Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
On 24/11/2015 5:49 p.m., Michael Ludvig wrote:
> Hi Amos
>
> On 09/11/15 12:55, Amos Jeffries wrote:
>> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
>>> [target]
>>>
>>> Can you provide some config hints for both proxies please? The
>>> SSL-related bits only as that's the unclear part.
>> my_proxy:
>>   cache_peer example.com 3129 0 ssl
>>
>> upstream_proxy:
>>   https_port 3129 cert=/path/to/cert
>
> This works well when the [client] has $https_proxy set to point to
> [my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.
>

That is for what you documented:
  [client] -> HTTPS -> [my_proxy]

> However with transparent proxy / sslbump on [my_proxy] I keep getting:
>

That is two separate and entirely different traffic types:

 A) [client] -> HTTP--(NAT)--> [my_proxy]
 B) [client] -> TLS--(NAT)--> [my_proxy]

(A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"
(B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"

The above is the minimum configuration. The generate-* etc settings you
mention below are useful as well.

> Failed to establish a secure connection to 10.205.28.183 (=this is
> [upstream_proxy])
> The system returned:
> [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
> Certificate does not match domainname: /C=NZ/O=Example CA/CN=parent.example.com
>
> On [my_proxy] I've got:
>   https_port 8443 intercept ssl-bump generate-host-certificates=on \
>       dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
>   acl step1 at_step SslBump1
>   ssl_bump peek step1
>   ssl_bump bump all

This is bumping with only the client details known. In order to
impersonate the server you also need to fetch the server details (peek
or stare at step2), then bump at step3.

Aymeric also recently found a bug in the SNI details being sent to
peers. The very latest 3.5 snapshot may be needed as well as the step2
config change.
Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
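What Amos's advice amounts to on [my_proxy], written out as an added example that was not posted by anyone in the thread and is not Squid project documentation: the three-step ssl_bump (peek, stare, bump) in place of "peek step1 / bump all", with the cache_peer link over TLS and peer verification left on instead of the DONT_VERIFY_* flags. The CA file path, the peer hostname and the port numbers are assumptions reusing the thread's values; as Amos notes, a 3.5 snapshot with the SNI-to-peer fix may also be needed.

```squid
# my_proxy (Squid 3.5) - added example assembled from the thread's
# directives, not a config from the thread. Paths/hostnames are assumptions.

# Intercepted port 443 traffic (case B in Amos's reply): TLS from the client.
https_port 8443 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
# Intercepted port 80 traffic (case A): plain HTTP from the client.
http_port 8080 intercept ssl-bump cert=/etc/squid/intermediate.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Three-step bumping. At step 1 Squid has seen only the client's
# ClientHello (SNI). Bumping straight after step 1 ("ssl_bump bump all")
# is what produced SQUID_X509_V_ERR_DOMAIN_MISMATCH: the origin server's
# certificate was never fetched, so there was nothing correct to mimic.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek  step1   # learn the SNI from the client
ssl_bump stare step2   # fetch the origin server certificate via the peer
ssl_bump bump  step3   # only now generate the mimicked certificate

# Peer link over TLS. The parent's certificate is verified against the CA
# that issued it and its name is checked, so a host interposed between the
# two proxies is rejected rather than silently accepted as the thread's
# sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER would allow.
cache_peer parent.example.com parent 3129 0 no-query ssl \
    sslcafile=/etc/squid/example-ca.pem \
    ssldomain=parent.example.com
never_direct allow all
```

Dropping "ssl_bump bump all" means an unlisted step gets Squid's default action; keep an explicit final rule if some traffic should be spliced rather than bumped.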
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi Amos

On 09/11/15 12:55, Amos Jeffries wrote:
> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
>> [target]
>>
>> Can you provide some config hints for both proxies please? The
>> SSL-related bits only as that's the unclear part.
> my_proxy:
>   cache_peer example.com 3129 0 ssl
>
> upstream_proxy:
>   https_port 3129 cert=/path/to/cert

This works well when the [client] has $https_proxy set to point to
[my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.

However with transparent proxy / sslbump on [my_proxy] I keep getting:

  Failed to establish a secure connection to 10.205.28.183 (=this is [upstream_proxy])
  The system returned:
  [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
  Certificate does not match domainname: /C=NZ/O=Example CA/CN=parent.example.com

On [my_proxy] I've got:

  https_port 8443 intercept ssl-bump generate-host-certificates=on \
      dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump bump all
  cache_peer parent.example.com parent 3129 0 no-query ssl \
      sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
  sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

On the [upstream_proxy] I've got:

  https_port 3129 cert=/etc/squid/parent.example.com.pem
  visible_hostname parent.example.com

I've got the certificates issued to parent.example.com and the record
for parent.example.com in /etc/hosts on [my_proxy]

What am I doing wrong / how to make it work for transparent ssl proxying?

Thanks!

Michael
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
> Hi Amos
>
> thanks for your reply.
>
> On 08/11/15 03:27, Amos Jeffries wrote:
>> You are taking secured traffic. Removing the decryption. Then ...
>
> Yes. Then ... I expected it would make a CONNECT to the upstream proxy
> that would in turn do HTTPS to the target.
>
> I'm happy with the certificate mismatch.
>
>>> I get a crash message in cache.log:
>>>
>>>   2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>>>   "peer->use_ssl"
>> Attempting to connect and send encryption to a non-encrypted peer.
>>
>> Using a current version of Squid should fix that assertion and just not
>> let the peer be used. Your Squid is a whole 2 months old. In the arms
>> race that is SSL-Bump a few months is a long time.
>>
>> Squid still will not generate new CONNECT to non-encrypted peers though.
>> So you will need to TLS enable the cache_peer link.
>
> If my proxy talks TLS with the upstream one - will that do the trick? I
> can upgrade to the latest Squid if that should fix the problem.
>
> However I'm a bit confused with the protocols / certificates involved..
>
> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
> [target]
>
> What protocol is used between [my_proxy] and [upstream_proxy]? It's not
> CONNECT, is it?

Correct, it is not.

> Is it TLS connection with something like "GET
> https://example.com/ HTTP/1.." passing through?
>

Yes.

> Does that also mean the upstream one will have to ssl_bump the
> connection again and re-encrypt with yet another certificate to be able
> to read the target URL?

No and yes.

No - the upstream proxy is an explicit-/forward- proxy, just receiving
messages over TLS.

Yes - the outbound connection from the peer to the server will use a
different TLS connection, thus different certificates.

This type of multiple-hop proxying is one where server-first style of
bumping and certificate mimicking is difficult at best and not possible
in current Squid versions.

So whoever is managing the upstream proxy needs to make sure that it
only connects to servers that are properly secured and verified.

> And also - can I pass non-SSL traffic between my
> proxy and the upstream as well?

You can. Either over the same TLS link between the proxies, or over a
second cache_peer link.

>
> Can you provide some config hints for both proxies please? The
> SSL-related bits only as that's the unclear part.

my_proxy:
  cache_peer example.com 3129 0 ssl

upstream_proxy:
  https_port 3129 cert=/path/to/cert

Amos
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi Amos

thanks for your reply.

On 08/11/15 03:27, Amos Jeffries wrote:
> You are taking secured traffic. Removing the decryption. Then ...

Yes. Then ... I expected it would make a CONNECT to the upstream proxy
that would in turn do HTTPS to the target.

I'm happy with the certificate mismatch.

>> I get a crash message in cache.log:
>>
>>   2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>>   "peer->use_ssl"
> Attempting to connect and send encryption to a non-encrypted peer.
>
> Using a current version of Squid should fix that assertion and just not
> let the peer be used. Your Squid is a whole 2 months old. In the arms
> race that is SSL-Bump a few months is a long time.
>
> Squid still will not generate new CONNECT to non-encrypted peers though.
> So you will need to TLS enable the cache_peer link.

If my proxy talks TLS with the upstream one - will that do the trick? I
can upgrade to the latest Squid if that should fix the problem.

However I'm a bit confused with the protocols / certificates involved..

[client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
[target]

What protocol is used between [my_proxy] and [upstream_proxy]? It's not
CONNECT, is it? Is it TLS connection with something like "GET
https://example.com/ HTTP/1.." passing through?

Does that also mean the upstream one will have to ssl_bump the
connection again and re-encrypt with yet another certificate to be able
to read the target URL?

And also - can I pass non-SSL traffic between my proxy and the upstream
as well?

Can you provide some config hints for both proxies please? The
SSL-related bits only as that's the unclear part.

Thanks in advance!

Michael
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
>
> Does anyone have any idea how to fix the below described problem? Please :)
>

You are taking secured traffic. Removing the decryption. Then ...

>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.

Except when the target is a peer receiving plain-text TCP connections
(not TLS encrypted connections) ...

>>
>>   1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443
>>   - HIER_NONE/- -
>>   1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
>>   https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>

... splat.

Clear enough? If not the assertion below should make it clearer.

>> Alternatively if I change the ssl_bump setup to this:
>>
>>   acl step1 at_step SslBump1
>>   ssl_bump peek step1
>>   ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>>   2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>>   "peer->use_ssl"

Attempting to connect and send encryption to a non-encrypted peer.

Using a current version of Squid should fix that assertion and just not
let the peer be used. Your Squid is a whole 2 months old. In the arms
race that is SSL-Bump a few months is a long time.

Squid still will not generate new CONNECT to non-encrypted peers though.
So you will need to TLS enable the cache_peer link.

Amos
Re: [squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi again

Does anyone have any idea how to fix the below described problem? Please :)

Thanks!

Michael

On 05/11/15 16:01, Michael Ludvig wrote:
> Hi
>
> I've got a network without direct internet access where I have Squid
> 3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on
> tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443
> respectively). This Squid (proxy-test) doesn't have direct Internet
> access either but can talk to a parent Squid (proxy-upstream) in another
> part of the network that does have Internet access.
>
> With HTTP it works well - client makes a request to
> http://www.example.com (port 80), router and iptables redirect the
> connection to Squid's port 8080, that intercepts the request and makes a
> request to the upstream proxy that serves it as usual.
>
> Here are the config options used:
>
>   http_port 8080 intercept
>   cache_peer proxy-upstream parent 3128 0 no-query
>   never_direct allow all
>
> Now I wanted to do a similar thing for HTTPS:
>
>   https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
>   sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>   sslcrtd_children 5
>   ssl_bump bump all
>
> Without cache_peer it works as expected (when I enable temporary
> internet access), i.e. auto-generates a fake SSL cert and makes a direct
> connection to the target.
>
> However with cache_peer it doesn't work. I get HTTP/503 error from the
> proxy:
>
>   1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
>   1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>
> Alternatively if I change the ssl_bump setup to this:
>
>   acl step1 at_step SslBump1
>   ssl_bump peek step1
>   ssl_bump bump all
>
> I get a crash message in cache.log:
>
>   2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
>
> When I use this proxy in non-transparent mode, i.e. configuring the
> proxy on client to proxy-test:3128, it works:
>
>   1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
>
> So I need to somehow turn the HTTPS request that lands on proxy-test
> into a CONNECT request that's forwarded to proxy-upstream. If Squid
> can't do that is there any other transparent-to-nontransparent proxy
> software that can do that?
>
> Thanks!
>
> Michael
[squid-users] Transparent HTTPS Squid proxy with upstream parent
Hi

I've got a network without direct internet access where I have Squid
3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on
tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443
respectively). This Squid (proxy-test) doesn't have direct Internet
access either but can talk to a parent Squid (proxy-upstream) in another
part of the network that does have Internet access.

With HTTP it works well - client makes a request to
http://www.example.com (port 80), router and iptables redirect the
connection to Squid's port 8080, that intercepts the request and makes a
request to the upstream proxy that serves it as usual.

Here are the config options used:

  http_port 8080 intercept
  cache_peer proxy-upstream parent 3128 0 no-query
  never_direct allow all

Now I wanted to do a similar thing for HTTPS:

  https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
  sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
  sslcrtd_children 5
  ssl_bump bump all

Without cache_peer it works as expected (when I enable temporary
internet access), i.e. auto-generates a fake SSL cert and makes a direct
connection to the target.

However with cache_peer it doesn't work. I get HTTP/503 error from the
proxy:

  1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
  1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html

Alternatively if I change the ssl_bump setup to this:

  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump bump all

I get a crash message in cache.log:

  2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"

When I use this proxy in non-transparent mode, i.e. configuring the
proxy on client to proxy-test:3128, it works:

  1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -

So I need to somehow turn the HTTPS request that lands on proxy-test
into a CONNECT request that's forwarded to proxy-upstream. If Squid
can't do that is there any other transparent-to-nontransparent proxy
software that can do that?

Thanks!

Michael