.nl
>> .cdn.nlpost.nl
>>
>> those are all the sites that are logged in on the non ssl bump proxy 
>> when ias.ckko.nl is accessed
>>
>> despite all this configuration, the site does not open. in ufdbguard 
>> every site from the user is a pass.
>>
>> in the avtunproxy log:
>>
>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log
>>
>>
>> what is the solution?
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
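
Added example, not part of this thread or of the Squid project: a small Python parser for access.log lines written with the logformat quoted above (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail). The field names are my own labels for the format tokens. It reports which CONNECT requests ended with a non-2xx status (the TCP_TUNNEL/500 to ckko.nl:443 in the posted log) and whether the trailing %err_code/%err_detail token is present at all: the posted lines have only ten whitespace-separated tokens, so the parser reports those fields as absent, which is the first thing to check before reading the log for the error Alex asked about. One extra line with placeholder error values is constructed (not from the thread) to show the eleven-token form.

```python
"""Parse Squid access.log lines in the custom logformat quoted in the thread.

Added example; not code from the original post or from Squid.  Field names
are my own labels for the tokens of the format string

  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the posted access.log (wrapped lines rejoined).
SAMPLE_LOG = """\
1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667471161.771   1280 192.168.2.5 TCP_TUNNEL/200 3810944 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667484145.464      9 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -
1667484146.685   1220 192.168.2.5 TCP_TUNNEL/500 3813629 CONNECT ckko.nl:443 - HIER_DIRECT/178.172.163.30 -
1667484144.825      2 192.168.2.5 TCP_HIT/200 5394 GET http://config.avtunproxy.nl/v5/update.bin - HIER_NONE/- application/octet-stream
1667484172.449      9 192.168.2.5 NONE_NONE/200 0 CONNECT test-auth.ais.ckko.nl:443 - HIER_NONE/- -
"""

# Constructed line (not from the thread): the same format with the trailing
# %err_code/%err_detail token present.  The error values are placeholders.
SAMPLE_WITH_ERR = (
    "1667484146.685   1220 192.168.2.5 TCP_TUNNEL/500 3813629 CONNECT ckko.nl:443 "
    "- HIER_DIRECT/178.172.163.30 - ERR_PLACEHOLDER/DETAIL_PLACEHOLDER"
)


@dataclass
class Entry:
    ts: float            # %ts.%03tu
    tr_ms: int           # %6tr  (response time in ms)
    client: str          # %>a
    squid_status: str    # %Ss
    http_status: int     # %03>Hs
    size: int            # %<st
    method: str          # %rm
    url: str             # %ru
    user: str            # %[un
    hier_code: str       # %Sh
    server: str          # %<a
    mime: str            # %mt
    err_code: Optional[str] = None    # %err_code, None when the token is absent
    err_detail: Optional[str] = None  # %err_detail, None when the token is absent


def parse_line(line: str) -> Entry:
    """Split one access.log line into its fields.

    The format has 11 whitespace-separated tokens when %err_code/%err_detail
    is written and 10 when the line came from a logformat without that token.
    """
    parts = line.split()
    if len(parts) < 10:
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    squid_status, http_status = parts[3].split("/", 1)
    hier_code, server = parts[8].split("/", 1)
    entry = Entry(float(parts[0]), int(parts[1]), parts[2], squid_status,
                  int(http_status), int(parts[4]), parts[5], parts[6],
                  parts[7], hier_code, server, parts[9])
    if len(parts) >= 11:
        # Everything after %mt is the error token; rejoin in case the detail has spaces.
        err_code, _, err_detail = " ".join(parts[10:]).partition("/")
        entry.err_code, entry.err_detail = err_code, err_detail
    return entry


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_tunnels(entries: List[Entry]) -> List[Entry]:
    """CONNECT requests whose HTTP status is not 2xx (e.g. TCP_TUNNEL/500)."""
    return [e for e in entries
            if e.method == "CONNECT" and not 200 <= e.http_status < 300]


def has_error_fields(entries: List[Entry]) -> bool:
    """True if at least one line carries the %err_code/%err_detail token.

    False for a log captured after the token was added to the logformat means
    the access_log directive is not writing with that logformat.
    """
    return any(e.err_code is not None for e in entries)


def status_summary(entries: List[Entry]) -> Counter:
    """Count (url, method, squid_status/http_status) triples."""
    return Counter((e.url, e.method, f"{e.squid_status}/{e.http_status}")
                   for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("err_code/err_detail present:", has_error_fields(entries))
    for e in failed_tunnels(entries):
        print(f"failed tunnel: {e.url} {e.squid_status}/{e.http_status} via {e.server}")
    for key, n in status_summary(entries).most_common():
        print(n, *key)
```

Run it as-is to see the report for the embedded sample; point parse_log at the real file contents to run it over a full access.log. The split-by-whitespace approach relies on Squid's URL-encoding of %ru, which is why the only token rejoined is the trailing error one.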