Re: [squid-users] squid 3.2.0.17 + transparent + sslbump

2012-04-17 Thread Ahmed Talha Khan
 Hi

 I know this question has been asked before but I didn't quite comprehend the 
 answer.

 I have got squid working as an explicit SSL proxy using SSLbump with Dynamic 
 SSL certs.

 I have also managed to get it working as a transparent proxy.

 When I try the combination of the above 2 it doesn't seem to work.

 It seems to be rewriting my https requests to http. Also dynamic ssl certs 
 don't seem to be working. However squid definitely intercepts the request 
 so it seems like the NAT bit is fine.

I am not sure about the code in 3.2 but I faced a similar issue in
3.1.19 and I think the problem is still lurking in 3.2 as well. You
might want to look at
http://bugs.squid-cache.org/show_bug.cgi?id=2976. There is a
hard-coded value that causes all requests to be forcibly written to
http, even https.
You can reverse it via this patch:
http://bugs.squid-cache.org/attachment.cgi?id=2375



 When I browse a website that's listening on 443 only I get Zero Sized Reply 
 and when I browse a website that's listening on both 80/443 it works 
 sometimes but the certificate is wrong.

 This person seems to have it working

 http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/

 and I am pretty much copying his config.

 Here is my relevant config

 ---
 http_port 3128 transparent
 https_port 3129 transparent ssl-bump generate-host-certificates=on 
 dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
 http_port 8080 ssl-bump generate-host-certificates=on 
 dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem

 always_direct allow all
 ssl_bump allow all
 # the following two options are unsafe and not always necessary:
 sslproxy_cert_error allow all
 sslproxy_flags DONT_VERIFY_PEER
 ---

 Thanks

 Daniel





-- 
Regards,
-Ahmed Talha Khan


RE: [squid-users] squid 3.2.0.17 + transparent + sslbump

2012-04-17 Thread Daniel Niasoff
Thanks Ahmed,

That worked, well sort of anyway.

Squid is now successfully transparently intercepting SSL but as stated on the 
wiki, certificate rewrite doesn't work.

So I guess the only real solution is explicit proxy.

I tried to play around with WPAD + PAC but that is only useful when PCs are on 
a corporate network with centrally managed DNS/DHCP.

My clients are home users with their own broadband routers which manage their 
own DHCP.

So any ideas what I can do if I want to set up a proxy service for SSL with 
minimum effort required from users and no control of DHCP? 

Thanks

Daniel



Re: [squid-users] squid 3.2.0.17 + transparent + sslbump

2012-04-17 Thread Amos Jeffries

On 17/04/2012 10:16 p.m., Daniel Niasoff wrote:

Thanks Ahmed,

That worked, well sort of anyway.

Squid is now successfully transparently intercepting SSL but as stated on the 
wiki, certificate rewrite doesn't work.

So I guess the only real solution is explicit proxy.

I tried to play around with WPAD + PAC but that is only useful when PCs are on 
a corporate network with centrally managed DNS/DHCP.

My clients are home users with their own broadband routers which manage their 
own DHCP.

So any ideas what I can do if I want to set up a proxy service for SSL with 
minimum effort required from users and no control of DHCP?


You can publish the details of your proxy and PAC file, encouraging them 
to make use of it for faster Internet.


Amos
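
As an added illustration of the PAC approach Amos suggests (this is not code from the thread or from the Squid project): a minimal PAC script that sends web traffic to the explicit ssl-bump listener from Daniel's config (port 8080). The proxy hostname proxy.example.net, the bypass list and the helper functions are assumptions; real browsers supply isPlainHostName/dnsDomainIs themselves, the stand-ins here only let the logic run outside a browser.

```javascript
// Stand-ins for the PAC helper functions a browser provides (constructed
// here so the script can be exercised from Node; a browser ignores them).
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// The explicit ssl-bump port from the squid.conf posted in this thread.
// "proxy.example.net" is a placeholder for the published proxy address.
const PROXY = "PROXY proxy.example.net:8080";

// Constructed list: domains that must never be bumped (e.g. sites whose
// clients pin certificates would simply fail behind a bumping proxy).
const NO_BUMP = [".bank.example", ".pinned.example"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names, loopback and mDNS names never leave the LAN.
  if (isPlainHostName(host) || host === "localhost" ||
      dnsDomainIs(host, ".local")) {
    return "DIRECT";
  }

  // Only http and https are sent through Squid; other schemes go direct.
  const scheme = url.split(":")[0].toLowerCase();
  if (scheme !== "http" && scheme !== "https") return "DIRECT";

  // Hosts that cannot be bumped bypass the proxy entirely.
  for (let i = 0; i < NO_BUMP.length; i++) {
    if (dnsDomainIs(host, NO_BUMP[i])) return "DIRECT";
  }

  // Trailing "; DIRECT" fails open if the proxy is unreachable; drop it
  // if an outage should block browsing rather than bypass inspection.
  return PROXY + "; DIRECT";
}
```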


RE: [squid-users] squid 3.2.0.17 + transparent + sslbump

2012-04-17 Thread Daniel Niasoff
I suppose so.

Was hoping for a more magical solution that would just work.




RE: [squid-users] squid 3.2.0.17 + transparent + sslbump

2012-04-17 Thread Amos Jeffries

On 17.04.2012 22:26, Daniel Niasoff wrote:

I suppose so.

Was hoping for a more magical solution that would just work.


You are talking about a cross-ASN problem. Past the consumer CPE 
devices is a whole other network scope, which just happens to be 
(probably) single-homed through yours.


Government proxy farms and great firewall setups face the same 
problem with internal ISP networks. IETF HTTP WG is considering the 
problem, but there is nothing today which solves it magically.


Amos

