Re: [squid-users] New server_name acl causes fatal error starting Squid 3.5.4
I have to ask...what version of Squid are you using? On Wed, May 27, 2015 at 1:41 PM, Mike mmone...@2keys.ca wrote: Stanford Prescott stan.prescott at gmail.com writes: Never mind. I figured the acl out. I was using someone else's instructions who accidentally left out the double :: ssl::server_name using just a single :. I am getting the same thing as you except I don't have the mistake you did. I literally copied your line into my config and it's still bombing out. 2015/05/27 14:38:25| FATAL: Invalid ACL type 'ssl::server_name' FATAL: Bungled /etc/squid/squid.conf line 52: acl nobumpSites ssl::server_name .wellsfargo.com Squid Cache (Version 3.5.4): Terminated abnormally. CPU Usage: 0.006 seconds = 0.002 user + 0.004 sys Maximum Resident Size: 24112 KB Page faults with physical i/o: 0 I'm about to just give up on squid..losing my mind. Any ideas? On Wed, May 20, 2015 at 12:36 PM, Stanford Prescott stan.prescott at gmail.com wrote: After a diversion getting SquidClamAV working, i am back to trying to get peek and splice working. I am trying to put together information from previous recommendations I have received. Right now, I can't get the server_name acl working. When I put this in my squid.confacl nobumpSites ssl:server_name .example.com I get a fatal error starting squid using that acl saying the acl is Bungled. Is the form of the acl incorrect? ___ squid-users mailing list squid-users at lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Ssl-bump deep dive (testing)
So I took the advice of those here to get explicit working first, so here's my first attempt. My test environment is Ubuntu 15.04 Server as the squid server with virtualbox running on it with Kali linux as the client. Here's my Squid 3.5.4 configure line: /configure --prefix=/opt --enable-icap-client --with-openssl --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-follow-x-forwarded-for --with-large-files --sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none Full squid.conf: # acl localnet src 192.168.1.0/24 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT http_access allow all sslproxy_cert_error allow all sslproxy_cert_error deny all sslproxy_capath /etc/ssl/certs sslproxy_flags DONT_VERIFY_PEER sslproxy_options ALL sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB sslcrtd_children 5 http_port 3129 ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE external_acl_type sni ttl=30 concurrency=10 children-max=20 children-startup=5 %ssl::sni /opt/etc/squid/bumphelper.py acl sni_exclusions external sni acl tcp_level at_step SslBump1 acl client_hello_peeked at_step SslBump2 ssl_bump peek tcp_level all ssl_bump splice client_hello_peeked sni_exclusions ssl_bump bump all logformat mine %a %[ui %[un [%tl] %rm %ru HTTP/%rv %Hs %st %Ss:%Sh %ssl::bump_mode %ssl::sni %ssl::cert_subject access_log syslog:daemon.info mine refresh_pattern -i (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 coredump_dir /opt/var # bumphelper.py: # #!/usr/bin/python import sys while True: req = sys.stdin.readline() if not req: break id, sni = req.split() sys.stderr.write('request %r\n' % req) sys.stderr.flush() if sni == 'google.com': # bypass sys.stdout.write('{} OK\n'.format(id)) sys.stdout.flush() else: sys.stdout.write('{} ERR\n'.format(id)) sys.stdout.flush() # The tests: root@kali:~/test# wget -d https://www.google.com ## DEBUG output created by Wget 1.13.4 on linux-gnu. URI encoding = `UTF-8' URI encoding = `UTF-8' --2015-05-28 17:44:31-- https://www.google.com/ Connecting to 192.168.1.6:3129... connected. Created socket 4. Releasing 0x092c6730 (new refcount 0). Deleting unused 0x092c6730. ---request begin--- CONNECT www.google.com:443 HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) ---request end--- proxy responded with: [HTTP/1.1 200 Connection established ] ---request begin--- GET / HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) Accept: */* Host: www.google.com Connection: Close Proxy-Connection: Keep-Alive ---request end--- Proxy request sent, awaiting response... ---response begin--- HTTP/1.1 503 Service Unavailable Server: squid/3.5.4 Mime-Version: 1.0 Date: Thu, 28 May 2015 23:44:33 GMT Content-Type: text/html;charset=utf-8 Content-Length: 3899 X-Squid-Error: ERR_SECURE_CONNECT_FAIL 32 Vary: Accept-Language Content-Language: en X-Cache: MISS from analysis Via: 1.1 analysis (squid/3.5.4) Connection: close ---response end--- 503 Service Unavailable URI content encoding = `utf-8' 2015-05-28 17:44:32 ERROR 503: Service Unavailable. access.log entry for the above wget: # May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] CONNECT www.google.com:443 HTTP/1.1 200 0 TAG_NONE:HIER_DIRECT peek www.google.com - May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33 -0600] GET https://www.google.com/ HTTP/1.1 503 4242 TAG_NONE:HIER_NONE - www.google.com - # sudo /opt/sbin/squid -d 1 -N -f /opt/etc/squid/squid.conf ## 2015/05/28 17:44:33| Error negotiating SSL on FD 14: error::lib(0):func(0):reason(0) (5/-1/32) ## I see the same type of thing for apple.com and yahoo.com. I'm assuming this is HSTS, but I could be wrong. MSN however works fine with the above: root@kali:~/test# wget -d https://www.msn.com ## DEBUG output created by Wget 1.13.4 on linux-gnu. URI encoding = `UTF-8' URI encoding = `UTF-8' --2015-05-28 18:24:50-- https://www.msn.com/ Connecting to 192.168.1.6:3129... connected. Created socket 4. Releasing 0x0a6493c0 (new refcount 0). Deleting unused 0x0a6493c0. ---request begin--- CONNECT www.msn.com:443 HTTP/1.1 User-Agent: Wget/1.13.4 (linux-gnu) ---request end--- proxy responded with: [HTTP/1.1 200 Connection established ] ---request begin--- GET / HTTP/1.1
