Re: [squid-users] Does Squid support client ssl termination?

2022-10-26 Thread Grant Taylor

On 10/26/22 10:43 AM, mingheng wang wrote:

> Hello all,


Hi,

> Since ssl_bump can generate self-signed certificates on the fly, I
> wonder if this setup is possible, or even just in theory:
> clients with necessary root CA installed connect to a local Squid. With
> ssl_bump and self-signed certs,


I'm with you so far.  I've got such a Monkey in the Middle here at the 
house.



> it always talks with the clients over HTTPS,


Please clarify / confirm if you're talking about HTTPS protection of the 
client to squid connection.  --  I ask because not all clients natively 
/ easily support HTTPS connection to Squid.


N.B. the connection between the client and Squid is completely 
independent of the connection between Squid and the next upstream server.



> making clients believe their connections are secure;


This is the biggest hang up for me.  --  I don't think that the HTTPS 
communications with Squid in and of itself will cause clients to think 
that an insecure site is actually secure.


My client doesn't show that it has a secure connection to neverssl.com 
which doesn't support HTTPS (by design) despite communicating with Squid 
via HTTPS.


> the local Squid then forwards the connections to a parent Squid server,
> which however, will only send data back in plain HTTP, i.e. in clear
> text, akin to a reverse proxy with ssl termination to its proxied site.


Okay.  I'm not sure why you would not have encryption on the downstream 
child Squid to the upstream parent Squid, but that's your choice.


> my goals are to cache data/modify requests even when connecting to
> https only sites,


Squid's TLS Monkey in the Middle should cache things without any 
problem.  So I don't see the need to do anything extra for this.


> while avoiding using self-signed certs to encrypt connections over the
> Internet,


I have no idea where the downstream child Squid is that's doing TLS 
MitM.  Nor do I have any idea where the upstream parent Squid is.  So I 
can't really comment about locality / Internet.


> because this way, I can chain an https proxy with trusted certs
> in between.


"Trusted certs" is sort of ambiguous in this case as your TLS MitM 
/clients/ *trust* the root cert that the downstream child Squid is using.


I see no reason why you can't use similar methodology to protect the 
communications between the downstream child Squid to the upstream parent 
Squid.  --  Independent of who the cert used by the upstream parent 
Squid is from.


If the downstream child Squid has the root CA that signed the upstream 
parent Squid's TLS certificate in the downstream child Squid root CA 
store, then the connection between the two Squids is trusted.  Even if 
there are no public CAs involved.  }:-)




--
Grant. . . .
unix || die



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
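The two-hop trust model Grant describes, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project: the child Squid bumps client TLS with a CA the clients already trust, and verifies the parent Squid's certificate against a second, private CA. Hostnames, ports and file paths are placeholders; the directive names are Squid 4/5 syntax (`tls-cert=`, `tls-cafile=`, `tls-default-ca=`), and the certgen helper path differs between distributions.

```conf
# ---- child (downstream) Squid, the one the clients talk to ----

# Explicit proxy port with SSL-Bump. Clients have /etc/squid/ca/mitm-ca.pem
# installed as a trusted root, so the per-site certificates Squid generates
# on the fly are accepted. (Paths are placeholders for this example.)
http_port 3128 ssl-bump tls-cert=/etc/squid/ca/mitm-ca.pem tls-key=/etc/squid/ca/mitm-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Parent hop: speak TLS to the parent and verify its certificate against the
# parent's own (private) CA only. tls-default-ca=off keeps the system CA
# bundle out of the decision, so this peer is trusted exactly because it
# presents a certificate chaining to parent-ca.pem, not because any public
# CA vouched for it. The peer hostname must match the certificate's name.
cache_peer parent.example.internal parent 3129 0 no-query default tls tls-cafile=/etc/squid/ca/parent-ca.pem tls-default-ca=off

# Route everything through the parent; never contact origin servers directly.
never_direct allow all

# ---- parent (upstream) Squid ----

# Accept the child's connections over TLS using a certificate issued by the
# private parent CA above. Plain http_port would give the cleartext hop the
# original poster described; https_port keeps the inter-proxy link encrypted.
https_port 3129 tls-cert=/etc/squid/ca/parent-squid.pem tls-key=/etc/squid/ca/parent-squid.key
```

The two CAs are deliberately independent: the bumping CA is trusted only by the clients, and the parent CA only by the child Squid's `cache_peer` line, so compromise of either private key does not extend trust across the other hop. Whether the parent's certificate comes from a public CA or a private one is irrelevant to the child, as long as the issuing CA is the one named in `tls-cafile=`.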


[squid-users] Does Squid support client ssl termination?

2022-10-26 Thread mingheng wang
Hello all,
  Since ssl_bump can generate self-signed certificates on the fly, I wonder
if this setup is possible, or even just in theory:
clients with necessary root CA installed connect to a local Squid. With
ssl_bump and self-signed certs, it always talks with the clients over
HTTPS, making clients believe their connections are secure; the local Squid
then forwards the connections to a parent Squid server, which however, will
only send data back in plain HTTP, i.e. in clear text, akin to a reverse
proxy with ssl termination to its proxied site.

  my goals are to cache data/modify requests even when connecting to https
only sites, while avoiding using self signed certs to encrypt connections
over the Internet, because this way, I can chain an https proxy with
trusted certs in between.


Re: [squid-users] ACL based DNS server list

2022-10-26 Thread Alex Rousskov

On 10/25/22 21:27, Sneaker Space LTD wrote:

Is there a way to use specific DNS servers based on the user or 
connecting IP address that is making the connection by using acls or any 
other method? If so, can someone send an example.


One can write an external ACL helper that will use whatever DNS servers 
it wants. The helper can receive the user name or client-Squid 
connection IP address(es) as transaction input. The helper can make 
match/mismatch decisions and can annotate the transaction as needed.


There is currently no way to configure Squid to select DNS resolvers 
based on transaction properties.



HTH,

Alex.



Re: [squid-users] Empty transfer-encoding header causes 502 response

2022-10-26 Thread Alex Rousskov

On 10/25/22 20:55, Matthew H wrote:


I have included the requested output from tcpdump below:


Thank you! This raw output is sufficient to determine that no transfer 
encoding was used by this buggy origin server. I have updated the GitHub 
comment/summary accordingly.


N.B. In the future, please consider sharing libpcap packet captures 
instead of raw tcpdump console output. It is not necessary to re-share 
anything now.


FWIW, I am not aware of any official Squid workarounds for this origin 
server bug. Some of the features Factory is currently working on will be 
useful here, but they are not yet ready for the official submission. One 
can remove the corresponding check from Squid source code, of course, 
but doing so will open modified Squid (and other HTTP agents) to serious 
security vulnerabilities, so I cannot recommend such a blunt workaround.


Alex.


  tcpdump -A -s 0 -ni enp4s0 "host 159.203.14.9 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes


01:40:17.310479 IP 10.0.160.10.43426 > 159.203.14.9.1996: Flags [P.], 
seq 2955630477:2955630939, ack 2382737005, win 502, options [nop,nop,TS 
val 3000375654 ecr 1932743995], length 462

E:@.?.7.
..
...     .+WmY..
...fs3U;GET http://nintendo.com/  HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) 
Gecko/20100101 Firefox/106.0
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Host: nintendo.com 
Via: 1.1 dce3749b9671 (squid/5.6)
X-Forwarded-For: 10.0.130.210
Cache-Control: max-age=259200
Connection: keep-alive


01:40:18.957475 IP 159.203.14.9.1996 > 10.0.160.10.43426: Flags [P.], 
seq 1:1466, ack 462, win 114, options [nop,nop,TS val 1932744407 ecr 
3000375654], length 1465

E@@.3..
..
...m.+Y[...r]..
s3VfHTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=iso-8859-1
transfer-encoding:
date: Wed, 26 Oct 2022 00:40:20 GMT
connection: close



http://nintendo.com//./hallway/index.html 
">

Nintendo Power Source



On Tue, Oct 25, 2022 at 2:08 PM Alex Rousskov wrote:


On 10/23/22 20:36, Matthew H wrote:
 > Hi,
 >
 > I'm using Squid to proxy HTTP requests to another proxy. I can
see squid
 > sending the request to the parent and getting a response, but it
sends
 > the client that initiated the request a 502 Bad Gateway response.
 >
 > On closer inspection it appears the parent proxy is sending an
 > empty transfer-encoding header, and this is causing Squid to send
a 502.

Do you know whether the response body was using chunked (or any other
non-identity) encoding? I have already added your case to the list of
known rejected responses[1], but it would be good to update that with
the information on the actual response encoding.

[1]
https://github.com/squid-cache/squid/pull/702#issuecomment-762459132


If the very first bytes of the response are " 2022/10/24 00:23:59.106| ctx: enter level  0:
'http://nintendo.com/ 
 > >'
 > 2022/10/24 00:23:59.106| 11,3| http.cc(666) processReplyHeader:
 > processReplyHeader: key '19010C00'
 > 2022/10/24 00:23:59.106| 11,2| http.cc(720) processReplyHeader: HTTP
 > Server conn294 local=172.25.0.3:57802 
 > > remote=159.203.14.9:1996

 > > FIRSTUP_PARENT FD 26 flags=1
 > 2022/10/24 00:23:59.106| 11,2| http.cc(721) processReplyHeader: HTTP
 > Server RESPONSE:
 > -
 > HTTP/1.1 200 OK
 > x-powered-by: Express
 > content-type: text/html; charset=iso-8859-1
 > transfer-encoding:
 > date: Mon, 24 Oct 2022 00:23:57 GMT
 > connection: close
 >
 > --
 > 2022/10/24 00:23:59.106| 55,3| HttpHeader.cc(882) getList: empty
list
 > header: Transfer-Encoding(Transfer-Encoding[63])
 > 2022/10/24 00:23:59.106| 55,2| HttpHeader.cc(559) parse: WARNING:
 > unsupported Transfer-Encoding used by client:
 > 2022/10/24 00:23:59.106| ctx: exit level  0
 > 2022/10/24 00:23:59.106| 20,3| store.cc(1673) reset:
 > http://nintendo.com/  >
 > 2022/10/24 00:23:59.107| 17,3| FwdState.cc(492) fail:
ERR_INVALID_RESP
 > "Bad Gateway"
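Why a proxy refuses an empty `transfer-encoding:` field instead of quietly ignoring it, shown as a strict response-framing check. This is an added example and not Squid source code: `parse_head`, `check_framing`, `classify` and `SUPPORTED_CODINGS` are names chosen for this illustration, and `CAPTURED_HEAD` is the response head copied from the tcpdump output quoted in this thread (body omitted, CRLF line endings restored).

```python
"""Strict HTTP/1.1 response-framing check, in the spirit of the Squid
check discussed in this thread.

Added example, not Squid code: parses a response head and rejects any
message whose body length cannot be determined unambiguously, including
the empty "transfer-encoding:" field the origin server sent here.
"""
from __future__ import annotations

from typing import Dict, List

# Transfer codings this example understands. Real proxies may accept more,
# but every agent on the path has to agree, so the list is kept short.
SUPPORTED_CODINGS = {"chunked"}

# Response head from the tcpdump output quoted in the thread (body omitted).
CAPTURED_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "x-powered-by: Express\r\n"
    "content-type: text/html; charset=iso-8859-1\r\n"
    "transfer-encoding:\r\n"
    "date: Wed, 26 Oct 2022 00:40:20 GMT\r\n"
    "connection: close\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Parse a response head into a lower-cased name -> list-of-values map.

    Repeated fields are kept in order instead of being merged or overwritten,
    so the framing check below can see duplicates and conflicts.
    """
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/1."):
        raise ValueError(f"not an HTTP/1.x status line: {lines[0]!r}")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == "":
            break  # the empty line terminates the head
        if line[0] in " \t":
            raise ValueError("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def check_framing(headers: Dict[str, List[str]]) -> str:
    """Return "ok" when the body length is unambiguous, else "reject: <reason>".

    Follows RFC 9112 section 6: Transfer-Encoding takes precedence over
    Content-Length, chunked must be applied exactly once and last, and
    anything the proxy cannot interpret consistently is refused, not guessed.
    """
    te_values = headers.get("transfer-encoding", [])
    cl_values = headers.get("content-length", [])

    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if "" in codings:
            # The case from the thread. Ignoring the empty field would make
            # this proxy delimit the body by Content-Length or connection
            # close while another agent on the path might not. Two agents
            # disagreeing about where one message ends and the next begins
            # is the root of HTTP desynchronisation bugs, so refuse it.
            return "reject: empty transfer-coding in Transfer-Encoding"
        for coding in codings:
            if coding not in SUPPORTED_CODINGS:
                return f"reject: unsupported transfer-coding {coding!r}"
        if cl_values:
            # Both fields present is malformed; do not pick a winner.
            return "reject: both Transfer-Encoding and Content-Length present"
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            return "reject: chunked must appear exactly once and last"
        return "ok"

    if cl_values:
        # Duplicate Content-Length fields must all carry one decimal value.
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            return "reject: invalid or conflicting Content-Length"
        return "ok"

    return "ok"  # no framing field: body ends when the connection closes


def classify(raw: str) -> str:
    """Parse and check a raw response head in one step."""
    return check_framing(parse_head(raw))


if __name__ == "__main__":
    print(classify(CAPTURED_HEAD))
```

Run stand-alone, the script prints the rejection reason for the captured head. The point of the design is that every `reject` branch corresponds to a case where two HTTP agents could legitimately compute different body lengths; a proxy that "fixes up" such messages on the client's behalf is choosing one interpretation that the next hop may not share, which is the exposure Alex refers to when advising against simply deleting the check.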
 

Re: [squid-users] ACL based DNS server list

2022-10-26 Thread Odhiambo Washington
On Wed, Oct 26, 2022 at 4:27 AM Sneaker Space LTD wrote:

> Hello,
>
> Is there a way to use specific DNS servers based on the user or connecting
> IP address that is making the connection by using acls or any other method?
> If so, can someone send an example.
>

If you are using BIND, you can always use the "VIEWS" feature, but I think
this has to be done outside Squid.
However, nothing is impossible in this world except for changing the value
of Pi from 3.14-something  :)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)