Hi
I installed Squid 3.5.25 on Debian, together with libecap3.

Now my old squid.conf from v3.48 no longer works for redirected HTTPS websites.
I get SSL_ERROR_RX_RECORD_TOO_LONG in Firefox.
Before, I redirected them with Shorewall, and that worked with v3.48:
#SQUID-PORTS
# Shorewall REDIRECT rules (columns: ACTION SOURCE DEST-port PROTO DPORT SPORT ORIGDEST):
# traffic from zone "loc" to tcp/https is sent to local port 3140 (the https_port
# with "intercept" in squid.conf), tcp/www to local port 3139 (the http_port with
# "intercept"); "-" leaves SPORT unrestricted and "!192.168.1.254" excludes
# connections whose original destination is 192.168.1.254 — presumably the router
# itself, so its own services are not pulled into the proxy (verify against the
# Shorewall rules(5) column layout of the installed version).
REDIRECT    loc    3140    tcp    https    -    !192.168.1.254
REDIRECT    loc    3139    tcp    www    -    !192.168.1.254


If I change https_port to http_port and remove the intercept option for ssl_bump, it works for explicitly configured clients on that port, even for the Gmail website.
What do I need to change to make Squid 3.5 work transparently?

squid -v
Squid Cache: Version 3.5.25
Service Name: squid
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--disable-ipv6' '--with-default-user=proxy' '--with-logdir=/var/log/squid35' '--with-pidfile=/var/run/squid35.pid' '--with-openssl' '--enable-ssl-crtd' '--infodir=/share/info' '--includedir=/include' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-filedescriptors=65536' '--with-large-files' '--enable-linux-netfilter' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'

cat /etc/squid/squid.conf:
# Debug level 6 for every section is very verbose and writes connection and
# request details for all (including bumped) traffic to cache.log; it is only
# appropriate while troubleshooting — return to ALL,1 once the issue is found.
debug_options ALL,6
#0 26,2 83,2 33,2 17,2 44,2
# Custom access.log format; %>a is the client address, %[un the authenticated
# user name, %>ru the request URL, %<a the server address (see logformat docs).
logformat datetime  %tl %6tr CLIENT:%>a = = %Ss %<Hs %rm=%>ru --%[un %Sh/%<a %mt
access_log  /var/log/squid35/access.log datetime
# "on" appends the real client address to X-Forwarded-For on requests sent
# upstream, disclosing internal 192.168.1.x addresses to origin servers;
# use "off" or "delete" if that is not intended.
forwarded_for on
error_directory /usr/share/squid/errors/de-de/
# Client network allowed to use the proxy (see http_access allow localnet).
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# http_access rules are evaluated in order; the first matching rule wins.
# Deny non-standard destination ports and CONNECT to anything but 443 first.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager interface: only from the proxy host itself.
http_access allow localhost manager
http_access deny manager
# Blocks requests to loopback destinations, so clients cannot reach services
# bound to 127.0.0.1 on the router (e.g. the ICAP scanner below) via the proxy.
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
# http_reply_access controls the reply phase only; it does not weaken the
# final "deny all" on the request side below.
http_reply_access allow all
http_access deny all
icp_access allow localnet
icp_access deny all
### NEW for v3.5x SSL-Bump ###
# Always fetch directly from origin servers (no cache_peer is defined here anyway).
always_direct allow all
# SslBump steps: 1 = client TLS hello received, 2 = server certificate received,
# 3 = final decision. "step3" is defined but not referenced by any rule below.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Tunnel (never decrypt) TLS connections originating from the proxy host itself.
ssl_bump splice localhost
#acl exclude_sites ssl::server_name_regex -i "/var/lib/squidguard/db/BL/whitelist-ssl/whitelist.destdomainlist"
# Step 1: peek at the ClientHello (SNI) while keeping both splice and bump possible.
ssl_bump peek step1 all
#ssl_bump splice exclude_sites
# If the exclude_sites splice rule above is re-enabled it must stay in front of
# the stare rule: once a connection has been stared at in step 2, splicing it
# is no longer possible.
# Step 2: stare at the server certificate, committing to bump.
ssl_bump stare step2 all
# Everything else is decrypted with a mimic certificate signed by the CA in
# cert= on https_port; clients must trust that CA, and sites relying on
# certificate pinning or client certificates may fail through this path.
ssl_bump bump all
#############################
# Plain forward-proxy port for explicitly configured clients.
http_port 0.0.0.0:3138
# NAT-intercepted HTTP (target of the Shorewall REDIRECT to 3139); intercept
# ports must only receive redirected traffic, not explicit proxy requests.
http_port 0.0.0.0:3139 intercept
# Rewrite the generated certificate's CN when the origin certificate's name
# does not match the requested domain.
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
# NAT-intercepted HTTPS (target of the Shorewall REDIRECT to 3140) with dynamic
# certificate generation. /etc/squid/myca.pem must contain the CA private key
# and should be readable only by the cache_effective_user (proxy) — it can sign
# for any host name. Both intercept ports listen on all interfaces; the
# http_access rules above are what restricts them to localnet.
https_port 0.0.0.0:3140 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/myca.pem
# OpenSSL options for the proxy-to-server side: SSLv2 and SSLv3 are disabled.
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# CA directory used to validate origin server certificates on the bumped
# server-side connection.
sslproxy_capath /etc/ssl/certs
##sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Certificate generator helper; -s names the on-disk certificate database
# (initialized with "ssl_crtd -c -s <dir>" and writable by user proxy), -M its size.
sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 16MB
sslcrtd_children 10
# HTTP object cache (100 MB, 16 L1 / 256 L2 subdirectories). Despite its name this
# is NOT the certificate database (that is /var/spool/squid_ssldb above), and a
# cache directory under /etc is unusual; /var/spool/squid is the conventional place.
cache_dir ufs /etc/squid/ssl_db 100 16 256
cache_mgr admin@mainrouter
# Host name shown in error pages (appears redacted in this listing).
visible_hostname xxx
# Hide the Squid version string from error pages and response headers.
httpd_suppress_version_string on
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
# NOTE(review): the catch-all pattern is missing here; the usual default line is
# "refresh_pattern . 0 20% 4320" — confirm whether the "." was lost when pasting.
refresh_pattern                0       20%     4320
cache_effective_user proxy
# ICAP (squidclamav) content scanning. The client IP and user name are passed
# to the service, which runs locally on 127.0.0.1:1344.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# bypass=0: if the ICAP service is unavailable or fails, the request is refused
# (fail closed) instead of being passed through unscanned.
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
# URL filter/rewrite helper (squidGuard); "redirect_program" is the older name
# of url_rewrite_program.
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
cache_effective_group proxy
# Overrides /etc/resolv.conf: Squid's own lookups (one per bumped host name)
# are sent in clear text to Google's public resolver rather than a local one.
dns_nameservers 8.8.8.8
########## END of squid.conf#######################