Re: [squid-users] Logformat tag for a specific ACL
Yes, but not to the same log file. Like this: access_log daemon:/var/log/squid/access.log squid !test access_log daemon:/var/log/squid/access_test.log fred test Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users Thank Amos, This should be a great feature, for debugging or tag the web filtering (ports, website, mp3, etc) Fo example, actually with many complex rules the return code 403 is not enough explicit, which rules or acl ?, and create a log file for each ACL is not a great solution (but in my case yes :) thank again ) Fred ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid 3.5.4 OpenBSD workers registration timed out
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, after having trouble with rock storage I try to run squid without cache_dir but with workers enabled. I run into the same kidx registration timed out trouble as before [1]. I just enabled workers 2 which works perfectly on a Linux box but fails on OpenBSD. Is there anything OS-specific to consider? Which Information do you need for debugging? In the log I find this: May 28 10:59:22 squid02 squid[12204]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:22 squid02 squid[32101]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:22 squid02 squid[12204]: Service Name: squid May 28 10:59:22 squid02 squid[32101]: Service Name: squid May 28 10:59:22 squid02 squid[12204]: Process ID 12204 May 28 10:59:22 squid02 squid[32101]: Process ID 32101 May 28 10:59:22 squid02 squid[32101]: Process Roles: worker May 28 10:59:22 squid02 squid[12204]: Process Roles: coordinator May 28 10:59:22 squid02 squid[32101]: With 8192 file descriptors available May 28 10:59:22 squid02 squid[12204]: With 8192 file descriptors available May 28 10:59:22 squid02 squid[16324]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:22 squid02 squid[16324]: Service Name: squid May 28 10:59:22 squid02 squid[16324]: Process ID 16324 May 28 10:59:22 squid02 squid[16324]: Process Roles: worker May 28 10:59:22 squid02 squid[16324]: With 32768 file descriptors available May 28 10:59:22 squid02 squid[12204]: Squid plugin modules loaded: 0 May 28 10:59:22 squid02 squid[32101]: Squid plugin modules loaded: 0 May 28 10:59:22 squid02 squid[16324]: Squid plugin modules loaded: 0 May 28 10:59:28 squid02 squid[32101]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:28 squid02 squid[32101]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:28 squid02 squid[32101]: kid2 registration timed out May 28 10:59:28 squid02 squid[16324]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:28 squid02 squid[16324]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:28 squid02 squid[16324]: kid1 registration timed out May 28 10:59:31 squid02 squid[10011]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:31 squid02 squid[10011]: Service Name: squid May 28 10:59:31 squid02 squid[10011]: Process ID 10011 May 28 10:59:31 squid02 squid[10011]: Process Roles: worker May 28 10:59:31 squid02 squid[10011]: With 8192 file descriptors available May 28 10:59:31 squid02 squid[10011]: Squid plugin modules loaded: 0 May 28 10:59:34 squid02 squid[3647]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:34 squid02 squid[3647]: Service Name: squid May 28 10:59:34 squid02 squid[3647]: Process ID 3647 May 28 10:59:34 squid02 squid[3647]: Process Roles: worker May 28 10:59:34 squid02 squid[3647]: With 32768 file descriptors available May 28 10:59:34 squid02 squid[3647]: Squid plugin modules loaded: 0 May 28 10:59:37 squid02 squid[10011]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:37 squid02 squid[10011]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:37 squid02 squid[10011]: kid2 registration timed out May 28 10:59:40 squid02 squid[3647]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:40 squid02 squid[3647]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:40 squid02 squid[3647]: kid1 registration timed out May 28 10:59:40 squid02 squid[14886]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:40 squid02 squid[14886]: Service Name: squid May 28 10:59:40 squid02 squid[14886]: Process ID 14886 May 28 10:59:40 squid02 squid[14886]: Process Roles: worker May 28 10:59:40 squid02 squid[14886]: With 8192 file descriptors available May 28 10:59:40 squid02 squid[14886]: Squid plugin modules loaded: 0 May 28 10:59:43 squid02 squid[11132]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:43 squid02 squid[11132]: Service Name: squid May 28 10:59:43 squid02 squid[11132]: Process ID 11132 May 28 10:59:43 squid02 squid[11132]: Process Roles: worker May 28 10:59:43 squid02 squid[11132]: With 32768 file descriptors available May 28 10:59:43 squid02 squid[11132]: Squid plugin modules loaded: 0 May 28 10:59:46 squid02 squid[14886]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:46 squid02 squid[14886]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:46 squid02 squid[14886]: kid2 registration timed out May 28 10:59:49 squid02 squid[11132]: Closing HTTP port 127.0.0.1:3128 May 28 10:59:49 squid02 squid[11132]: Closing HTTP port 172.19.13.3:3128 May 28 10:59:49 squid02 squid[11132]: kid1 registration timed out May 28 10:59:49 squid02 squid[2527]: Starting Squid Cache version 3.5.4 for x86_64-unknown-openbsd5.7... May 28 10:59:49 squid02 squid[2527]: Service Name: squid May 28 10:59:49 squid02 squid[2527]: Process ID 2527 May 28 10:59:49 squid02 squid[2527]: Process Roles: worker May 28 10:59:49 squid02 squid[2527]: With 8192 file descriptors available May 28
Re: [squid-users] Ssl-bump deep dive (self-signed certs in chain)
Thanks for this AmosI will try and do more experimenting this week with more results. James On Tue, 2015-05-26 at 19:46 +1200, Amos Jeffries wrote: On 26/05/2015 4:26 a.m., James Lay wrote: So following advice and instructions on this page: http://wiki.squid-cache.org/Features/DynamicSslCert I have set up my lab with explicit proxy by exporting http_proxy and https_proxy. After creating the self-signed root CA certificate above and creating the .der file for the client, here are my results: From the squid side: 2015/05/25 10:02:20.161| Using certificate in /opt/etc/squid/certs/SquidCA.pem 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain: Certificate is self-signed, will not be chained I get the below when I don't specify a CA with curl, otherwise when I do I get no error: 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) If that error is displayed by Squid about the clients connection. Then I believe it means the client is attempting to perform TLS authentication to Squid using the CA you installed there. Which is not possible as the CA is supposed to make the client trust Squid generated certs, not the other way around. And from the client side: root@kali:~/test# curl -v https://mail.slave-tothe-box.net * About to connect() to proxy 192.168.1.9 port 3129 (#0) * Trying 192.168.1.9... * connected * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0) * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1 Host: mail.slave-tothe-box.net:443 User-Agent: curl/7.26.0 Proxy-Connection: Keep-Alive * Easy mode waiting response from proxy CONNECT HTTP/1.1 200 Connection established * Proxy replied OK to CONNECT request * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem: self signed certificate in certificate chain * Closing connection #0 And testing with specifying the .der file: root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v https://mail.slave-tothe-box.net * About to connect() to proxy 192.168.1.9 port 3129 (#0) * Trying 192.168.1.9... * connected * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0) * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443 CONNECT mail.slave-tothe-box.net:443 HTTP/1.1 Host: mail.slave-tothe-box.net:443 User-Agent: curl/7.26.0 Proxy-Connection: Keep-Alive * Easy mode waiting response from proxy CONNECT HTTP/1.1 200 Connection established * Proxy replied OK to CONNECT request * error setting certificate verify locations: CAfile: /etc/ssl/certs/SquidCA.der CApath: /etc/ssl/certs * Closing connection #0 curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/SquidCA.der CApath: /etc/ssl/certs I can confirm that the server is using a bona-fide certificate issued from StartSSL and works, so at this point I'm open to suggestions. Thank you. curl is complaining that the CA chain for the Squid-generted cert has a self-signed CA. This is expected and desired behaviour if the self-signed CA was sent by Squid. The errors only occur when the self-signed CA is not sent by Squid, but using the one installed on the client. For that I believe you need to configure Squid to sign/generate using the intermediate certificate. The self-signed root CA not configured in Squid at all. Like so: A) client Trust DB installed with self-signed root CA squid.conf cert= configured with intermediary CA certificate squid.conf cafile= configured with any other intermediary CA certificates (in order back to root CA, but excluding it). Squid generates per-connection certificate OR: B) client Trust DB installed with self-signed root CA squid.conf cert= configured with self-signed root CA Squid generates per-connection certificate Note that in (B) there is no intermediary certificate at all, and Squid does not emit any CA chain to the client. It works exactly the same way as the globally trusted CA do. But they are contractually obliged to refuse giving out intermediary CA for anyones use, or loose their status as trusted CA. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users