Re: [squid-users] Squid Explicit Proxying

2020-08-26 Thread Eric F.

First, thank you very much for your help, you're awesome!

I can in fact browse HTTP pages, but not HTTPS.

Can I ask you for a bit more help :)?

I applied some changes:

Regarding the certificate, I read the man page 
http://man.openbsd.org/ssl

cd /etc/squid
openssl genrsa -out squid.key 4096
openssl req -new -key squid.key -out squid.csr
openssl x509 -sha256 -req -days 365 -in squid.csr -signkey squid.key -out squid.crt

cat squid.crt squid.key > squid.pem
chown _squid:_squid *.pem
chmod 700 *.pem
openssl x509 -in squid.pem -outform DER -out browser.der

Now when I try: curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem -l https://www.google.com
I get: curl: (60) SSL certificate problem: unable to get local issuer certificate...


On the Windows 10 laptop, I configured the proxy using inetcpl.cpl, see 
attached screenshot (IE options).
I also added browser.der to the root certification store in the 
certmgr.msc snap-in (see attached screenshot).


On Firefox, I get SEC_ERROR_UNKNOWN_ISSUER when trying to browse an HTTPS 
website.
On Chrome, I get ERR_CONNECTION_CLOSED when trying to browse an HTTPS 
website.


HTTP websites are OK.

I enabled debugging in squid.conf like you suggested :)

Here is the squid -k parse output:

  --8<--

obsd-proxy# squid -k parse
2020/08/26 10:35:44| Startup: Initializing Authentication Schemes ...
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'basic'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'digest'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'negotiate'

2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'ntlm'
2020/08/26 10:35:44| Startup: Initialized Authentication.
2020/08/26 10:35:44| Processing Configuration File: /etc/squid/squid.conf (depth 0)

2020/08/26 10:35:44| Processing: debug_options ALL,5
2020/08/26 10:35:44| Processing: acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 10.0.0.0/8  # RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 100.64.0.0/10  # RFC 6598 shared address space (CGN)
2020/08/26 10:35:44| Processing: acl localnet src 169.254.0.0/16  # RFC 3927 link-local (directly plugged) machines
2020/08/26 10:35:44| Processing: acl localnet src 172.16.0.0/12  # RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 192.168.0.0/16  # RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src fc00::/7  # RFC 4193 local private network range
2020/08/26 10:35:44| Processing: acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

2020/08/26 10:35:44| Processing: acl SSL_ports port 443
2020/08/26 10:35:44| Processing: acl Safe_ports port 80  # http
2020/08/26 10:35:44| Processing: acl Safe_ports port 21  # ftp
2020/08/26 10:35:44| Processing: acl Safe_ports port 443 # https
2020/08/26 10:35:44| Processing: acl Safe_ports port 70  # gopher

2020/08/26 10:35:44| Processing: acl Safe_ports port 210 # wais
2020/08/26 10:35:44| Processing: acl Safe_ports port 1025-65535  # unregistered ports
2020/08/26 10:35:44| Processing: acl Safe_ports port 280 # http-mgmt
2020/08/26 10:35:44| Processing: acl Safe_ports port 488 # gss-http
2020/08/26 10:35:44| Processing: acl Safe_ports port 591 # filemaker
2020/08/26 10:35:44| Processing: acl Safe_ports port 777 # multiling http

2020/08/26 10:35:44| Processing: acl CONNECT method CONNECT
2020/08/26 10:35:44| Processing: http_access deny !Safe_ports
2020/08/26 10:35:44| Processing: http_access deny CONNECT !SSL_ports
2020/08/26 10:35:44| Processing: http_access allow localhost manager
2020/08/26 10:35:44| Processing: http_access deny manager
2020/08/26 10:35:44| Processing: acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
2020/08/26 10:35:44| Processing: acl bad_domains dstdomain "/etc/squid/bad_domains"

2020/08/26 10:35:44| Processing: http_access deny bad_urls
2020/08/26 10:35:44| Processing: http_access deny bad_domains
2020/08/26 10:35:44| Processing: http_access allow localnet
2020/08/26 10:35:44| Processing: http_access allow localhost
2020/08/26 10:35:44| Processing: http_access deny all
2020/08/26 10:35:44| Processing: http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid.pem

2020/08/26 10:35:44| Processing: acl step1 at_step SslBump1
2020/08/26 10:35:44| Processing: ssl_bump peek step1
2020/08/26 10:35:44| Processing: acl step2 at_step SslBump2
2020/08/26 10:35:44| Processing: ssl_bump stare step2
2020/08/26 10:35:44| Processing: ssl_bump bump all
2020/08/26 10:35:44| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

2020/08/26 10:35:44| Processing: sslcrtd_children 5
2020/08/26 

Re: [squid-users] Squid Explicit Proxying

2020-08-25 Thread Amos Jeffries
On 25/08/20 10:35 pm, Eric F. wrote:
> Hi,
> 
> I use OpenBSD 6.7 with Squid 4.12.
> I want to filter http and https website, so i'm trying to use SSL bumping.
> But unfortunately, my configuration doesn't work. I explain what i did:
> 
> The host is named : proxy.lab.local
> 
> I generated the certificate like that:
> 
> cd /etc/squid
> openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout
> squid.pem -out squid.pem

This creates keys. The public cert still needs to be signed. Though curl
below indicates a self-signed cert is present in the chain it gets from
Squid. That is a bit odd.


> openssl x509 -in /etc/squid/squid.pem -outform DER -out
> /etc/squid/browser.der

This should be done after signing. Whether you do self-signed or not
export the DER from the same file you put in the --CA parameter for the
signing process.


> chown _squid:_squid *.pem
> 
> run squid with squid -z && rcctl start squid
> 
> no errors.
> 
> I installed the browser.der on my Windows 10 laptop (added the proxy),
> therefore i can't access any webpage.

Er. You should still be able to access web pages. The traffic should
just be going via Squid if you "added the proxy" right.


> 
> I tried on the squid server the following tests (curl)
> 
> proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html


curl on the proxy machine does not know about browser.der on the Windows
machines. This is the expected result.


> 
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> 
> proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem
> -l https://www.google.com
> curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert
> handshake failure
> 

The -l indicates an email or FTP server being connected to. Otherwise
this command looks correct.

I start by looking up the OpenSSL error message. Unfortunately that one
produces no search results for me. You might have better luck. In
absence of any useful info about what the error means next thing is to
get the verbose output from curl to see what is going on.
And check the Squid cache.log with "debug_options ALL,5" to see what
Squid is doing at its end.

If that does not provide more useful clues then TCP level packet trace
in wireshark as a last resort.



> Can you help me to troubleshoot this issue ?
> 
> Thank you very much.
> 
> Below my configuration :
> 
> 
> proxy# squid -v
> Squid Cache: Version 4.12
> Service Name: squid
> 
> This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
> see https://www.openssl.org/source/license.html
> 

FYI, LibreSSL is not formally supported due to the number of behavioural
differences it now has with OpenSSL. SSL-Bump is a mix of custom Squid
code and relatively low-level calls into OpenSSL. While LibreSSL usually
builds, we cannot guarantee those low-level calls do what SSL-Bump expects.


...
> 
> acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> 
> http_access deny bad_urls
> http_access deny bad_domains
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 

Nit: that line means all the bad_* checks should be down here.


> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
>   cert=/etc/squid/squid.pem \

Nit: the option is now named tls-cert=


>   generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> 
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
> /var/squid/ssl_db -M 8MB
> 
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all


This makes SSL-Bump generate the certificates without any details from
the actual server. You can expect a lot of issues with TLS features that
need end-to-end negotiation (eg TLS/1.3 connections).

To work around that:

  acl step1 at_step SslBump1
  ssl_bump peek step1

  acl step2 at_step SslBump2
  ssl_bump stare step2

  ssl_bump bump all


> sslcrtd_children 5
> sslproxy_cert_sign signTrusted
> 


HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
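An added example, not part of the thread, showing the two properties a client checks when it validates the certificates an SSL-Bump proxy generates: that the issuer certificate is marked as a CA, and that a host certificate signed by it verifies against it. The CA name, the working directory, the `www.example.com` host and the helper names `make_ca`, `ca_flag` and `verify_leaf_for` are constructed for illustration; `verify_leaf_for` only stands in for what security_file_certgen does at runtime.

```shell
# Added example (not from the thread): build an issuer certificate with the
# extensions SSL-Bump signing needs, then run the two checks a client performs
# on Squid's generated certificates. Names, paths and the host are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# CA key + self-signed CA cert. basicConstraints CA:TRUE and keyUsage keyCertSign
# are what distinguish a usable issuer from a plain self-signed leaf certificate.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Squid SSL-Bump Lab CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -key "$WORK/ca.key" \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/ca.key" > "$WORK/ca.pem"  # same layout as tls-cert=
}

# Check 1: is the first certificate in the file marked as a CA?
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo CA:TRUE || echo CA:FALSE
}

# Check 2: does a host certificate issued by that CA verify against it? This
# stands in for what security_file_certgen does per visited host (minus the
# SAN it copies from the real server certificate).
verify_leaf_for() {
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=$1" \
    -config "$WORK/ca.cnf" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL
}

make_ca
echo "issuer is CA:  $(ca_flag "$WORK/ca.pem")"
echo "leaf verifies: $(verify_leaf_for www.example.com)"
```

Running `ca_flag` against an existing tls-cert= file tells you whether browsers can ever treat it as the issuer of the mimicked host certificates; the DER you import on clients should be exported from that same CA file.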


[squid-users] Squid Explicit Proxying

2020-08-25 Thread Eric F.

Hi,

I use OpenBSD 6.7 with Squid 4.12.
I want to filter http and https websites, so I'm trying to use SSL bumping.

But unfortunately, my configuration doesn't work. I explain what I did:

The host is named: proxy.lab.local

I generated the certificate like that:

cd /etc/squid
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem
openssl x509 -in /etc/squid/squid.pem -outform DER -out /etc/squid/browser.der

chown _squid:_squid *.pem

run squid with squid -z && rcctl start squid

no errors.

I installed browser.der on my Windows 10 laptop (added the proxy), 
therefore I can't access any webpage.


I tried the following tests (curl) on the squid server:

proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain

More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem -l https://www.google.com
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure


Can you help me to troubleshoot this issue?

Thank you very much.

Below is my configuration:


proxy# squid -v
Squid Cache: Version 4.12
Service Name: squid

This binary uses LibreSSL 3.1.1. For legal restrictions on distribution 
see https://www.openssl.org/source/license.html


configure options:  '--disable-strict-error-checking' 
'--disable-arch-native' '--datadir=/usr/local/share/squid' 
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' 
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools' 
'--enable-digest' '--enable-follow-x-forwarded-for' 
'--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' 
'--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru 
heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' 
'--enable-storeio=aufs ufs diskd' '--with-default-user=_squid' 
'--with-filedescriptors=8192' '--with-krb5-config=no' 
'--with-pidfile=/var/run/squid.pid' '--with-pthreads' 
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent' 
'--enable-ipfw-transparent' '--enable-external-acl-helpers=SQL_session 
file_userip time_quota  unix_group wbinfo_group  LDAP_group 
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid' 
'--mandir=/usr/local/man' '--infodir=/usr/local/info' 
'--localstatedir=/var/squid' '--disable-silent-rules' 
'--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe' 
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 
'CXXFLAGS=-O2 -pipe'


proxy# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#