Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Thanks for the reply. That really helped. I had an ACL for network and that
blocked the https traffic coming through. It has been a journey setting it
up. But without you guys' help I think I was not able to do it. Thanks for
all help. Much appreciated.

A few settings that help with debugging and fixing it:

debug_options ALL,9 => full debug
dns_v4_first on => http://www.squid-cache.org/Doc/config/dns_v4_first/
ssl::server_name_regex => http://www.squid-cache.org/Versions/v3/3.5/cfgman/acl.html

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On 17/08/18 20:39, pius wrote:
> Hi Amos,
>
> Thanks for the reply. It makes more things clear.
>
> I do apologize for a Friday message in advance.
>
> I will explain a bit more about my situation. We are using Jfrog artifactory
> in our private network. Artifactory hosts lots of remote repos. We are
> planning to lock down the artifactory using squid. So in my case artifactory
> is the client.
>
> artifactory --> Squid(whitelist) -> Internet
> http (3129) / https (3130)
>
> I followed the steps from your message. I trust the self-signed squid
> certificate in artifactory. Now the error I am getting in artifactory is
>
> "Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
> does not match the certificate subject provided by the peer
> (CN=130.211.20.35)"
>
> Looks like artifactory is requesting repo.jenkins-ci.org to squid without
> enough information about the domain name. May be that is why squid created
> an ssl certificate on behalf of artifactory with an IP address instead of a
> domain name. So how can I map the ip to a domain name ? DNS server ?
>

With the config I provided Squid should only send the custom cert to the
client if there is a problem connecting to the upstream server or your
http_access rules perform a "deny" action.

Are you able to identify which of those is going on? Your Squid access.log
and/or cache.log should have some hints.

Amos
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi Amos,

Thanks for the reply. It makes more things clear.

I do apologize for a Friday message in advance.

I will explain a bit more about my situation. We are using Jfrog artifactory
in our private network. Artifactory hosts lots of remote repos. We are
planning to lock down the artifactory using squid. So in my case artifactory
is the client.

artifactory --> Squid(whitelist) -> Internet
http (3129) / https (3130)

I followed the steps from your message. I trust the self-signed squid
certificate in artifactory. Now the error I am getting in artifactory is

"Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
does not match the certificate subject provided by the peer
(CN=130.211.20.35)"

Looks like artifactory is requesting repo.jenkins-ci.org to squid without
enough information about the domain name. May be that is why squid created
an ssl certificate on behalf of artifactory with an IP address instead of a
domain name. So how can I map the ip to a domain name ? DNS server ?
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On 16/08/18 23:17, Amos Jeffries wrote:
>
> The above config will only whitelist after the server cert is known and
> should terminate TLS without any HTTP(S) error page being delivered to
> clients - but can only do so if http_access does _not_ cause a "deny"
> part way through the handshake (eg from on-whitelisted SNI names).

Sorry that should read: "from non-whitelisted SNI names"

Amos
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On 16/08/18 21:15, pius wrote:
> Hi,
>
> We are planning to control the traffic that goes out from the network. A
> few of them are HTTPS. We managed to whitelist HTTP traffic that is going
> out of the network. And we are really happy about it. Now the only worry we
> have is the HTTPS traffic.
>
> I listen on 2 ports in squid. 3129(HTTP) and 3130 (HTTPS).
>
> When we communicate https traffic to the outside world, we prefer to use
> 3130 so that we will have an end to end encryption. But at the same time, I
> need to whitelist some domain names so that only those domain names can be
> communicated with safely. Is this possible in squid?

Yes, provided that:

1) only the domain name is wanted, and
2 a) the client sends TLS SNI, and
2 b) the server certificate confirms the TLS SNI

In that one case, you can use SSL-Bump peek and splice to retain the
encryption.

  acl whitelist ssl::server_name ...
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2

  ssl_bump peek all
  ssl_bump splice whitelist
  ssl_bump terminate all

NP: you will still have to configure Squid with a self-signed CA cert for
the odd situations when Squid has to 'bump' to deliver errors to the client.

Care also has to be taken to "allow" the CONNECT messages SSL-Bump
processing uses. These may appear in http_access etc. with raw-IP:port only
OR with non-whitelisted domains from TLS SNI.

The above config will only whitelist after the server cert is known and
should terminate TLS without any HTTP(S) error page being delivered to
clients - but can only do so if http_access does _not_ cause a "deny"
part way through the handshake (eg from on-whitelisted SNI names).

BTW; Please also be aware that TLS is *not* "end-to-end". It is only
point-to-point encryption. It is a mistake to think of it as fully
end-to-end. There are very likely multiple HTTP(S) network hops at both
client and server ends which are encrypted differently or unencrypted.

Amos
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi,

We are planning to control the traffic that goes out from the network. A
few of them are HTTPS. We managed to whitelist HTTP traffic that is going
out of the network. And we are really happy about it. Now the only worry we
have is the HTTPS traffic.

I listen on 2 ports in squid. 3129(HTTP) and 3130 (HTTPS).

When we communicate https traffic to the outside world, we prefer to use
3130 so that we will have an end to end encryption. But at the same time, I
need to whitelist some domain names so that only those domain names can be
communicated with safely. Is this possible in squid?
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi,

It will be great if anybody can help. I can see that the client can talk to
squid and squid is communicating to google. But it is responding with an
error.

## Curl Log #
]# curl https://www.google.com -iv
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.204.68...
* Connected to www.google.com (216.58.204.68) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

# access.log #
1534179809.818      0 10.222.17.37 TCP_DENIED/403 3605 CONNECT 216.58.204.68:443 - HIER_NONE/- text/html
1534179809.900      0 10.222.17.37 TAG_NONE/400 0 NONE error:invalid-request - HIER_NONE/- text/html
###
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi,

I made some improvement. I added "ssl_bump splice all" and now it is passing
through step 1, but I can't whitelist the domain I want to connect to through
squid now. I am getting a new error.

## cache.log ###
2018/08/13 13:37:02 kid1| SECURITY ALERT: Host header forgery detected on local=10.222.17.106:3130 remote=10.222.25.60:59108 FD 14 flags=33 (intercepted port does not match 443)
2018/08/13 13:37:02 kid1| SECURITY ALERT: By user agent: curl/7.29.0
2018/08/13 13:37:02 kid1| SECURITY ALERT: on URL: www.google.com:443
2018/08/13 13:37:02 kid1| abandoning local=10.222.17.106:3130 remote=10.222.25.60:59108 FD 14 flags=33
#

Can you please help.
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi,

Thanks for the reply. I haven't got access to logs on the weekend, sorry
about the late reply.

I googled about this error. I got some answers like: the CONNECT message is
in plain text and squid is expecting a TCP communication, and it gets
rejected at a lower level before getting to step 2. I am not sure if that
may be my issue. Please check the logs and let me know what I am doing wrong.

### curl #
* About to connect() to proxy 10.222.17.106 port 3130 (#0)
*   Trying 10.222.17.106...
* Connected to 10.222.17.106 (10.222.17.106) port 3130 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* Connection #0 to host 10.222.17.106 left intact
curl: (56) Recv failure: Connection reset by peer

## access.log
1534148669.183      0 10.222.25.60 TCP_DENIED/200 0 CONNECT 10.222.17.106:3130 - HIER_NONE/- -
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On Fri, 10.08.2018 at 20:28 Alex Rousskov <rouss...@measurement-factory.com> wrote:

> On 08/10/2018 12:05 PM, pius wrote:
> > I am getting the IP address of the client instead of the domain name I
> > requested.
>
> I suspect you are getting your Squid https_port address
> (10.222.17.106:3130) rather than the client IP address (10.222.25.60).
> Logging Squid IP instead of the intended server IP feels wrong to me,
> but that is not why things do not otherwise "work" in your test.
>
> Your test request is probably not getting through because your
> http_access rules (or equivalent) deny the (fake) CONNECT request to
> 216.58.212.100 (or whatever one of the www.google.com server IPs is in
> your environment). Check your access control rules while keeping in mind
> that the initial (i.e. step1) fake CONNECT request on an intercepting
> https_port has nothing but TCP/IP-level information.
>
>
> HTH,
>
> Alex.
>
>
> > I am trying curl -iv https://www.google.com from a client machine
> > (10.222.17.106). I am not getting google.com in the access log and
> > getting TCP_DENIED. Looks like traffic is blocked before checking the
> > certificate( I am not sure ). And HTTP works fine (curl -iv
> > http://www.google.com). I have included LOGs from both requests. Please
> > help.
> >
> > ##
> > HTTPS REQUEST
> > 1533917193.498 0 10.222.25.60 TCP_DENIED/200 0 CONNECT
> > 10.222.17.106:3130 - HIER_NONE/- -
> > ##
> > HTTP REQUEST
> > 1533917208.934 35 10.222.25.60 TCP_MISS/200 11561 GET
> > http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html
> > ##
> >
> > Here is my squid.conf
> > ###
> > http_port 3128
> >
> > http_port 0.0.0.0:3129 ssl-bump \
> > cert=/etc/squid/ssl_cert/cert.pem \
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >
> > https_port 0.0.0.0:3130 ssl-bump intercept \
> > cert=/etc/squid/ssl_cert/cert.pem \
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl ssl_exclude_domains ssl::server_name "/etc/squid/exclude_domains.conf"
> >
> > ssl_bump splice localhost
> > ssl_bump peek step1 all
> > ssl_bump splice ssl_exclude_domains
> > ssl_bump stare step2 all
> > ssl_bump bump all
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On 08/10/2018 01:04 PM, pius wrote:
> I had an ACL whitelist for IPs. I tried the test again removing that.

Sounds more like a blacklist than whitelist if removing the rule _allows_
the request.

> Now I get an error TAG_NONE/200 0 CONNECT.

That is a good sign. The fake CONNECT request was not denied. Please post
all the access.log lines as you did before to show the whole picture. And
what does curl say?

> Still, I am not getting the server IP or domain name and
> got the squid IP instead (10.222.17.106:3130).

Ignore that detail for now.

> Does that mean the request is still blocked in step 1? Or is it that
> Google won't accept the fake CONNECT request?

Neither, and Google does not receive CONNECT requests (fake or real) --
they are handled internally by Squid. Please see the following wiki page
for what is really going on at various steps:

https://wiki.squid-cache.org/Features/SslPeekAndSplice

HTH,

Alex.
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
Hi,

Thanks for the reply. I had an ACL whitelist for IPs. I tried the test again
removing that. Now I get an error TAG_NONE/200 0 CONNECT. Still, I am not
getting the server IP or domain name and got the squid IP instead
(10.222.17.106:3130). Does that mean the request is still blocked in step 1?
Or is it that Google won't accept the fake CONNECT request? I saw
documentation to use a DNS server on the same server as squid.
Re: [squid-users] Have issue with "https_port ssl-bump intercept"
On 08/10/2018 12:05 PM, pius wrote:
> I am getting the IP address of the client instead of the domain name I
> requested.

I suspect you are getting your Squid https_port address
(10.222.17.106:3130) rather than the client IP address (10.222.25.60).
Logging Squid IP instead of the intended server IP feels wrong to me,
but that is not why things do not otherwise "work" in your test.

Your test request is probably not getting through because your
http_access rules (or equivalent) deny the (fake) CONNECT request to
216.58.212.100 (or whatever one of the www.google.com server IPs is in
your environment). Check your access control rules while keeping in mind
that the initial (i.e. step1) fake CONNECT request on an intercepting
https_port has nothing but TCP/IP-level information.


HTH,

Alex.


> I am trying curl -iv https://www.google.com from a client machine
> (10.222.17.106). I am not getting google.com in the access log and
> getting TCP_DENIED. Looks like traffic is blocked before checking the
> certificate( I am not sure ). And HTTP works fine (curl -iv
> http://www.google.com). I have included LOGs from both requests. Please
> help.
>
> ##
> HTTPS REQUEST
> 1533917193.498 0 10.222.25.60 TCP_DENIED/200 0 CONNECT
> 10.222.17.106:3130 - HIER_NONE/- -
> ##
> HTTP REQUEST
> 1533917208.934 35 10.222.25.60 TCP_MISS/200 11561 GET
> http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html
> ##
>
> Here is my squid.conf
> ###
> http_port 3128
>
> http_port 0.0.0.0:3129 ssl-bump \
> cert=/etc/squid/ssl_cert/cert.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> https_port 0.0.0.0:3130 ssl-bump intercept \
> cert=/etc/squid/ssl_cert/cert.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl ssl_exclude_domains ssl::server_name "/etc/squid/exclude_domains.conf"
>
> ssl_bump splice localhost
> ssl_bump peek step1 all
> ssl_bump splice ssl_exclude_domains
> ssl_bump stare step2 all
> ssl_bump bump all
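Alex's point that the step1 fake CONNECT carries nothing but TCP/IP-level information, and Amos's note that http_access must "allow" the CONNECTs SSL-Bump generates, are easiest to see against the access.log lines quoted in this thread. The script below is an added example written for this page; it is not Squid project code and was not posted by anyone in the thread. It parses Squid's native access.log format, labels each CONNECT as a step1 raw-IP CONNECT, a CONNECT that already carries a name (SNI), or a CONNECT aimed at the proxy's own listening socket, and shows why a dstdomain-style domain whitelist can never match a step1 CONNECT. The PROXY_LISTENERS set, the sample whitelist entries, the "own port" heuristic and the dstdomain-style matching rules are assumptions made for the example.

```python
"""Classify CONNECT entries in a Squid native-format access.log by SSL-Bump
step.  Added example for this thread, not Squid project code.

Assumptions not taken from the thread: the log is Squid's default native
format; PROXY_LISTENERS lists the proxy's own listening sockets; whitelist
matching follows dstdomain-style rules (leading dot = domain and subdomains)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the access.log lines quoted in this thread.
SAMPLE_LOG = """\
1533917193.498      0 10.222.25.60 TCP_DENIED/200 0 CONNECT 10.222.17.106:3130 - HIER_NONE/- -
1533917208.934     35 10.222.25.60 TCP_MISS/200 11561 GET http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html
1534179809.818      0 10.222.17.37 TCP_DENIED/403 3605 CONNECT 216.58.204.68:443 - HIER_NONE/- text/html
1534179809.900      0 10.222.17.37 TAG_NONE/400 0 NONE error:invalid-request - HIER_NONE/- text/html
"""

# Assumed: the sockets from the posted squid.conf on host 10.222.17.106.
PROXY_LISTENERS = {"10.222.17.106:3129", "10.222.17.106:3130"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass
class Entry:
    ts: float
    client: str
    tag: str      # Squid result code, e.g. TCP_DENIED
    status: int   # HTTP status, e.g. 200 / 403
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["tag"],
                 int(m["status"]), m["method"], m["url"])


def split_host_port(target: str) -> Tuple[str, Optional[int]]:
    """'host:port' as logged for CONNECT; IPv6 literals are bracketed."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target.strip("[]"), None
    return host.strip("[]"), int(port)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_domain_list(host: str, acl: List[str]) -> bool:
    """dstdomain/ssl::server_name style list: '.example.com' matches the
    domain and its subdomains, 'example.com' only the exact name.  A raw IP
    literal never matches a domain entry, which is the step1 problem."""
    if is_ip_literal(host):
        return False
    host = host.lower().rstrip(".")
    for pattern in acl:
        p = pattern.lower().rstrip(".")
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def classify(e: Entry, listeners=PROXY_LISTENERS) -> str:
    """Label the SSL-Bump stage a CONNECT log line belongs to."""
    if e.method != "CONNECT":
        return "not-connect"
    host, _port = split_host_port(e.url)
    if e.url in listeners:
        # Destination is Squid itself: the real destination was not recovered
        # (client used the intercept port as an explicit proxy, or the NAT
        # lookup failed).  Heuristic for this example, not a Squid diagnostic.
        kind = "connect-to-own-port"
    elif is_ip_literal(host):
        # Step1 fake CONNECT on an intercepting port: only TCP/IP-level
        # information is available, no SNI yet.
        kind = "step1-raw-ip"
    else:
        # A name is present: TLS SNI (step2) or an explicit-proxy CONNECT.
        kind = "step2-sni"
    if e.tag == "TCP_DENIED":
        kind += "-denied"
    return kind


def audit(log_text: str, whitelist: List[str]) -> List[Tuple[str, str, str]]:
    """(url, kind, note) per parsable line; the note says whether a domain
    whitelist evaluated in http_access could have matched this request."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        kind = classify(e)
        if kind.startswith("step1-raw-ip"):
            note = ("domain whitelist cannot match a raw IP at step1; allow the "
                    "CONNECT here and splice/terminate by ssl::server_name at step2")
        elif kind.startswith("step2-sni"):
            host, _ = split_host_port(e.url)
            note = "whitelisted" if matches_domain_list(host, whitelist) else "not whitelisted"
        elif kind.startswith("connect-to-own-port"):
            note = ("destination is the proxy itself; check the NAT redirect and that "
                    "the client is not using the intercept port as an explicit proxy")
        else:
            note = "not an SSL-Bump CONNECT"
        out.append((e.url, kind, note))
    return out


if __name__ == "__main__":
    for url, kind, note in audit(SAMPLE_LOG, [".google.com", "repo.jenkins-ci.org"]):
        print(f"{kind:28} {url:32} {note}")
```

Run against the thread's own lines, the CONNECT to 216.58.204.68:443 is labelled as a denied step1 raw-IP CONNECT, which is the case Alex describes, while the CONNECT logged against 10.222.17.106:3130 is flagged as aimed at the proxy's own port, matching the later curl run that pointed at the intercept port as if it were an explicit proxy.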