If I run "squid -NYCd1" as root I get:

root@Router:/# squid -NYCd1
2017/05/28 16:07:54| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
2017/05/28 16:07:54.922| Set Current Directory to /var/spool/squid
2017/05/28 16:07:54.922| Starting Squid Cache version 3.5.25 for x86_64-pc-linux-gnu...
2017/05/28 16:07:54.922| Service Name: squid
2017/05/28 16:07:54.922| Process ID 25773
2017/05/28 16:07:54.922| Process Roles: master worker
2017/05/28 16:07:54.922| With 65536 file descriptors available
2017/05/28 16:07:54.922| Initializing IP Cache...
2017/05/28 16:07:54.924| DNS Socket created at 0.0.0.0, FD 9
2017/05/28 16:07:54.924| Adding nameserver 8.8.8.8 from squid.conf
2017/05/28 16:07:54.924| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2017/05/28 16:07:54.949| helperOpenServers: Starting 0/20 'squidGuard' processes
2017/05/28 16:07:54.949| helperOpenServers: No 'squidGuard' processes needed.
2017/05/28 16:07:55.007| Logfile: opening log /var/log/squid35/access.log
2017/05/28 16:07:55.007| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid35/access.log'
2017/05/28 16:07:55.270| Unlinkd pipe opened on FD 25
2017/05/28 16:07:55.274| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/05/28 16:07:55.275| Store logging disabled
2017/05/28 16:07:55.275| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2017/05/28 16:07:55.275| Target number of buckets: 1402
2017/05/28 16:07:55.275| Using 8192 Store buckets
2017/05/28 16:07:55.275| Max Mem  size: 262144 KB
2017/05/28 16:07:55.275| Max Swap size: 102400 KB
2017/05/28 16:07:55.277| Rebuilding storage in /etc/squid/ssl_db (clean log)
2017/05/28 16:07:55.277| Using Least Load store dir selection
2017/05/28 16:07:55.277| Set Current Directory to /var/spool/squid
2017/05/28 16:07:55.691| Finished loading MIME types and icons.
2017/05/28 16:07:55.693| HTCP Disabled.
2017/05/28 16:07:55.696| Pinger socket opened on FD 32
2017/05/28 16:07:55.698| Squid plugin modules loaded: 0
2017/05/28 16:07:55.698| Adaptation support is on
2017/05/28 16:07:55.701| Accepting HTTP Socket connections at local=0.0.0.0:3138 remote=[::] FD 28 flags=9
2017/05/28 16:07:55.702| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3139 remote=[::] FD 29 flags=41
2017/05/28 16:07:55.702| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3140 remote=[::] FD 30 flags=41
2017/05/28 16:07:57.157| Store rebuilding is 84.50% complete
2017/05/28 16:07:57.432| Done reading /etc/squid/ssl_db swaplog (4733 entries)
2017/05/28 16:07:57.432| Finished rebuilding storage from disk.
2017/05/28 16:07:57.432|      4733 Entries scanned
2017/05/28 16:07:57.432|         0 Invalid entries.
2017/05/28 16:07:57.432|         0 With invalid flags.
2017/05/28 16:07:57.432|      4733 Objects loaded.
2017/05/28 16:07:57.432|         0 Objects expired.
2017/05/28 16:07:57.432|         0 Objects cancelled.
2017/05/28 16:07:57.432|         0 Duplicate URLs purged.
2017/05/28 16:07:57.432|         0 Swapfile clashes avoided.
2017/05/28 16:07:57.432|   Took 2.16 seconds (2196.06 objects/sec).
2017/05/28 16:07:57.432| Beginning Validation Procedure
2017/05/28 16:07:57.801|   Completed Validation Procedure
2017/05/28 16:07:57.801|   Validated 4732 Entries
2017/05/28 16:07:57.801|   store_swap_size = 92108.00 KB
2017/05/28 16:07:59.557| storeLateRelease: released 0 objects
2017/05/28 16:07:59.706| Starting new redirector helpers...
2017/05/28 16:07:59.706| helperOpenServers: Starting 1/20 'squidGuard' processes
2017/05/28 16:07:59.739| Starting new redirector helpers...
2017/05/28 16:07:59.739| helperOpenServers: Starting 1/20 'squidGuard' processes
2017/05/28 16:07:59.756| abandoning local=104.86.49.182:443 remote=192.168.1.8:41991 FD 19 flags=33
.....
2017/05/28 16:08:11.844| abandoning local=104.86.40.45:443 remote=192.168.1.8:42080 FD 80 flags=33
^C << stopped manually here
2017/05/28 16:08:14| Preparing for shutdown after 50 requests
2017/05/28 16:08:14| Waiting 0 seconds for active connections to finish
2017/05/28 16:08:14| Closing HTTP port 0.0.0.0:3138
2017/05/28 16:08:14.101| Closing HTTP port 0.0.0.0:3139
2017/05/28 16:08:14.101| Closing HTTPS port 0.0.0.0:3140
2017/05/28 16:08:14.101| Closing Pinger socket on FD 32
2017/05/28 16:08:15.114| Shutdown: NTLM authentication.
2017/05/28 16:08:15.114| Shutdown: Negotiate authentication.
2017/05/28 16:08:15.114| Shutdown: Digest authentication.
2017/05/28 16:08:15.114| Shutdown: Basic authentication.
2017/05/28 16:08:15.115| Shutting down...
2017/05/28 16:08:15.597| Closing unlinkd pipe on FD 25
2017/05/28 16:08:15.597| storeDirWriteCleanLogs: Starting...
2017/05/28 16:08:15.600|   Finished.  Wrote 4733 entries.
2017/05/28 16:08:15.600|   Took 0.00 seconds (1619226.82 entries/sec).
2017/05/28 16:08:15.600| Logfile: closing log stdio:/var/log/squid35/access.log
2017/05/28 16:08:15.600| Open FD UNSTARTED     0 stdin
2017/05/28 16:08:15.600| Open FD UNSTARTED     1 stdout
2017/05/28 16:08:15.600| Open FD UNSTARTED     2 stderr
2017/05/28 16:08:15.600| Open FD READ/WRITE    9 DNS Socket IPv4
2017/05/28 16:08:15.600| Open FD UNSTARTED    10 ssl_crtd #1
2017/05/28 16:08:15.600| Open FD UNSTARTED    12 ssl_crtd #2
2017/05/28 16:08:15.600| Open FD UNSTARTED    14 ssl_crtd #3
2017/05/28 16:08:15.600| Open FD READ/WRITE   15 127.0.0.1
2017/05/28 16:08:15.600| Open FD UNSTARTED    16 ssl_crtd #4
2017/05/28 16:08:15.600| Open FD UNSTARTED    18 ssl_crtd #5
2017/05/28 16:08:15.600| Open FD READ/WRITE   24 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE   26 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE   27 127.0.0.1
2017/05/28 16:08:15.600| Open FD READ/WRITE   31 squidGuard #1
2017/05/28 16:08:15.600| Open FD READ/WRITE   33 squidGuard #1
2017/05/28 16:08:15.600| Open FD READ/WRITE   53 127.0.0.1
2017/05/28 16:08:15.608| Squid Cache (Version 3.5.25): Exiting normally.

