Re: [squid-users] Re: HTTPS traffic in normal transparent proxy
On 11/2/2012 6:23 PM, Markus wrote:
> Ok.
> I only have internet access via a http/s proxy.
> In your case the proxy server generates a new https request directly to the SSL-webserver but in my case the request must be sent via parent http/s proxy.
> I only enabled dns-requests for this one virtual machine so that transparent-mode works.
> For this I wrote a dns server which can resolve the domain name via http-proxy. ;-)

Is this parent proxy only for https?
Can it intercept connections?
If it is intercepting ssl connections you can mark + route any ssl connection.

Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Ah right I see, so a different use case :-)

> Date: Fri, 2 Nov 2012 09:23:25 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Ok.
> I only have internet access via a http/s proxy.
> In your case the proxy server generates a new https request directly to the SSL-webserver but in my case the request must be sent via parent http/s proxy.
>
> I only enabled dns-requests for this one virtual machine so that transparent-mode works.
> For this I wrote a dns server which can resolve the domain name via http-proxy. ;-)
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTPS-traffic-in-normal-transparent-proxy-tp1033647p4657210.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Nope, I don't forward the https request through another proxy.
Just use the config I posted in my previous email and it should work.

> Date: Fri, 2 Nov 2012 08:39:01 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Cool!
>
> This was my next idea - to try another release of squid.
>
> But you don't forward the https request through another proxy!?
>
> cache_peer http/s proxy parent 8080 0 default..
>
> Did you try this or should it also work?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
Ok, here are my results:

3.1.2   -> didn't manage to get SSL interception working
3.2.3   -> didn't manage to get SSL interception working
3.3.0.1 -> WORKS!

What I did:

  wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.0.1.tar.gz
  tar xfvz squid-3.3.0.1.tar.gz
  ./configure --enable-ssl --enable-ssl-crtd
  make all
  make install
  cd /usr/local/squid
  mkdir ssl_cert
  cd ssl_cert
  openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
  openssl x509 -in myCA.pem -outform DER -out myCA.der
  /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
  (plz ensure that '/usr/local/squid/var/lib/' exists)
  chown -R nobody /usr/local/squid/var/lib/ssl_db

Config (/usr/local/squid/etc/squid.conf):

  http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
  always_direct allow all
  ssl_bump allow all
  # the following two options are unsafe and not always necessary:
  sslproxy_cert_error allow all
  sslproxy_flags DONT_VERIFY_PEER
  acl our_networks src
  http_access allow our_networks
  sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
  sslcrtd_children 5

Ensure that /usr/local/squid/var/logs/access.log and /usr/local/squid/var/logs/cache.log exist (the dirty way: touch & chmod 777).

In short: Use 3.3 beta and you won't have any problems.
If I had known that before I wouldn't have had to spend 2 days with Squid 3.1.2 and 3.2.3.

> From: heinrichhirtze...@hotmail.com
> To: m.ferlit...@gmail.com; squid-users@squid-cache.org
> Date: Fri, 2 Nov 2012 13:36:42 +0100
> Subject: RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> > Could you resolve this issue?
> Na, unfortunately not. I've tried some other squid configurations and now I'm getting "Invalid URL: /".
> I'm currently setting up a VM with squid 3.3. (beta), will post the test results here as soon as I have them.
>
> > I thought that ssl-bump was made for this. In my case the security is
> > unimportant. But why does it not work?
> If you have an answer to that question please let me know :-)
>
> > Date: Fri, 2 Nov 2012 05:31:36 -0700
> > From: m.ferlit...@gmail.com
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
> >
> > Could you resolve this issue?
> >
> > I only tried it with firefox on clients. But I think that IE has the same problems.
> >
> > I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
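Added example, not code from the thread: a small Python checker that reads a squid.conf in the shape of the one posted above and flags the settings a reviewer would question (the two lines the poster marks unsafe, an unrestricted ssl_bump, an acl with no value, and http_access rules naming acls that are never defined). The embedded sample config and the 192.0.2.0/24 network are constructed, and the function names are hypothetical.

```python
# Constructed sample in the shape of the squid.conf posted above; the network
# value for the acl is a placeholder because the thread's own value is elided.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl our_networks src 192.0.2.0/24
http_access allow our_networks
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

# ACL names Squid 3.x predefines, so references to them are not "undefined".
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}


def parse_conf(text):
    """Return [(directive, [args...])], dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            entries.append((words[0], words[1:]))
    return entries


def audit(text):
    """Return findings (strings) for settings that weaken the bump setup."""
    entries = parse_conf(text)
    defined = {a[0] for d, a in entries if d == "acl" and a}
    findings = []
    for directive, args in entries:
        head = args[:2]
        if directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream server certificates are never verified")
        elif directive == "sslproxy_cert_error" and head == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: bad upstream certificates are accepted")
        elif directive == "ssl_bump" and head == ["allow", "all"]:
            findings.append("ssl_bump allow all: every TLS session is intercepted, no exemptions")
        elif directive == "http_access" and head == ["allow", "all"]:
            findings.append("http_access allow all: proxy is open to any client")
        elif directive == "acl" and len(args) < 3:
            findings.append("acl '%s' has no value" % (args[0] if args else "?"))
        if directive == "http_access":
            for name in args[1:]:
                if name.lstrip("!") not in defined | BUILTIN_ACLS:
                    findings.append("http_access references undefined acl '%s'" % name)
    return findings
```

Run `audit(open("/usr/local/squid/etc/squid.conf").read())` against a real file; the posted config as written (with the acl value missing) would produce four findings instead of three.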
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
> Could you resolve this issue?
Na, unfortunately not. I've tried some other squid configurations and now I'm getting "Invalid URL: /".
I'm currently setting up a VM with squid 3.3. (beta), will post the test results here as soon as I have them.

> I thought that ssl-bump was made for this. In my case the security is
> unimportant. But why does it not work?
If you have an answer to that question please let me know :-)

> Date: Fri, 2 Nov 2012 05:31:36 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Could you resolve this issue?
>
> I only tried it with firefox on clients. But I think that IE has the same problems.
>
> I thought that ssl-bump was made for this. In my case the security is unimportant. But why does it not work?
RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
> Date: Fri, 2 Nov 2012 05:13:41 -0700
> From: m.ferlit...@gmail.com
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
> Yes, I know but I have the problem that no https site will be opened on the tablet or virtual machine.
>
> I can accept the untrustable certificate but the website will not be opened.
> When I try to open https://outlook.com, in cache.log I see that the webbrowser tries to forward to http://outlook.com. Firefox browser detects an endless loop.
>
> Is it possible to route https requests on a transparent squid through another parent https proxy?

+1, have had the same problem.
Re: [squid-users] Re: HTTPS traffic in normal transparent proxy
2012/11/2 Markus :
> Ok, I understand but I thought that sslbump realizes it so that the encrypted data from the client will be decrypted and it will be encrypted before sending the request to the parent proxy (man-in-the-middle).
> This also should work with https, shouldn't it?
>
> Can I fix this issue for me? Security is not important, because I only use it for the market on my tablet which needs https and no proxy-support.

Well unless you installed the cert you are using for your MITM attack as a trusted CA on your client device you'll see the warning, that's kind of the point of SSL.

And with android (and chrome?) & google sites I think you'll see it even if you install it since they have a whitelist of CAs for google domains, this was afaik how the Iranian forged google certs were discovered (diginotar).

Regards,
Eli
Re: [squid-users] Re: HTTPS traffic in normal transparent proxy
On 11/1/2012 6:29 PM, Markus wrote:
> Is there a problem that the transparent https request will be routed via the parent proxy?
>
> Regards,
> Markus

There is a problem with security using a parent proxy since while you intercept the https connection you can't use the CONNECT method on a cache-peer as a reliable one, or at least that's what I remember.
If you think about what happens on a proxy connection to an ssl site you will understand it a bit.

Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il