Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-11 Thread Jason Chiu
I reconfigured, adding "--with-nat-devpf" (squid-3.5.24 on FreeBSD 9.1).

This issue *has been resolved*,
thanks to Amos Jeffries.

The following is my squid version and configure options.

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--with-nat-devpf' '--enable-ssl-crtd'
'--enable-ecap' '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
--enable-ltdl-convenience

--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-ssl-bump-intercept-TCP-DENIED-200-on-bridge-mode-tp4682712p4682748.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
test case 1 : 
-
I changed my squid setting (don't use intercept mode)

http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

The client web browser is set to use the proxy 192.168.95.81:3129.

squid ssl-bump is * OK *.
squid access.log has the client's access entries.

test case 2:
-
But I want to use transparent mode (intercept with PF rdr).
For intercept mode I added the following acl rules:

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts
.
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 

TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 no longer appears in access.log,
but the client web browser keeps waiting and gets no response.



Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-08 Thread Jason Chiu
I also tested the following cases 
test case 1: 

add the following settings in squid.conf 

acl bumpedPorts myportname 3129 
http_access allow CONNECT bumpedPorts 

test results:  ssl bump failed
1. access.log has no record
2. web browser keeps waiting, no response

-- 

test case 2: 
1. squid.conf  use  http_port 3129 ssl-bump
cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB 
2. web browser uses proxy server x.x.x.x 3129

test result :  ssl bump is OK




[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

2017-06-07 Thread Jason Chiu
I have a FreeBSD 9.1 bridge (em0, em1) environment and use "pf rdr to" to
redirect HTTPS (port 443) packets to squid (127.0.0.1:3129).

Squid *3.3.11* ssl bump is OK.


The following is the setting of squid 3.3.11

Squid Cache: Version 3.3.11-20140220-r12672
Configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience


Recently, in order to let squid sign the generated certificates with sha256,
I upgraded squid to version 3.5.24.


But ssl bump * is not OK *

access.log always shows the following messages:
1495699856.074  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495699857.720  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.054  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.717  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.060  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.354  0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -

*Need to adjust which part of the settings?*



The following are my settings:

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid'
'--localstatedir=/var/squid' '--datadir=/usr/share/squid'
'--enable-icap-client' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap'
'--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
--enable-ltdl-convenience


squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M 10MB
sslcrtd_children 5

# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher
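As an added example (not code from this thread, from Jason Chiu, or from the Squid project), the following Python script automates the two checks the thread leads to: whether a build that serves an `intercept` listener on FreeBSD/pf carries `--enable-pf-transparent` and `--with-nat-devpf`, and whether access.log shows the reported symptom, a denied CONNECT whose target is the proxy's own intercept port. The function names and the abbreviated `squid -v` text are this example's own; the `https_port` lines and the TCP_DENIED/200 log entries are copied from the posts above, and the single TCP_MISS line is constructed for contrast.

```python
"""Diagnostic for the ssl-bump intercept failure discussed in this thread.

Assumptions of this example (not Squid behaviour it documents itself):
1. build check: an http_port/https_port with 'intercept' on a FreeBSD/pf box
   needs both '--enable-pf-transparent' and '--with-nat-devpf' in 'squid -v'
   output, otherwise Squid cannot recover the original destination of
   connections that 'pf rdr' sent to it.
2. log check: the symptom is a CONNECT aimed at the proxy's own intercept
   port being logged as TCP_DENIED/... with HIER_NONE.
"""
import re
from typing import Dict, List, Set

# http_port / https_port directive: name, listen spec, remaining options
PORT_DIRECTIVE_RE = re.compile(r'^(https?_port)\s+(\S+)\s*(.*)$')

# native access.log layout (logformat squid)
ACCESS_LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+'
    r'(?P<hier>\S+)\s+(?P<ctype>\S+)')


def configured_intercept_ports(squid_conf: str) -> List[int]:
    """Ports of every http_port/https_port that carries 'intercept' or 'tproxy'.
    Comments are stripped first, so a commented-out listener is ignored."""
    ports: List[int] = []
    for raw in squid_conf.splitlines():
        m = PORT_DIRECTIVE_RE.match(raw.split('#', 1)[0].strip())
        if not m:
            continue
        options = m.group(3).split()
        if 'intercept' in options or 'tproxy' in options:
            # listen spec may be 'port', 'ip:port' or '[ipv6]:port'
            ports.append(int(m.group(2).rsplit(':', 1)[-1]))
    return ports


def configure_flags(squid_v_output: str) -> Set[str]:
    """The --flags after 'configure options:' in 'squid -v' output, quoted or
    bare, even when a mailer wrapped the line."""
    text = squid_v_output
    m = re.search(r'configure options:', text, re.IGNORECASE)
    if m:
        text = text[m.end():]
    flags: Set[str] = set()
    for quoted, bare in re.findall(r"'([^']*)'|(\S+)", text):
        token = quoted or bare
        if token.startswith('--'):
            flags.add(token)
    return flags


def check_pf_intercept_build(squid_conf: str, squid_v_output: str) -> List[str]:
    """FreeBSD/pf only: report build options an intercept listener needs but lacks."""
    findings: List[str] = []
    ports = configured_intercept_ports(squid_conf)
    if not ports:
        return findings
    flags = configure_flags(squid_v_output)
    for needed, why in (('--enable-pf-transparent', 'pf transparent proxy support'),
                        ('--with-nat-devpf', 'original-destination lookup via /dev/pf')):
        if needed not in flags:
            findings.append(f'intercept port(s) {ports} configured but build lacks {needed} ({why})')
    return findings


def self_connect_denials(log_lines: List[str], intercept_ports: List[int]) -> List[Dict[str, str]]:
    """Denied CONNECT entries whose target is one of the proxy's own intercept
    ports: with the NAT lookup missing, Squid sees the redirected connection as
    addressed to itself and refuses it."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line.strip())
        if not m or m['method'] != 'CONNECT' or not m['code'].startswith('TCP_DENIED/'):
            continue
        port = m['url'].rsplit(':', 1)[-1]
        if port.isdigit() and int(port) in intercept_ports:
            hits.append({'ts': m['ts'], 'client': m['client'], 'target': m['url'], 'code': m['code']})
    return hits


# Sample inputs: port lines and TCP_DENIED entries copied from the thread,
# 'squid -v' text abbreviated, the TCP_MISS entry constructed for contrast.
SAMPLE_CONF = """\
http_port 3128
#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""
SQUID_V_BEFORE = """\
Squid Cache: Version 3.5.24-20170331-r14150
configure options:  '--prefix=/usr/local/squid' '--enable-ssl' '--with-pthreads'
'--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap' '--with-openssl'
--enable-ltdl-convenience
"""
SQUID_V_AFTER = SQUID_V_BEFORE.replace("'--enable-pf-transparent'",
                                       "'--enable-pf-transparent' '--with-nat-devpf'")
SAMPLE_LOG = [
    "1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    "1495699857.720      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    "1495699900.123    120 192.168.95.81 TCP_MISS/200 4523 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == '__main__':
    for finding in check_pf_intercept_build(SAMPLE_CONF, SQUID_V_BEFORE):
        print('BUILD:', finding)
    for hit in self_connect_denials(SAMPLE_LOG, configured_intercept_ports(SAMPLE_CONF)):
        print('LOG:', hit)
```

Run against the 3.5.24 build from the original post the script reports the missing `--with-nat-devpf` and flags both TCP_DENIED/200 lines; against the rebuilt options from the first reply the build check is clean, so only a real traffic problem would be left to chase in the log.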