Re: [squid-users] Call for adaptation after sni peeked

2019-10-28 Thread Jatin Bhasin
Hi Alex,

If I use below squid configuration:

ssl_bump peek step1
ssl_bump splice all

I would see the fake CONNECT request in step 2 as well. I did not check Squid
version 4, but Squid version 3 will send the second fake CONNECT to the eCAP
adapter only if we splice at step 2, which will be true in the above configuration.
But I don't want to splice at step 2, well, not always. I want my eCAP adapter
to get the fake CONNECT in all cases in step 2 so that I can then make a
decision at step 2 whether to splice or bump.
In other words, at the end of step 1 Squid could make a call to the adaptation
ACL (it does not currently), which will help to make decisions based on the SNI
(if available).

As per my understanding, Squid makes a call to the adaptation ACL in the following
cases:
Step 1 - at the start of the connection, but here only the IP is available.
Step 2 - only when splicing.
I did not check any further from here because by then it is mostly too late to
bump anyway.

I am happy to send the following to another group if you can suggest one:
I made a manual code change to call the adaptation ACL at the end of step 1, and I
was able to send the fake CONNECT with the SNI to eCAP. I wanted to understand from
the experts whether these changes are incorrect and may cause issues in some cases
I don't know about.

Thanks,
Jatin

On Thu., 24 Oct. 2019, 07:55 Alex Rousskov, <
rouss...@measurement-factory.com> wrote:

> On 10/23/19 3:37 PM, Jatin Bhasin wrote:
>
> > This question is related to ssl decryption and ecap adaptation call.
> > When the ssl connection starts then before it even extracts sni squid
> sends
> > fakeConnect which comes to ecap as well.
>
> Yes, this happens during SslBump step1 as described at
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
>
> > I am using peek in step 1 and after fakeConnect squid extracts the sni,
> > but at this point squid does not make another call to ecap.
>
> According to the above wiki page (and my understanding of how SslBump
> should work), Squid should make another adaptation pass during step2.
> You may want to make sure that your Squid does not discover some error
> _before_ it can start doing eCAP during step2.
>
> If your eCAP service does not see the second CONNECT (during step2), I
> suggest using the latest Squid v4 with the following "minimal" SslBump
> configuration:
>
> ssl_bump peek step1
> ssl_bump splice all
>
> Does the above work without problems when eCAP is turned off?
>
> Does the above deliver the second CONNECT to eCAP when it is enabled?
>
>
> > This function in squid is startPeekAndSpliceDone in file
> > client_side.cc
>
>
> We should not be discussing code details on squid-users, but the latest
> Squid v4 does not have that function AFAICT:
>
> > $ git grep startPeekAndSpliceDone SQUID_4_8 | wc -l
> > 0
>
>
> Alex.
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


[squid-users] Call for adaptation after sni peeked

2019-10-23 Thread Jatin Bhasin
Hi All,

This question is related to ssl decryption and ecap adaptation call.
When the ssl connection starts then before it even extracts sni squid sends
 fakeConnect which comes to ecap as well.
I am using peek in step 1 and after fakeConnect squid extracts the sni, but
at this point squid does not make another call to ecap. This function in
squid is startPeekAndSpliceDone in file client_side.cc
In this function it only makes a call to acl for ssl bump to check but no
call to ecap adaptation checks.

I was hoping at this point I can put a call to http->doCallouts which can
make the call to ecap adapter and this time we have sni as well?

I needed this functionality as I want to make the decision using sni
whether to bump the connection or not.

Thanks,


[squid-users] Call for adaptation after sni peeked

2019-10-22 Thread Jatin Bhasin
Hi All,

This question is related to ssl decryption and ecap adaptation call.
When the ssl connection starts then before it even extracts sni squid sends
 fakeConnect which comes to ecap as well.
I am using peek in step 1 and after fakeConnect squid extracts the sni, but
at this point squid does not make another call to ecap. This function in
squid is startPeekAndSpliceDone in file client_side.cc
In this function it only makes a call to acl for ssl bump to check but no
call to ecap adaptation checks.

I was hoping at this point I can put a call to http->doCallouts which can
make the call to ecap adapter and this time we have sni as well?

I needed this functionality as I want to make the decision using sni
whether to bump the connection or not.

Thanks,
Jatin Bhasin


Re: [squid-users] Squid SNI at Step 2

2015-10-27 Thread Jatin Bhasin
Hi Amos,

My client is sending sni. I have checked this. Squid only generates SNI
fake connect at step2 if sslbump action is splice. For all other ssl bump
actions it does not generate fake connect with sni.
Is this a bug or limitation in squid? Do you plan in future to change it?

Thanks
Jatin
On 27 Oct 2015 1:52 am, "Amos Jeffries" <squ...@treenet.co.nz> wrote:

> On 27/10/2015 1:34 a.m., Jatin Bhasin wrote:
> > Hello,
> >
> > I am running squid 3.5.10 for bumping transparent SSL connections To
> > achieve this I am using following squid configuration for SSL Bumping.
> >
> > acl nobumpSites ssl::server_name "/etc/squid/allowed_SSL_sites.txt"
> > ssl_bump peek step1 all
> > ssl_bump peek step2 nobumpSites
> > ssl_bump bump step3 nobumpSites
> > ssl_bump bump all
> >
> >
> > File "/etc/squid/allowed_SSL_sites.txt" contains www.facebook.com.
> >
> > On reading documentation I understood that I should see a Fake CONNECT
> > request for Facebook.com IP address as below:
> >
> > TAG_NONE/200 0 CONNECT 17.151.224.13:443 - ORIGINAL_DST/17.151.224.13
> >
> > And at Step2 there should be a Fake CONNECT request for SNI
> > information extracted.
>
> Only if SNI is actually sent by the client. It is not guaranteed to be
> sent.
>
> Amos
>
>


Re: [squid-users] Squid SNI at Step 2

2015-10-26 Thread Jatin Bhasin
Hi Alex,

Thanks. I understand this. I want a mechanism by which Squid can send
the fake CONNECT with the SNI as the HOST request to the eCAP adapter so that I can
decide whether to bump this connection or not. So do you think this
will not be possible in the current release of Squid?

Squid does not generate the SNI fake CONNECT until we splice at step 2. Do
you know why Squid does not generate the fake CONNECT request for the
bump and peek actions at step 2?


Thanks,
Jatin



On Tue, Oct 27, 2015 at 4:20 AM, Alex Rousskov
<rouss...@measurement-factory.com> wrote:
> On 10/26/2015 06:34 AM, Jatin Bhasin wrote:
>
>> I am running squid 3.5.10 for bumping transparent SSL connections To
>> achieve this I am using following squid configuration for SSL Bumping.
>>
>> ssl_bump peek step1 all
>> ssl_bump peek step2 nobumpSites
>> ssl_bump bump step3 nobumpSites
>> ssl_bump bump all
>
>
> In the latest Squids, the above config probably does not do what you
> want. For nobumpSites, your config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump peek step2
>   ssl_bump bump step3
>
> which does not work in most cases -- you cannot bump after peeking at step2.
>
> For all other sites, you config is equivalent to:
>
>   ssl_bump peek step1
>   ssl_bump bump step2
>
> which works.
>
>
> If you want to bump everything, then this should work:
>
>   ssl_bump stare all
>   ssl_bump bump all
>
> If you want to bump everything other than nobumpSites (which needs SNI),
> then start with something like this:
>
>   ssl_bump peek step1
>   ssl_bump splice nobumpSites
>   ssl_bump bump all
>
>
> HTH,
>
> Alex.
>
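The per-step rule evaluation Alex walks through in the reply quoted above (and the peek/splice configuration from the 2019 thread at the top of this page) can be checked mechanically. The following is an added example, not Squid's own code: a small model of first-match ssl_bump evaluation at each SslBump step. It assumes that a step1 peek is what makes the SNI available to an ssl::server_name ACL, treats a step with no matching rule as a splice, and goes slightly beyond the thread by also flagging the mirror case (splice after a step2 stare).

```python
"""Model of Squid ssl_bump first-match evaluation over SslBump steps 1-3.

Added example (not Squid's own code) covering only what this thread uses:
step1/step2/step3 and 'all' ACLs, one ssl::server_name ACL whose SNI is
known only after a step1 peek, and the rule that bumping after a step2
peek (or splicing after a step2 stare) cannot be honoured.
"""
from typing import Dict, List, Optional, Set, Tuple

FINAL_ACTIONS = {"splice", "bump", "terminate"}   # end evaluation
DEFERRING_ACTIONS = {"peek", "stare"}             # decide at a later step

# Contents of /etc/squid/allowed_SSL_sites.txt as described in the thread.
SERVER_NAME_ACLS: Dict[str, Set[str]] = {"nobumpSites": {"www.facebook.com"}}

# The configuration posted by Jatin and the one Alex suggested instead.
ORIGINAL_CONF = """
acl nobumpSites ssl::server_name "/etc/squid/allowed_SSL_sites.txt"
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump bump step3 nobumpSites
ssl_bump bump all
"""
SUGGESTED_CONF = """
ssl_bump peek step1
ssl_bump splice nobumpSites
ssl_bump bump all
"""


class SslBumpRule:
    def __init__(self, action: str, acls: List[str]) -> None:
        self.action = action
        self.acls = acls  # every ACL named on the line must match (AND)


def parse_rules(conf: str) -> List[SslBumpRule]:
    """Collect the ssl_bump lines of a squid.conf fragment in file order."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "ssl_bump":
            rules.append(SslBumpRule(parts[1], parts[2:]))
    return rules


def acl_matches(acl: str, step: int, sni: Optional[str]) -> bool:
    if acl == "all":
        return True
    if acl in ("step1", "step2", "step3"):
        return step == int(acl[-1])
    if acl in SERVER_NAME_ACLS:
        # At step1 only the destination IP is known, so in this model an
        # ssl::server_name ACL cannot match until the hello has been peeked.
        return sni is not None and sni in SERVER_NAME_ACLS[acl]
    raise ValueError(f"ACL not modelled here: {acl}")


def evaluate(rules: List[SslBumpRule], client_sni: str) -> List[Tuple[int, str]]:
    """Return the (step, action) decisions for one connection: first matching
    rule per step, stopping at the first final action."""
    decisions: List[Tuple[int, str]] = []
    sni: Optional[str] = None  # not yet extracted from the client hello
    for step in (1, 2, 3):
        action = "splice"  # assumption: no matching rule means no decryption
        for rule in rules:
            if all(acl_matches(acl, step, sni) for acl in rule.acls):
                action = rule.action
                break
        if step == 3 and action in DEFERRING_ACTIONS:
            # Assumption of this model: a peek/stare still matching at step3
            # resolves to the outcome it preserved (splice/bump respectively).
            action = "splice" if action == "peek" else "bump"
        decisions.append((step, action))
        if action in FINAL_ACTIONS:
            break
        sni = client_sni  # peeking/staring at step1 reveals the SNI
    return decisions


def problems(decisions: List[Tuple[int, str]]) -> List[str]:
    """Flag decision sequences that Squid cannot honour."""
    by_step = dict(decisions)
    final = decisions[-1][1]
    found = []
    if by_step.get(2) == "peek" and final == "bump":
        found.append("bump after peeking at step2 does not work")
    if by_step.get(2) == "stare" and final == "splice":
        found.append("splice after staring at step2 does not work")
    return found


def analyse(conf: str, client_sni: str) -> Tuple[List[Tuple[int, str]], List[str]]:
    decisions = evaluate(parse_rules(conf), client_sni)
    return decisions, problems(decisions)


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("suggested", SUGGESTED_CONF)):
        for site in ("www.facebook.com", "www.example.com"):
            print(label, site, *analyse(conf, site))
```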


[squid-users] Squid SSL Bump Certificates

2015-01-18 Thread Jatin Bhasin
Hello,

I am using squid 3.4.9 with SSL Bump feature. I am using the following
https_port directive.

https_port 8090 tproxy ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=Certficate key=Key


I am unable to find out where all the certificates are being stored. I
was wondering if I could do the following if I am able to find the
location where squid stores these certificates:

1) Expiration Dates on the certificates
2) Common name mismatches
3) Self Signed Certificates

Also I would like to know if squid checks for Revocation Status
(CRL/OCSP) of the certificate.


Thanks,


[squid-users] SslBump Squid - Dropbox client does not work

2014-11-10 Thread Jatin Bhasin
Hello,

I am using squid 3.4.9 and the Dropbox client does not work with the
SSLBump feature of squid. The Dropbox client gives a message that it
cannot make a secure connection. Does anyone know a fix or workaround for
this issue?


Thanks,
Jatin


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-10-12 Thread Jatin Bhasin
Hi Alex,

I think I have found the reason why the annotation from the eCAP
adapter is NOT being passed to NoteData.cc. But I still need your
suggestion to fix this.

So here is my analysis:

1) In src/acl/NoteData.cc, function ACLNoteData::match(HttpRequest *request):

    if (request->notes != NULL && matchNotes(request->notes.getRaw()))
        return true;    // used when there is a "note" directive in squid.conf

    if (ah != NULL && ah->metaHeaders != NULL &&
            matchNotes(ah->metaHeaders.getRaw()))
        return true;    // used when there is "adaptation_meta" in squid.conf

2) In src/adaptation/ecap/XactionRep.cc, function
Adaptation::Ecap::XactionRep::start():

    if (ah != NULL) {
        // retrying=false because ecap never retries transactions
        adaptHistoryId = ah->recordXactStart(service().cfg().key,
                                             current_time, false);
        typedef Notes::iterator ACAMLI;
        for (ACAMLI i = Adaptation::Config::metaHeaders.begin();
                i != Adaptation::Config::metaHeaders.end(); ++i) {
            const char *v = (*i)->match(request, reply);
            if (v) {
                if (ah->metaHeaders == NULL)
                    ah->metaHeaders = new NotePairs();
                if (!ah->metaHeaders->hasPair((*i)->key.termedBuf(), v))
                    ah->metaHeaders->add((*i)->key.termedBuf(), v);
            }
        }
    }


As per the above code, ah->metaHeaders will only be populated if the
adaptation_meta option is present in the squid.conf file.

So in my case ah->metaHeaders is NULL. (And when I added
"adaptation_meta X-Virus-ID yes all" to squid.conf then I could get a
match on my toBump acl and hence my CONNECT transaction was bumped.
But I want to achieve the same behavior using the eCAP adapter.)


Also I changed the squid.conf file for access.log as below:
logformat with_note %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %note %adapt::<last_h


And I could see the eCAP adapter's X-Virus-ID:yes in the access.log
(%adapt::<last_h).

So, I think I am very close to passing X-Virus-ID:yes as a meta header.
Can you suggest how I can do it? (I think it may require a code
change in XactionRep.cc but I am not sure.) Please suggest.

Thanks,
Jatin




On Sat, Oct 11, 2014 at 2:03 PM, Jatin Bhasin jbhasi...@gmail.com wrote:
 Hi Alex,

 I changed my ACLs a bit to see annotations in the access.log file. My web
 browser is pointed to squid port 3127.

 So squid.conf is as below:  (first two lines are for note logging as
 you suggested.)
 -
 logformat with_note %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
 %Sh/%<a %mt %note
 access_log /var/log/squid/access.log with_note
 adaptation_masterx_shared_names X-Virus-ID
 acl toBump note X-Virus-ID yes
 acl p3127 myportname 3127
 ssl_bump client-first p3127  (Hence all requests will be bumped.)

 I made changes to the eCap adapter as you had suggested. But I do not
 see any annotations in access.log file.


 1412995864.045  7 10.100.249.11 TAG_NONE/200 0 CONNECT
 www.bwin.com:443 - HIER_NONE/- - -
 1412995867.108   2573 10.100.249.11 TCP_MISS/200 10122 GET
 https://www.bwin.com/ - HIER_DIRECT/195.72.134.135 text/html -


 Now if I introduce another parameter in the squid.conf file as below:

 note X-Virus-ID yes p3127

 And I get following in access.log  (so this is definitely not coming
 from my eCap adapter but because of the note directive above)

 1412996265.992  7 10.100.249.11 TAG_NONE/200 0 CONNECT
 www.bwin.com:443 - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A
 1412996266.159 87 10.100.249.11 TAG_NONE/200 1400 GET
 https://www.bwin.com/ - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A



 Now, this makes me feel that annotations from my eCap adapter are not
 travelling to squid for both CONNECT and GET.

 So, would my eCAP adapter have to do something else to let Squid know
 that the annotations it is providing are notes?

 Thanks,
 Jatin


 On Sat, Oct 11, 2014 at 2:18 AM, Alex Rousskov
 rouss...@measurement-factory.com wrote:
 On 10/09/2014 11:57 PM, Jatin Bhasin wrote:

 adaptation_masterx_shared_names X-Virus-ID
 acl toBump note X-Virus-ID yes
 ssl_bump client-first toBump

 OK.


 My eCap adapter functions which returns yes for the X-Virus-ID are:
 =
 const libecap::Area Adapter::Xaction::option(const libecap::Name &name) const
 {
     std::string str = "yes";
     return libecap::Area(str.data(), str.size());
 }

 Two bugs here:

 * You are returning a pointer to str, which is a temporary, on-stack
 storage. Use libecap::Area::FromTempString() instead.

 * You are returning the "yes" value for all option names. The return value
 should be conditional on the name parameter being equal to
 libecap::metaVirusId (X-Virus-ID).

 These two bugs may not actually affect you (for several reasons), but
 you should fix them anyway.


 
 void

Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-23 Thread Jatin Bhasin
Hi Alex,

That will be awesome if that works. I will try this option. 

Thanks,
Jatin

 On 23 Aug 2014, at 10:24, Alex Rousskov rouss...@measurement-factory.com 
 wrote:
 
 On 08/21/2014 07:06 PM, Jatin Bhasin wrote:
 
 So, can somebody suggest whether there is a way to pass a flag to Squid
 from the eCAP adapter to decrypt a site regardless of what the ACL says? For
 example, I have an ACL as below which says do not decrypt
 www.888.com, but could my eCAP adapter pass a message to Squid
 asking it to decrypt www.888.com (for that session only) and ignore
 the below ACL?
 Is it possible?
 
 
 Given a recent-enough Squid version, an adaptation service can control
 Squid behavior via the annotations mechanism and the note ACL
 associated with it. For example, your eCAP adapter can return an
 X-Bump:yes annotation(**) that Squid can then match using the note ACL.
 Something along these untested lines:
 
  acl toBump note X-Bump yes
  ssl_bump server-first toBump
  ssl_bump server-first ...
  ssl_bump none all
 
 This mechanism should be supported for ssl_bump ACLs but I have not
 tested that claim myself.
 
 
 HTH,
 
 Alex.
 (**) In eCAP terminology, an X-Bump:yes annotation is an adapter
 transaction option named X-Bump with a yes value. See
 libecap::Options, which is a parent of libecap::adapter::Xaction.
 


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

Yes, that is the same scenario I have been experiencing, but when
I call the function (x->blockVirgin()) from my eCAP adapter then
Squid does print the access denied page, which is one of my Squid
error pages. So as I see it, Squid does complete the SSL handshake
and then paints the access denied page, which works fine.



But if I try to paint a custom message then squid does not complete
the handshake and just continues to paint the blockpage which then is
rejected by the browser (as browser is expecting a proper handshake
before receiving any response data).

Maybe this is a bug in Squid or I am not doing it right, but it would
be great if somebody can suggest if I am doing something wrong.


Thanks,
Jatin

On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
rafael.akchu...@diladele.com wrote:
 Hello Jatin,

 Maybe this (for ICAP, not for eCAP) describes your issue:
 http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

 Raf
 
 From: Jatin Bhasin jbhasi...@gmail.com
 Sent: Thursday, August 21, 2014 12:47 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does 
 not work

 When I see a CONNECT request in my eCap adapter then if I call
 function blockVirgin then I see a squid ACCESS DENIED page which is
 good.

 But if instead of calling blockVirgin if I generate a CUSTOM response
 message saying YOU ARE NOT AUTHORISED TO VIEW THIS PAGE then build
 response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
 then it fails.

 Although the same code (request satisfaction) works if I build a
 custom response for a GET request.

 Please suggest how can I achieve CUSTOM response for a CONNECT.


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

I wanted to block a particular website based on CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody suggest whether there is a way to pass a flag to Squid
from the eCAP adapter to decrypt a site regardless of what the ACL says? For
example, I have an ACL as below which says do not decrypt
www.888.com, but could my eCAP adapter pass a message to Squid
asking it to decrypt www.888.com (for that session only) and ignore
the below ACL?
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin


On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin jbhasi...@gmail.com wrote:
 Hello,

 Yes, that is the same scenario I have been experiencing, but when
 I call the function (x->blockVirgin()) from my eCAP adapter then
 Squid does print the access denied page, which is one of my Squid
 error pages. So as I see it, Squid does complete the SSL handshake
 and then paints the access denied page, which works fine.



 But if I try to paint a custom message then squid does not complete
 the handshake and just continues to paint the blockpage which then is
 rejected by the browser (as browser is expecting a proper handshake
 before receiving any response data).

 Maybe this is a bug in Squid or I am not doing it right, but it would
 be great if somebody can suggest if I am doing something wrong.


 Thanks,
 Jatin

 On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
 rafael.akchu...@diladele.com wrote:
 Hello Jatin,

 Maybe this (for ICAP, not for eCAP) describes your issue:
 http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

 Raf
 
 From: Jatin Bhasin jbhasi...@gmail.com
 Sent: Thursday, August 21, 2014 12:47 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response 
 does not work

 When I see a CONNECT request in my eCap adapter then if I call
 function blockVirgin then I see a squid ACCESS DENIED page which is
 good.

 But if instead of calling blockVirgin if I generate a CUSTOM response
 message saying YOU ARE NOT AUTHORISED TO VIEW THIS PAGE then build
 response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
 then it fails.

 Although the same code (request satisfaction) works if I build a
 custom response for a GET request.

 Please suggest how can I achieve CUSTOM response for a CONNECT.


Re: [squid-users] https://weather.yahoo.com redirect loop

2014-08-20 Thread Jatin Bhasin
Hi,

Thanks for that. It solved it for me as well. But does anyone know why this loop
happens and how these squid directives resolve the issue?


Thanks,
Jatin

 On 20 Aug 2014, at 16:16, Amm ammdispose-sq...@yahoo.com wrote:
 
 
 On 08/20/2014 10:52 AM, Jatin Bhasin wrote:
 And when I browse to https://weather.yahoo.com then it goes in
 redirect loop. I am using Chrome browser and I get a message at
 the end saying 'This webpage has a redirect loop'.
 
 Happens in 3.4 series too.
 
 I added these in squid.conf as a solution:
 
 via off
 forwarded_for delete
 
 Amm


[squid-users] https://weather.yahoo.com redirect loop

2014-08-19 Thread Jatin Bhasin
Hello All,

I am using SSL Bump in transparent mode in squid 3.3.12. And when I
browse to https://weather.yahoo.com then it goes in a redirect loop.
I am using Chrome browser and I get a message at the end saying 'This
webpage has a redirect loop'.

On checking the developer console I found that response code received
for the GET is 301 Moved Permanently.

But when I go to the same site direct (without squid in the middle)
then it works normally and I see 200 OK for the same GET.


Thanks,
Jatin


[squid-users] Passing Information up to the eCap adapter

2014-07-10 Thread Jatin Bhasin
Hello,

As I understand currently squid can send client IP address up to the eCap
adapter using squid configuration directive *adaptation_send_client_ip.*

I needed more information in my eCap adapter so I changed the squid source
code to be able to send *Client Port, Destination Address and Destination
port* to the eCap adapter.

But now my requirement is to be able to pass *source MAC address and
destination MAC address* as well to the eCap adapter. But I am not able to
understand how I can do it.

Can someone please guide me where should I start looking at in squid source
code so that the MAC address can be passed up to the eCap adapter.


Thanks,
Jatin


Re: [squid-users] Passing Information up to the eCap adapter

2014-07-10 Thread Jatin Bhasin
Hi Antony,

Yes I need the source and destination MAC address of the packet which
is received by squid (I am happy with that).
Also I did think at first that squid would not have access to the
source and destination MAC of the packet as you said that it would
have been stripped off by the networking stack, but then I saw that
squid has acls based on MAC addresses.

Please visit below link:
http://wiki.squid-cache.org/SquidFaq/SquidAcl

* ACL TYPES AVAILABLE *
arp: Ethernet (MAC) address matching


Seeing this I hope that we have MAC address of the packet and so that
I can push that information up to the eCap adapter.

Thanks,
Jatin

On Thu, Jul 10, 2014 at 8:46 PM, Antony Stone
antony.st...@squid.open.source.it wrote:
 On Thursday 10 July 2014 at 12:34:37, Jatin Bhasin wrote:

 Hello,

 As I understand currently squid can send client IP address up to the eCap
 adapter using squid configuration directive *adaptation_send_client_ip.*

 I needed more information in my eCap adapter so I changed the squid source
 code to be able to send *Client Port, Destination Address and Destination
 port* to the eCap adapter.

 But now my requirement is to be able to pass *source MAC address and
 destination MAC address* as well to the eCap adapter. But I am not able to
 understand how I can do it.

 What do you mean by destination MAC address?

 So long as you're aware that this will be the MAC address of the Squid proxy,
 and not the MAC address of the server with the destination IP address, okay,
 but there's no way for a machine to find out the MAC address of another 
 machine
 which is not on its own local subnet.

 That said, I'd be slightly surprised if Squid even knows the MAC addresses
 (they're likely to be stripped off by the networking stack shortly before it
 passes the IP packet to Squid), however I'm happy to be corrected on this by
 someone more familiar with its internals than I am.


 Regards,


 Antony.

 --
 Normal people think "If it ain't broke, don't fix it."
 Engineers think "If it ain't broke, it doesn't have enough features yet."

Please reply to the list;
  please *don't* CC me.


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-10 Thread Jatin Bhasin
Hello,

1) But because of the firewall rule settings, the only way we can connect
to the internet is through PROXY2. PROXY1 will not be allowed to connect
to the internet. So I cannot go to the internet via PROXY1 and still need to
bump the connection to see the decrypted traffic.
So what are my options? Should I be looking towards changing the Squid
code to handle this scenario?


Thanks,
Jatin

On Sun, Jun 8, 2014 at 12:20 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 8/06/2014 10:03 a.m., Jatin Bhasin wrote:
 Hello,

 1) I have to bump the SSL request because I want to pass the decrypted
 traffic to the eCap adapter so that I can look for viruses in the
 traffic and block them if found.

 2) I cannot introduce Proxy1 in the client browser. The only option I
 have is PROXY1 sitting in the middle of Client and PROXY2 and then
 PROXY1 should decrypt the traffic and send it to the ecap adapter for
 virus checking and block them.

 Okay so far so good.

 Use intercept rules in the PROXY1 machines networking stack *without*
 the intercept flag in squid.conf. PROXY1 does not have to do any network
 level un-NAT hacks to process requests destined explicitly to itself or
 any other HTTP proxy.

 You may encounter problems getting the decoded traffic back to PROXY2
 though. The released Squid versions do not yet generate CONNECT requests
 for upstream unless one is intercepting port 443 traffic and *bypassing*
 the ssl-bump.
  PROXY1 will try to use port 443 HTTPS itself.

 Amos


[squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

We have a test set up as below:

Client -- SQUID(PROXY1) -- PROXY2 -- SERVER

In the above set up Client browser is configured to point to PROXY2.
So client sends the CONNECT request to PROXY2.

PROXY1 which is running SQUID is transparently detecting this CONNECTION.

The goal is that PROXY1 should bump the SSL connection between client
and the PROXY2.

Hence, I believe that PROXY1 should send the CONNECT request to PROXY2
and then all the data transfers occurs between PROXY1 and PROXY2.
PROXY1 should then bump the traffic and send it to client.

Is this possible? Please suggest the SQUID(PROXY1) configuration
settings to achieve this.

Thanks,
Jatin


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

1) PROXY2 is not configured to bump the traffic and I cannot remove it
from the set up.
2) PROXY2 is listening on port 3128. I have to intercept proxy port
because all the requests are going to PROXY2  on port 3128 and I have
to bump it.

Currently Client is connecting to PROXY2 and I cannot change
configuration on PROXY2 to bump the traffic neither I can remove it
from the network setup.

So is this all possible?


Thanks,
Jatin

On Sat, Jun 7, 2014 at 11:24 PM, Antony Stone
antony.st...@squid.open.source.it wrote:
 On Saturday 07 June 2014 at 14:16, Jatin Bhasin wrote:

 Hello,

 We have a test set up as below:

 Client -- SQUID(PROXY1) -- PROXY2 -- SERVER

 In the above set up Client browser is configured to point to PROXY2.
 So client sends the CONNECT request to PROXY2.

 PROXY1 which is running SQUID is transparently detecting this CONNECTION.

 1. Why are you using transparent intercept when the client is configured to
 connect to Proxy2?  Why not just let the client connect, and have Proxy1
 ignore it?

 2. What port number/s are you intercepting?  You would normally use
 transparent intercept on ports 80/443, for example, whereas a client-proxy
 connection would be on 3128.  Why intercept the proxy port, instead of just
 the HTTP port?

 The goal is that PROXY1 should bump the SSL connection between client
 and the PROXY2.

 What's the purpose of this?  Why not just connect from the client to proxy2?

 Hence, I believe that PROXY1 should send the CONNECT request to PROXY2
 and then all the data transfers occurs between PROXY1 and PROXY2.
 PROXY1 should then bump the traffic and send it to client.

 Is this possible? Please suggest the SQUID(PROXY1) configuration
 settings to achieve this.

 Regards,


 Antony.

 --
 Black holes are where God divided by zero.

  - Steven Wright

  Please reply to the list;
please don't CC me.


Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

2014-06-07 Thread Jatin Bhasin
Hello,

1) I have to bump the SSL request because I want to pass the decrypted
traffic to the eCap adapter so that I can look for viruses in the
traffic and block them if found.

2) I cannot introduce Proxy1 in the client browser. The only option I
have is PROXY1 sitting in the middle of Client and PROXY2 and then
PROXY1 should decrypt the traffic and send it to the ecap adapter for
virus checking and block them.

 So, client is connecting to Proxy2 with a proxy request - Proxy2 should then
 make the request and return the content.  What's the problem?

Yes PROXY2 is returning the content but that's encrypted and I want to
see decrypted traffic to look for virus in them.


Thanks,
Jatin




On Sun, Jun 8, 2014 at 1:46 AM, Antony Stone
antony.st...@squid.open.source.it wrote:
 On Saturday 07 June 2014 at 14:33, Jatin Bhasin wrote:

 Hello,

 1) PROXY2 is not configured to bump the traffic and I cannot remove it
 from the set up.

 You don't need a bump if the client is configured to use Proxy2 as a proxy.

 2) PROXY2 is listening on port 3128. I have to intercept proxy port
 because all the requests are going to PROXY2  on port 3128 and I have
 to bump it.

 Why do you have to bump it?

 Currently Client is connecting to PROXY2 and I cannot change
 configuration on PROXY2 to bump the traffic neither I can remove it
 from the network setup.

 So, client is connecting to Proxy2 with a proxy request - Proxy2 should then
 make the request and return the content.  What's the problem?

 So is this all possible?

 Sorry, I'm still trying to work out not whether it's possible, but why it's
 necessary.

 A client configured to use a proxy has been able to make SSL/HTTPS requests
 for years - way before Squid's bump feature became available.

 It's only when the proxy (Proxy2 in this case) is configured to intercept
 traffic in transparent mode that you can't proxy HTTPS requests and have to
 handle that traffic some other way, but that doesn't appear to be the
 situation in your case:

  - the client is configured to use a proxy
  - Proxy2 is not running in transparent intercept mode

 so again, what doesn't work, which means you need to introduce Proxy1?


 Antony.

 --
 Tinned food was developed for the British Navy in 1813.

 The tin opener was not invented until 1858.

  Please reply to the list;
please don't CC me.


[squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Hello,

icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);

The above command works fine in squid. But if I run the same command
in my eCap adapter I get an error.
EPERM (Operation not permitted).

Can you please help? Is this related to the way DLLs are handled in Linux?


Thanks,
Jatin


Re: [squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Hello,

Thanks for the response. I have to write an application where I have
to send icmp pings when I receive certain data in my eCap adapter. But
I am stuck at this issue and not able to move forward.

I am running squid with cache_effective_user root. What else would I
have to do to be able to open a socket in my eCAP adapter?


Thanks,
Jatin

On Tue, May 6, 2014 at 9:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 6/05/2014 11:16 p.m., Jatin Bhasin wrote:
 Hello,

 icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);

 The above command works fine in squid. But if I run the same command
 in my eCap adapter I get an error.
 EPERM (Operation not permitted).

 Can you please help? Is this related to the way DLLs are handled in Linux?

 It is related to the application effective user permissions.

 The Squid helper program which that code is in requires to be run with
 root user privileges solely in order to do that. Whereas the main Squid
 binary running your eCAP library is operating under a protected /
 unprivileged user account when it processes HTTP traffic.

 Why are you trying to do ICMP from an eCAP adaptor?

 Amos



Re: [squid-users] Fwd: Squid/Ecap Adapter unable to open RAW Socket

2014-05-06 Thread Jatin Bhasin
Thanks I was able to solve this issue by setting up effective user permissions.

On Tue, May 6, 2014 at 9:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 6/05/2014 11:16 p.m., Jatin Bhasin wrote:
 Hello,

 icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);

 The above command works fine in squid. But if I run the same command
 in my eCap adapter I get an error.
 EPERM (Operation not permitted).

 Can you please help? Is this related to the way DLLs are handled in Linux?

 It is related to the application effective user permissions.

 The Squid helper program which that code is in requires to be run with
 root user privileges solely in order to do that. Whereas the main Squid
 binary running your eCAP library is operating under a protected /
 unprivileged user account when it processes HTTP traffic.

 Why are you trying to do ICMP from an eCAP adaptor?

 Amos