Re: [squid-users] [SOLVED] Transparent HTTPS Squid proxy with upstream parent
On 24/11/15 18:26, Amos Jeffries wrote:
> That is two separate and entirely different traffic types:
>
>   A) [client] -> HTTP--(NAT)--> [my_proxy]
>   B) [client] -> TLS--(NAT)--> [my_proxy]
>
> (A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"
> (B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"
>
> Above is the minimum configuration. The generate-* etc. settings you
> mention below are useful as well.
>
> In order to impersonate the server you also need to fetch the server
> details (peek or stare at step2), then bump at step3.

Yay, that seems to work! Here is the working config for [my_proxy]:

    http_port 3128
    http_port 8080 intercept
    https_port 8443 intercept ssl-bump generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
    sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    #ssl_bump peek step1    # <- enabling this breaks it
    ssl_bump stare step2
    ssl_bump bump step3

    cache_peer parent.example.com parent 3129 0 no-query ssl
    never_direct allow all

And two iptables rules:

    iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Now the clients can either go explicitly to the proxy on port 3128, or those that don't support setting a proxy have [my_proxy] as their default gateway and the transparent proxy setup kicks in.

Thanks a lot Amos for your help!

Michael

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi Amos

On 09/11/15 12:55, Amos Jeffries wrote:
> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS -> [target]
>>
>> Can you provide some config hints for both proxies please? The
>> SSL-related bits only as that's the unclear part.
>
> my_proxy:
>     cache_peer example.com 3129 0 ssl
>
> upstream_proxy:
>     https_port 3129 cert=/path/to/cert

This works well when the [client] has $https_proxy set to point to [my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.

However with transparent proxy / sslbump on [my_proxy] I keep getting:

    Failed to establish a secure connection to 10.205.28.183   (= this is [upstream_proxy])
    The system returned: [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
    Certificate does not match domainname: /C=NZ/O=Example CA/CN=parent.example.com

On [my_proxy] I've got:

    https_port 8443 intercept ssl-bump generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    cache_peer parent.example.com parent 3129 0 no-query ssl \
        sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
    sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

On the [upstream_proxy] I've got:

    https_port 3129 cert=/etc/squid/parent.example.com.pem
    visible_hostname parent.example.com

I've got the certificates issued to parent.example.com and a record for parent.example.com in /etc/hosts on [my_proxy].

What am I doing wrong / how do I make it work for transparent SSL proxying?

Thanks!

Michael
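The sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER and sslproxy_flags lines in the config above switch off certificate-chain and hostname verification on the TLS hop to the parent and on bumped origin-server connections, so neither side of the proxy is authenticated while they are in place. The fragment below is an added example, not configuration from the thread or from the Squid project: it shows that weak setting beside a verifying form. The CA file paths are placeholders; the sslcafile=, ssldomain= cache_peer options and the sslproxy_cafile directive are the Squid 3.5 spellings (Squid 4 renamed them to tls-*).

```conf
# Weak (as in the question): skips the CA check and the hostname check on the
# TLS link to the parent, and on every bumped origin-server connection.
cache_peer parent.example.com parent 3129 0 no-query ssl \
    sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

# Verifying alternative: trust only the CA that issued the parent's certificate
# and state the name the certificate must carry. File paths are placeholders.
cache_peer parent.example.com parent 3129 0 no-query ssl \
    sslcafile=/etc/squid/example-ca.pem \
    ssldomain=parent.example.com
# Bumped origin servers are checked against a CA bundle instead of being
# exempted from checks; the bundle path varies by distribution.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
```

Only one of the two cache_peer lines can be present at a time (Squid rejects duplicate peers); the point is the contrast. With the verifying form, a DOMAIN_MISMATCH such as the one reported above stays a hard failure that is logged in cache.log rather than being silently accepted.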
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi again

Does anyone have any idea how to fix the problem described below? Please :)

Thanks!

Michael

On 05/11/15 16:01, Michael Ludvig wrote:
> Hi
>
> I've got a network without direct internet access where I have Squid 3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443 respectively). This Squid (proxy-test) doesn't have direct Internet access either but can talk to a parent Squid (proxy-upstream) in another part of the network that does have Internet access.
>
> With HTTP it works well - the client makes a request to http://www.example.com (port 80), the router and iptables redirect the connection to Squid's port 8080, which intercepts the request and makes a request to the upstream proxy that serves it as usual. Here are the config options used:
>
>     http_port 8080 intercept
>     cache_peer proxy-upstream parent 3128 0 no-query
>     never_direct allow all
>
> Now I wanted to do a similar thing for HTTPS:
>
>     https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
>     sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>     sslcrtd_children 5
>     ssl_bump bump all
>
> Without cache_peer it works as expected (when I enable temporary internet access), i.e. it auto-generates a fake SSL cert and makes a direct connection to the target. However with cache_peer it doesn't work. I get an HTTP/503 error from the proxy:
>
>     1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
>     1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>
> Alternatively if I change the ssl_bump setup to this:
>
>     acl step1 at_step SslBump1
>     ssl_bump peek step1
>     ssl_bump bump all
>
> I get a crash message in cache.log:
>
>     2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
>
> When I use this proxy in non-transparent mode, i.e. configuring the proxy on the client to proxy-test:3128, it works:
>
>     1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
>
> So I need to somehow turn the HTTPS request that lands on proxy-test into a CONNECT request that's forwarded to proxy-upstream. If Squid can't do that, is there any other transparent-to-nontransparent proxy software that can?
>
> Thanks!
>
> Michael
[squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi

I've got a network without direct internet access where I have Squid 3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443 respectively). This Squid (proxy-test) doesn't have direct Internet access either but can talk to a parent Squid (proxy-upstream) in another part of the network that does have Internet access.

With HTTP it works well - the client makes a request to http://www.example.com (port 80), the router and iptables redirect the connection to Squid's port 8080, which intercepts the request and makes a request to the upstream proxy that serves it as usual. Here are the config options used:

    http_port 8080 intercept
    cache_peer proxy-upstream parent 3128 0 no-query
    never_direct allow all

Now I wanted to do a similar thing for HTTPS:

    https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5
    ssl_bump bump all

Without cache_peer it works as expected (when I enable temporary internet access), i.e. it auto-generates a fake SSL cert and makes a direct connection to the target. However with cache_peer it doesn't work. I get an HTTP/503 error from the proxy:

    1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
    1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html

Alternatively if I change the ssl_bump setup to this:

    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all

I get a crash message in cache.log:

    2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"

When I use this proxy in non-transparent mode, i.e. configuring the proxy on the client to proxy-test:3128, it works:

    1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -

So I need to somehow turn the HTTPS request that lands on proxy-test into a CONNECT request that's forwarded to proxy-upstream. If Squid can't do that, is there any other transparent-to-nontransparent proxy software that can?

Thanks!

Michael
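The three access.log lines in this message are the whole diagnosis: an intercepted CONNECT that Squid handled itself (HIER_NONE), the decrypted request then forwarded to the parent as a plain GET https://... and answered with a 503, and, in the explicit-proxy case, a CONNECT relayed to the parent as a tunnel (TCP_TUNNEL/200 via FIRSTUP_PARENT). The script below is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines and labels each by method and hierarchy code, so the failing "bumped and forwarded as GET" path can be picked out of a larger log. Field positions assume Squid's default native log format; the sample lines are constructed from the ones quoted above.

```python
"""Classify Squid native access.log lines by how HTTPS traffic reached the parent.

Added example; field positions follow Squid's default native access.log format.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the three lines quoted in the message above.
SAMPLE_LOG = """\
1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str   # Squid result code, e.g. TCP_MISS, TCP_TUNNEL, TAG_NONE
    status: int   # HTTP status returned to the client
    size: int
    method: str
    url: str
    hier: str     # hierarchy code, e.g. HIER_NONE, FIRSTUP_PARENT
    peer: str     # peer host, or "-" when no peer was used


def parse_line(line: str) -> Entry:
    """Split one native-format line into its whitespace-separated fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hier, peer)


def classify(e: Entry) -> str:
    """Name the path an entry took, from its method and hierarchy code."""
    if e.method == "CONNECT" and e.hier == "FIRSTUP_PARENT":
        # CONNECT relayed to the parent as a tunnel: the explicit-proxy case that works.
        return "tunnel-to-parent"
    if e.method == "CONNECT" and e.hier == "HIER_NONE":
        # Squid dealt with the (intercepted, bumped) TLS connection itself; no parent for the CONNECT.
        return "connect-handled-locally"
    if e.url.startswith("https://") and e.hier == "FIRSTUP_PARENT":
        # A decrypted request was sent on to the parent as a plain GET https://...
        return "decrypted-request-to-parent"
    return "other"


def _entries(log_text: str) -> list[Entry]:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def summarize(log_text: str) -> list[tuple[str, int, str]]:
    """(method, status, classification) for every non-empty line."""
    return [(e.method, e.status, classify(e)) for e in _entries(log_text)]


def failed_parent_forwards(log_text: str) -> list[Entry]:
    """Decrypted requests the parent answered with a 5xx: the symptom in this thread."""
    return [e for e in _entries(log_text)
            if classify(e) == "decrypted-request-to-parent" and e.status >= 500]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    for e in failed_parent_forwards(SAMPLE_LOG):
        print("parent rejected bumped request:", e.url, e.status)
```

Run it over a real access.log (`python3 classify.py < /var/log/squid/access.log`, after swapping SAMPLE_LOG for sys.stdin.read()) and every "decrypted-request-to-parent" row with a 5xx status marks a connection where the bump happened but the parent never saw a CONNECT; once the stare/bump steps are in place, HTTPS traffic through the parent should show up as "tunnel-to-parent" instead.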