Re: [squid-users] squid ssl transparent proxy
On 28/02/2014 7:13 a.m., johnmccai...@libero.it wrote:
> hi everyone,
>
> i hope someone can help me :) i have this problem:
>
> squid is running as an ssl transparent proxy, and at the moment it's receiving
> all the traffic with these two iptables rules:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
>
> so far no problem at all. everything works perfectly ... but when i add any
> simple acl to block an ssl website, i get this browser error: ssl connection
> error (ERR_SSL_PROTOCOL_ERROR)
>
> also, if i try to run squid with the line currently commented in the conf
> pasted below, i get a certificate error (domain mismatch) from the client.
>
> http_port 3128 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
> acl broken_sites dstdomain google.it
> ssl_bump none localnet
> ssl_bump none broken_sites
> #ssl_bump server-first all

That looks to me like you are not decrypting (bumping) anything at all with this config. If so, then any ACL will be causing an HTTP plain-text response to go back to TLS connection attempts. The browser will of course barf at that.

You can verify that with a simple test log:

  acl foo myportname 3130
  access_log stdio:/foo.log squid foo

- it should log some requests going through with full URLs with visible path portions (not the truncated ones).

You need to uncomment the "ssl_bump server-first allow all" line and ensure that the bumping is working there before you can move on to use ACLs to control the traffic much.

> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> (proxy_matrix-test_com.crt is signed by a recognized certification authority)

Is it a leaf certificate or a signing cert they approved? There are some strict restrictions on CAs distributing anything other than leaf certificates, and Squid requires a signing cert.

Amos
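As an added example (not code from Amos, the poster, or the Squid project), here is a small Python checker for the test log Amos suggests. It reads lines in Squid's default "squid" log format and reports whether each request was decrypted (logged with its real method and a full `https://` URL whose path is visible) or merely tunneled (logged as `CONNECT host:port`, where an ACL can see nothing beyond the host and port). The log lines are constructed samples using documentation-range addresses; the only assumption is Squid's default log field order.

```python
"""Check a Squid access.log for evidence that SSL bumping is actually happening.

Added example, not from the squid-users thread. The sample log lines below are
constructed, with documentation-range (192.0.2.x) addresses.
"""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Squid's default "squid" logformat:
#   time elapsed client result/status bytes method URL rfc931 hierarchy/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: one undecrypted tunnel, one bumped request, one plain
# HTTP request and one junk line.
SAMPLE_LOG = """\
1393538205.123     45 192.0.2.10 TCP_MISS/200 1234 CONNECT www.google.it:443 - HIER_DIRECT/192.0.2.20 -
1393538206.456    120 192.0.2.10 TCP_MISS/200 5678 GET https://www.google.it/search?q=squid - HIER_DIRECT/192.0.2.20 text/html
1393538207.789     30 192.0.2.11 TCP_MISS/200 910 GET http://example.com/index.html - HIER_DIRECT/192.0.2.21 text/html
this line is not a squid log entry
"""


def classify(line):
    """Return 'bumped', 'tunneled', 'plain' or None (unparseable) for one line."""
    m = _LINE.match(line)
    if not m:
        return None
    method, url = m.group("method"), m.group("url")
    # A connection Squid did not decrypt is logged as CONNECT host:port:
    # no scheme, no path, so an ACL can only match on the host and port.
    if method == "CONNECT" or "://" not in url:
        return "tunneled"
    scheme = urlsplit(url).scheme
    if scheme == "http":
        return "plain"
    # A decrypted (bumped) request shows its real method and a full https://
    # URL with a visible path, which is what Amos's test log should contain.
    if scheme == "https":
        return "bumped"
    return "tunneled"


def summarize(lines):
    """Count request categories over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        counts[classify(line) or "unparsed"] += 1
    return counts


def bumping_works(lines):
    """True if at least one decrypted HTTPS request appears in the log."""
    return summarize(lines)["bumped"] > 0


if __name__ == "__main__":
    # Usage: python check_bump.py /foo.log   (falls back to the sample log)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    print(dict(summarize(log_lines)))
    print("bumping works" if bumping_works(log_lines) else "nothing decrypted: only tunnels")
```

If the port-3130 log shows only `CONNECT host:443` entries, nothing is being bumped, and a deny on that port can only be answered with a plain HTTP error page inside what the client expects to be a TLS handshake.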
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
On 10/18/2013 04:59 AM, Larry Zhao wrote:
> Hi, Eliezer,
>
> Yes, my problem to solve is only to proxy to this specific host, no other subdomains need considering.

Well it depends...
If you want to intercept only one DOMAIN or one tree of domains you need to issue different certificates or a mimic of a certificate.
Also you need the clients to accept certificates from your own server.
It's not that simple, just note that..

> And to be honest, I am new to this part, from what I could get from the page you mentioned, I need to use ssl-bump? Am I right?

If you have one combined key\pem file of both the private key and the certificate you can use only the cert part..
take a small peek at:
https://workaround.org/certificate-authority

I will continue with it later.

Eliezer

> --
>
> Cheers ~
>
> Larry
>
> On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru wrote:
>> Hey,
>>
>> Only to this specific host or also all the subdomains etc..
>> It differs a bit..
>> A small look at this wiki:
>> http://wiki.squid-cache.org/Features/MimicSslServerCert
>>
>> Will clarify some doubts and situations in which you might see some problem.
>>
>> Eliezer
>>
>> On 10/17/2013 06:44 PM, Larry Zhao wrote:
>>> Hi, Guys,
>>>
>>> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>>>
>>> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>>>
>>> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>>
>>> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>>>
>>> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>>>
>>> But when I try it in my rails application, I got:
>>>
>>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>>
>>> And I also tried with openssl in cli:
>>>
>>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>>
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>> Where did I do wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
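As an added example (not code from the thread or from Squid), here is a standard-library Python probe for the symptom Larry reports. OpenSSL's "unknown protocol" on "read server hello" means the bytes that came back were not a TLS record, which is exactly what happens when a `http_port` listener (or, in the other thread on this page, a Squid error page) answers a ClientHello with plain-text HTTP. The script builds a real ClientHello through an in-memory BIO, so no network is needed to construct it, then classifies whatever a server returns. The reply byte strings in the test are constructed samples; `probe()` is the only function that touches the network.

```python
"""Tell a plain-text HTTP listener apart from a TLS listener by what it sends
back to a TLS ClientHello.

Added example, not from the squid-users thread. Standard library only.
"""
import socket
import ssl
import sys

TLS_HANDSHAKE = 0x16  # record content type: handshake (a ServerHello)
TLS_ALERT = 0x15      # record content type: alert (TLS, but our hello was refused)


def build_client_hello(server_name):
    """Return the ClientHello bytes OpenSSL would send for server_name.

    An in-memory BIO pair lets OpenSSL run the first handshake step without a
    socket: do_handshake() writes the ClientHello into `outgoing` and then
    raises SSLWantReadError because no ServerHello has arrived yet.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is waiting for the server's reply
    return outgoing.read()


def classify_reply(data):
    """Classify the first bytes a server returned after our ClientHello."""
    if not data:
        return "closed"
    # Every TLS record starts with a content type byte and a 0x03xx version.
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls-handshake"   # the port speaks TLS and answered with a ServerHello
    if len(data) >= 3 and data[0] == TLS_ALERT and data[1] == 0x03:
        return "tls-alert"       # the port speaks TLS but rejected our hello
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP response where a ServerHello was expected
    return "unknown"


def probe(host, port, timeout=5.0):
    """Send a ClientHello to host:port and classify the reply (network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_reply(reply)


if __name__ == "__main__":
    # Usage: python tls_probe.py www.googleapis.com 443
    target_host = sys.argv[1] if len(sys.argv) > 1 else "www.googleapis.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target_host, target_port, probe(target_host, target_port))
```

A `plaintext-http` result from a port that is supposed to terminate TLS is the machine-readable form of `SSL_connect:error in SSLv2/v3 read server hello A`: the listener is answering in HTTP, so the fix is on the server side (here, using `https_port` rather than `http_port`), not in the client.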
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Based on more general experience - sorry, no specific Squid expertise to help - that line stood out to me. The cert entry should reference a .cer/crt file (in PEM format). The use of a CSR is wrong.

--bill

> On Oct 17, 2013, at 9:25 AM, Larry Zhao wrote:
>
> Hi, Bill
>
> Thanks a lot for helping.
>
> if what you mean is here:
> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>
> Yes I am sure that's a csr file at that location.
> --
>
> Cheers ~
>
> Larry
>
>> On Fri, Oct 18, 2013 at 12:00 AM, Bill Houle wrote:
>> Did you really point the Cert to the CSR (CertReq file), or is that a typo?
>>
>> --bill
>>
>>> On Oct 17, 2013, at 8:45 AM, Larry Zhao wrote:
>>>
>>> Hi, Guys,
>>>
>>> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>>>
>>> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>>>
>>> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>>
>>> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>>>
>>> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>>>
>>> But when I try it in my rails application, I got:
>>>
>>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>>
>>> And I also tried with openssl in cli:
>>>
>>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>>
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>> Where did I do wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Hi, Guys,

I found my problem: the problem is I should use the directive https_port instead of http_port for port 443.

After I changed the config in squid.conf to

https_port 443 cert=/home/larry/ssl/server.crt key=/home/larry/ssl/server.key ssl-bump transparent

I restarted squid and found this in the log:

(ssl_crtd): Uninitialized SSL certificate database directory: /opt/squid3/var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /opt/squid3/var/lib/ssl_db".

So I go and run that command:

sudo -u proxy ./ssl_crtd -c -s /opt/squid3/var/lib/ssl_db

but it results in error:

Initialization SSL db...
./ssl_crtd: Cannot create /opt/squid3/var/lib/ssl_db

I can't find further information on why this failed... need help..

--

Cheers ~

Larry

On Fri, Oct 18, 2013 at 9:59 AM, Larry Zhao wrote:
> Hi, Eliezer,
>
> Yes, my problem to solve is only to proxy to this specific host, no other subdomains need considering.
>
> And to be honest, I am new to this part, from what I could get from the page you mentioned, I need to use ssl-bump? Am I right?
> --
>
> Cheers ~
>
> Larry
>
>
> On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru wrote:
>> Hey,
>>
>> Only to this specific host or also all the subdomains etc..
>> It differs a bit..
>> A small look at this wiki:
>> http://wiki.squid-cache.org/Features/MimicSslServerCert
>>
>> Will clarify some doubts and situations in which you might see some problem.
>>
>> Eliezer
>>
>>
>> On 10/17/2013 06:44 PM, Larry Zhao wrote:
>>>
>>> Hi, Guys,
>>>
>>> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>>>
>>> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>>>
>>> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>>
>>> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>>>
>>> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>>>
>>> But when I try it in my rails application, I got:
>>>
>>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>>
>>> And I also tried with openssl in cli:
>>>
>>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>>
>>> SSL_connect:before/connect initialization
>>> SSL_connect:SSLv2/v3 write client hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>
>>> Where did I do wrong?
>>>
>>> --
>>>
>>> Cheers ~
>>>
>>> Larry
>>>
>>
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Hi, Eliezer,

Yes, my problem to solve is only to proxy to this specific host, no other subdomains need considering.

And to be honest, I am new to this part, from what I could get from the page you mentioned, I need to use ssl-bump? Am I right?

--

Cheers ~

Larry

On Fri, Oct 18, 2013 at 2:48 AM, Eliezer Croitoru wrote:
> Hey,
>
> Only to this specific host or also all the subdomains etc..
> It differs a bit..
> A small look at this wiki:
> http://wiki.squid-cache.org/Features/MimicSslServerCert
>
> Will clarify some doubts and situations in which you might see some problem.
>
> Eliezer
>
>
> On 10/17/2013 06:44 PM, Larry Zhao wrote:
>>
>> Hi, Guys,
>>
>> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>>
>> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>>
>> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>
>> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>>
>> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>>
>> But when I try it in my rails application, I got:
>>
>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> And I also tried with openssl in cli:
>>
>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>
>> SSL_connect:before/connect initialization
>> SSL_connect:SSLv2/v3 write client hello A
>> SSL_connect:error in SSLv2/v3 read server hello A
>> SSL_connect:error in SSLv2/v3 read server hello A
>>
>> Where did I do wrong?
>>
>> --
>>
>> Cheers ~
>>
>> Larry
>>
>
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Hey,

Only to this specific host or also all the subdomains etc..
It differs a bit..
A small look at this wiki:
http://wiki.squid-cache.org/Features/MimicSslServerCert

Will clarify some doubts and situations in which you might see some problem.

Eliezer

On 10/17/2013 06:44 PM, Larry Zhao wrote:
> Hi, Guys,
>
> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>
> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>
> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>
> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>
> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>
> But when I try it in my rails application, I got:
>
> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> And I also tried with openssl in cli:
>
> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:error in SSLv2/v3 read server hello A
> SSL_connect:error in SSLv2/v3 read server hello A
>
> Where did I do wrong?
>
> --
>
> Cheers ~
>
> Larry
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Hi, Bill

Thanks a lot for helping.

if what you mean is here:
http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key

Yes I am sure that's a csr file at that location.

--

Cheers ~

Larry

On Fri, Oct 18, 2013 at 12:00 AM, Bill Houle wrote:
> Did you really point the Cert to the CSR (CertReq file), or is that a typo?
>
> --bill
>
>
>> On Oct 17, 2013, at 8:45 AM, Larry Zhao wrote:
>>
>> Hi, Guys,
>>
>> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>>
>> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>>
>> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>>
>> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>>
>> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>>
>> But when I try it in my rails application, I got:
>>
>> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> And I also tried with openssl in cli:
>>
>> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>>
>> SSL_connect:before/connect initialization
>> SSL_connect:SSLv2/v3 write client hello A
>> SSL_connect:error in SSLv2/v3 read server hello A
>> SSL_connect:error in SSLv2/v3 read server hello A
>>
>> Where did I do wrong?
>>
>> --
>>
>> Cheers ~
>>
>> Larry
Re: [squid-users] Squid SSL transparent proxy - SSL_connect:error in SSLv2/v3 read server hello A
Did you really point the Cert to the CSR (CertReq file), or is that a typo?

--bill

> On Oct 17, 2013, at 8:45 AM, Larry Zhao wrote:
>
> Hi, Guys,
>
> I am trying to set up a SSL proxy for one of my internal servers to visit `https://www.googleapis.com` using Squid, to make my Rails application on that server reach `googleapis.com` via the proxy.
>
> I am new to this, so my approach is to set up a SSL transparent proxy with Squid. I built `Squid 3.3` on Ubuntu 12.04, generated a pair of ssl key and crt, and configured squid like this:
>
> http_port 443 transparent cert=/home/larry/ssl/server.csr key=/home/larry/ssl/server.key
>
> And left almost all other configurations default. The authorization of the dir that holds key/crt is `drwxrwxr-x 2 proxy proxy 4096 Oct 17 15:45 ssl`
>
> Back on my dev laptop, I put ` www.googleapis.com` in my `/etc/hosts` to make the call go to my proxy server.
>
> But when I try it in my rails application, I got:
>
> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> And I also tried with openssl in cli:
>
> openssl s_client -state -nbio -connect www.googleapis.com:443 2>&1 | grep "^SSL"
>
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:error in SSLv2/v3 read server hello A
> SSL_connect:error in SSLv2/v3 read server hello A
>
> Where did I do wrong?
>
> --
>
> Cheers ~
>
> Larry