[squid-users] Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic
Alex Rousskov
rousskov at measurement-factory.com
Fri Aug 23 13:18:28 UTC 2024
On 2024-08-23 06:29, ngtech1ltd at gmail.com wrote:
> OK so the issue was that:
>
> The http_port was used for ssl bump with intercept
I would not phrase it that way because "bump" is a red herring here. I
would instead say that the issue was that "http_port was used for
intercepted TLS traffic" or "intercepted TLS traffic was directed to
http_port".
> while the only port which can really intercept ssl connections is:
> https_port
Correct (for some definition of "ssl connections").
> so I believe that ...
> When there is http_port and intercept and ssl_bump there should be a
> warning.
When configuration X does not work for use case Y, there are several
scenarios to consider when deciding whether Squid should warn about
configuration X, including these three:
* When configuration X does not work at all, Squid should reject that
configuration as invalid. It is not a warning; it is an error. This is
not the case we are discussing (AFAICT) because "http_port intercept
ssl-bump" does work in some cases.
* When configuration X does not work for use case Y, Squid should reject
that configuration as invalid _if_ Squid can detect that it is being
used for use case Y. This is not the case we are discussing (AFAICT)
because Squid cannot detect (at configuration time) what traffic you
intend to intercept and redirect to a given Squid port: It could be TLS.
It could be plain HTTP. It could be a mix. Squid cannot tell.
* When an unusual configuration X does not work for common use cases,
Squid may warn about it while giving the admin an ability to turn the
warning off (to accommodate admins that utilize that configuration for
some uncommon but valid use cases). One can argue that this is the case
we are discussing: "http_port intercept ssl-bump" configuration in
question is unusual, does not work for common TLS interception cases,
but can be used (AFAICT) to bump traffic between a client and an HTTP
proxy. Quality pull requests (that take this email considerations into
account) are welcome.
HTH,
Alex.
> *From:* NgTech LTD <ngtech1ltd at gmail.com>
> *Sent:* Monday, August 19, 2024 10:48 AM
> *To:* Squid Users <squid-users at lists.squid-cache.org>
> *Subject:* Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic
>
> I am testing Squid 6.10 on Fedora 40 (their package).
> And it seems that Squid is unable to bump clients (ESNI/ECH)?
>
> I had couple iterations of pek stare and bump and I am not sure what is
> the reason for that:
> shutdown_lifetime 3 seconds
> external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10
> children-startup=2 \
> children-idle=2 concurrency=10 %URI %SRC
> /usr/local/bin/squid-conf-url-lookup.rb
> acl whitelist-lookup external whitelist-lookup-helper
> acl ytmethods method POST GET
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 <http://10.0.0.0/8> # RFC 1918
> local private network (LAN)
> acl localnet src 100.64.0.0/10 <http://100.64.0.0/10> # RFC
> 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16 <http://169.254.0.0/16> # RFC
> 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12 <http://172.16.0.0/12> # RFC
> 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16 <http://192.168.0.0/16> # RFC
> 1918 local private network (LAN)
> acl localnet src fc00::/7 # RFC 4193 local private network
> range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny to_localhost
> http_access deny to_linklocal
> acl tubedoms dstdomain .ytimg.com <http://ytimg.com> .youtube.com
> <http://youtube.com> .youtu.be <http://youtu.be>
> http_access allow ytmethods localnet tubedoms whitelist-lookup
> http_access allow localnet
> http_access deny all
> http_port 3128
> http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> tls-key=/etc/squid/ssl/key.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> tls-key=/etc/squid/ssl/key.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem
> tls-key=/etc/squid/ssl/key.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> /var/spool/squid/ssl_db -M 4MB
> sslcrtd_children 5
> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
> acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
> on_unsupported_protocol tunnel foreignProtocol
> on_unsupported_protocol tunnel serverTalksFirstProtocol
> on_unsupported_protocol respond all
> acl monitoredSites ssl::server_name .youtube.com <http://youtube.com>
> .ytimg.com <http://ytimg.com>
> acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
> acl serverIsBank ssl::server_name .visa.com <http://visa.com>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump bump all
> strip_query_terms off
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> %[un %Sh/%<a %mt %ssl::>sni
> access_log daemon:/var/log/squid/access.log ssl_custom_format
> ##EOF
>
> access.log from before:
> 1724028804.797 486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT
> 40.126.31.73:443 <http://40.126.31.73:443> - ORIGINAL_DST/40.126.31.73
> <http://40.126.31.73> - -
> 1724028805.413 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.028 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.028 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.029 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.030 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.085 57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT
> 104.18.72.113:443 <http://104.18.72.113:443> -
> ORIGINAL_DST/104.18.72.113 <http://104.18.72.113> - -
> 1724028806.086 56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT
> 104.18.72.113:443 <http://104.18.72.113:443> -
> ORIGINAL_DST/104.18.72.113 <http://104.18.72.113> - -
> 1724028806.086 56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT
> 104.18.72.113:443 <http://104.18.72.113:443> -
> ORIGINAL_DST/104.18.72.113 <http://104.18.72.113> - -
> 1724028806.208 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.213 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.338 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.469 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028806.596 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028807.006 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028807.262 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028808.922 5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT
> 13.107.246.60:443 <http://13.107.246.60:443> -
> ORIGINAL_DST/13.107.246.60 <http://13.107.246.60> - -
> 1724028812.906 8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT
> 104.126.37.171:443 <http://104.126.37.171:443> -
> ORIGINAL_DST/104.126.37.171 <http://104.126.37.171> - -
> 1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT
> 142.250.186.34:443 <http://142.250.186.34:443> -
> ORIGINAL_DST/142.250.186.34 <http://142.250.186.34> - -
> 1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT
> 142.250.184.246:443 <http://142.250.184.246:443> -
> ORIGINAL_DST/142.250.184.246 <http://142.250.184.246> - -
> 1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT
> 216.58.206.65:443 <http://216.58.206.65:443> -
> ORIGINAL_DST/216.58.206.65 <http://216.58.206.65> - -
> 1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT
> 142.250.181.227:443 <http://142.250.181.227:443> -
> ORIGINAL_DST/142.250.181.227 <http://142.250.181.227> - -
> 1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT
> 172.217.16.196:443 <http://172.217.16.196:443> -
> ORIGINAL_DST/172.217.16.196 <http://172.217.16.196> - -
> 1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT
> 142.250.185.238:443 <http://142.250.185.238:443> -
> ORIGINAL_DST/142.250.185.238 <http://142.250.185.238> - -
> 1724028830.336 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028830.781 444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT
> 40.126.31.73:443 <http://40.126.31.73:443> - ORIGINAL_DST/40.126.31.73
> <http://40.126.31.73> - -
> 1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT
> 13.107.6.158:443 <http://13.107.6.158:443> - ORIGINAL_DST/13.107.6.158
> <http://13.107.6.158> - -
> 1724028849.443 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028849.698 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028865.261 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028865.779 517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT
> 40.126.31.73:443 <http://40.126.31.73:443> - ORIGINAL_DST/40.126.31.73
> <http://40.126.31.73> - -
> 1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT
> 20.42.65.94:443 <http://20.42.65.94:443> - ORIGINAL_DST/20.42.65.94
> <http://20.42.65.94> - -
> 1724028871.179 64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT
> 104.18.10.207:443 <http://104.18.10.207:443> -
> ORIGINAL_DST/104.18.10.207 <http://104.18.10.207> - -
> 1724028871.179 63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT
> 142.250.186.99:443 <http://142.250.186.99:443> -
> ORIGINAL_DST/142.250.186.99 <http://142.250.186.99> - -
> 1724028871.179 64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT
> 142.250.185.170:443 <http://142.250.185.170:443> -
> ORIGINAL_DST/142.250.185.170 <http://142.250.185.170> - -
> 1724028871.308 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028871.731 422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT
> 40.126.31.73:443 <http://40.126.31.73:443> - ORIGINAL_DST/40.126.31.73
> <http://40.126.31.73> - -
> 1724028872.486 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028873.477 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028873.745 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028873.902 424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT
> 40.126.31.73:443 <http://40.126.31.73:443> - ORIGINAL_DST/40.126.31.73
> <http://40.126.31.73> - -
> 1724028877.056 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028877.060 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028877.060 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028877.060 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT
> 142.250.186.78:443 <http://142.250.186.78:443> -
> ORIGINAL_DST/142.250.186.78 <http://142.250.186.78> - -
> 1724028878.800 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028878.920 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028879.072 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028880.808 7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT
> 104.126.37.145:443 <http://104.126.37.145:443> -
> ORIGINAL_DST/104.126.37.145 <http://104.126.37.145> - -
> 1724028882.468 33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT
> 49.12.59.2:443 <http://49.12.59.2:443> - ORIGINAL_DST/49.12.59.2
> <http://49.12.59.2> - -
> 1724028883.728 6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT
> 52.216.185.251:443 <http://52.216.185.251:443> -
> ORIGINAL_DST/52.216.185.251 <http://52.216.185.251> - -
> 1724028883.789 6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT
> 52.216.185.251:443 <http://52.216.185.251:443> -
> ORIGINAL_DST/52.216.185.251 <http://52.216.185.251> - -
> 1724028883.797 6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT
> 52.216.185.251:443 <http://52.216.185.251:443> -
> ORIGINAL_DST/52.216.185.251 <http://52.216.185.251> - -
> 1724028883.845 6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT
> 52.216.185.251:443 <http://52.216.185.251:443> -
> ORIGINAL_DST/52.216.185.251 <http://52.216.185.251> - -
> 1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT
> 185.199.108.153:443 <http://185.199.108.153:443> -
> ORIGINAL_DST/185.199.108.153 <http://185.199.108.153> - -
> 1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT
> 104.126.37.161:443 <http://104.126.37.161:443> -
> ORIGINAL_DST/104.126.37.161 <http://104.126.37.161> - -
> 1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT
> 23.37.37.211:443 <http://23.37.37.211:443> - ORIGINAL_DST/23.37.37.211
> <http://23.37.37.211> - -
> 1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT
> 2.18.140.238:443 <http://2.18.140.238:443> - ORIGINAL_DST/2.18.140.238
> <http://2.18.140.238> - -
> 1724028891.212 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028891.365 152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT
> 142.250.185.138:443 <http://142.250.185.138:443> -
> ORIGINAL_DST/142.250.185.138 <http://142.250.185.138> - -
> 1724028893.885 90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT
> 13.107.246.60:443 <http://13.107.246.60:443> -
> ORIGINAL_DST/13.107.246.60 <http://13.107.246.60> - -
> 1724028900.169 0 192.168.78.15 NONE_NONE/000 0 -
> error:invalid-request - HIER_NONE/- - -
> 1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT
> 52.123.243.197:443 <http://52.123.243.197:443> -
> ORIGINAL_DST/52.123.243.197 <http://52.123.243.197> - -
> 1724028960.494 60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT
> 172.217.16.206:443 <http://172.217.16.206:443> -
> ORIGINAL_DST/172.217.16.206 <http://172.217.16.206> - -
> 1724028960.494 0 192.168.78.15 NONE_NONE/000 0 -
> error:transaction-end-before-headers - HIER_NONE/- - -
>
> Thanks for any help,
>
>
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com <mailto:ngtech1ltd at gmail.com>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list