Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode
I reconfigured with "--with-nat-devpf" added (squid-3.5.24 on FreeBSD 9.1). This issue *has been resolved*, thanks to Amos Jeffries.

The following is my squid version and configure options:

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--with-nat-devpf' '--enable-ssl-crtd' '--enable-ecap' '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-5-ssl-bump-intercept-TCP-DENIED-200-on-bridge-mode-tp4682712p4682748.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode
test case 1:
- I changed my squid setting (not using intercept mode):

http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

then the client web browser's proxy was set to 192.168.95.81:3129.
squid ssl-bump *OK*, and squid access.log has the client access log.

test case 2:
- but I want to use transparent mode (intercept with PF rdr).
In intercept mode I added the following acl rule:

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts

https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

"TCP_DENIED/200 0 CONNECT 127.0.0.1:3129" no longer appears in access.log, but the client web browser keeps waiting and gets no response.
Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode
I also tested the following cases

test case 1:
add the following settings in squid.conf

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts

test result: ssl bump failed
1. access.log has no record
2. web browser keeps waiting, no response

--
test case 2:
1. squid.conf uses

http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

2. web browser uses proxy server x.x.x.x 3129

test result: ssl bump is OK
Re: [squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode
On 06/07/2017 03:37 AM, Jason Chiu wrote:
> 1495699856.074 0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
> *Need to adjust which part of the settings?*

If that connection is really trying to connect to 127.0.0.1:3129 from Squid's point of view, then your interception setup is probably deficient. Intercepted to-port 443 connections should be seen by Squid as going to port 443 (while being received at Squid port 3129). Interception is not (or should not be) just port redirection. This has nothing to do with Squid configuration though.

Once you fix interception (or if you refuse to fix it), if Squid is denying access, then you should adjust your http_access rules. Your rules must allow the fake CONNECT requests that represent intercepted HTTPS connections. For example, the above TCP_DENIED line is probably logged because your current interception setup triggers this (correct) rule:

> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports

And yes, it might have "worked" in the past because earlier Squids were doing fewer checks than they should have been doing.

Alex.

> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/squid/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> #http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump bump all
>
> # sslcrtd
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M 10MB
> sslcrtd_children 5
>
> # sslproxy setting
> sslproxy_capath /var/squid/ssl_db/certs
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
> #sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslproxy_cert_error allow all
> sslproxy_cert_adapt setValidAfter all
>
> sslproxy_flags DONT_VERIFY_PEER
>
>
> pf.conf
> ---
> #internal interface
> int_if = '{em1}'
>
> # Normalization: reassemble fragments resolve or reduce traffic ambiguities.
> scrub in all
> set skip on lo0
>
> #sslTP rdr setting
> rdr_from = 'any'
> rdr_to = 'any'
> rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 -> 127.0.0.1 port 3129
> pass in all no state
> pass out all no state
> pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any keep state
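An added example (not from this thread and not Squid's own code) to make Alex's point concrete: a toy first-match evaluator of the http_access rules posted above, showing why a fake CONNECT that Squid sees as going to 127.0.0.1:3129 falls through to "deny CONNECT !SSL_ports" while one seen as going to the real server on port 443 is allowed by "localnet", plus a scan over native-format access.log lines for CONNECT entries whose destination is the proxy's own intercept port, the symptom of the kernel doing plain port redirection instead of interception Squid can look up. The ACLs and the first two log lines are copied from the thread; the third log line and the server address 93.184.216.34 are constructed.

```python
"""Toy model of the posted http_access chain and an access.log symptom check.

Added example: not Squid source, and a deliberate simplification (only the
rules present in the posted squid.conf, only CONNECT requests).
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# ACL definitions copied from the posted squid.conf.
LOCALNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
SSL_PORTS = {443}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))


class FakeConnect(NamedTuple):
    """The fake CONNECT request Squid synthesises for an intercepted TLS connection."""
    client_ip: str
    dst_host: str
    dst_port: int


def _in_localnet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ returns False across address families, so v4/v6 mixing is safe.
    return any(addr in net for net in LOCALNET)


def http_access(req: FakeConnect) -> Tuple[str, str]:
    """Evaluate the posted http_access lines in their posted order; first match wins.
    Returns (verdict, rule) for the rule that fired."""
    if req.dst_port not in SAFE_PORTS:
        return ("deny", "!Safe_ports")
    if req.dst_port not in SSL_PORTS:          # every intercepted request is a CONNECT
        return ("deny", "CONNECT !SSL_ports")
    if _in_localnet(req.client_ip):
        return ("allow", "localnet")
    if ipaddress.ip_address(req.client_ip).is_loopback:
        return ("allow", "localhost")
    return ("deny", "all")


# Native access.log: time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+CONNECT\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)")


def flag_redirect_only_interception(log_lines: List[str], proxy_port: int):
    """Return (client, code, destination) for CONNECT entries whose destination is
    the proxy's own intercept port. Squid never learned the original server:443,
    so the kernel did plain port redirection; on PF the fix in this thread was
    building Squid with --with-nat-devpf so it can query /dev/pf for the
    original destination."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and int(m.group("port")) == proxy_port:
            findings.append((m.group("client"), m.group("code"),
                             f"{m.group('host')}:{m.group('port')}"))
    return findings


SAMPLE_LOG = [
    # Two lines as posted in the thread.
    "1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    "1495699857.720      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -",
    # Constructed line: what a correctly intercepted connection looks like.
    "1495699858.500    212 192.168.95.81 TCP_TUNNEL/200 5120 CONNECT 93.184.216.34:443 - ORIGINAL_DST/93.184.216.34 -",
]


if __name__ == "__main__":
    for req in (FakeConnect("192.168.95.81", "127.0.0.1", 3129),
                FakeConnect("192.168.95.81", "93.184.216.34", 443)):
        print(req, "->", http_access(req))
    for finding in flag_redirect_only_interception(SAMPLE_LOG, 3129):
        print("redirect-only interception suspected:", finding)
```

Running the check against a live access.log is a quick way to tell Alex's two problems apart: if CONNECT destinations equal the proxy's own port, fix interception first; only once they show the real server:443 do the http_access rules need attention.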
[squid-users] squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode
I had a FreeBSD 9.1 bridge (em0, em1) environment, using "pf rdr to" to redirect HTTPS (port 443) packets to squid (127.0.0.1:3129).

Squid *3.3.11* ssl bump is OK. The following is the setting of squid 3.3.11:

Squid Cache: Version 3.3.11-20140220-r12672
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience

Recently, in order to allow squid to sign generated sha256 certificates, I upgraded squid to version 3.5.24. But ssl bump *is not OK*. access.log always shows the following messages:

1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495699857.720      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.054      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.717      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.060      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.354      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -

*Need to adjust which part of the settings?*

The following is my settings:

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap' '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience

squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M 10MB
sslcrtd_children 5

# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher