Re: [squid-users] Trusted CA Certificate with ssl_bump

Thu, 17 Nov 2016 09:49:31 -0800 

Hi Alex,

I followed the

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: Is there something bad there?

======================================
debug_options   ALL,1  33,2 28,9
http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key
cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP1 cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP2 

acl w3_semplixxxx dstdomain .semplixxxx.com
cache_peer_access SEMP1 allow w3_semplixxxx
cache_peer_access SEMP1 deny all

http_access allow w3_semplixxxx

=====================================

$ wget https://www.semplixxxx.com
--2016-11-17 19:34:49--  https://www.semplixxxx.com/
Résolution de www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
Connexion à www.semplitech.com (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connecté. 
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Incapable d'établir une connexion SSL.

Same error with the browser
=========================================
THis is what I have in access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE - ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE 

===========================================
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520 2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: id=0xf55ca8ed404 query ARP table 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: id=0xf55ca8ed404 query ARP on each interface (480 found) 2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface lo 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:1 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:2 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:3 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:4 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:5 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:6 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:7 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:8 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth3 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface virbr0 2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0 2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found 2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660 2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) clientProcessRequest: clientProcessRequest: Invalid Request 2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 0x78737acd23c0 checking fast ACLs 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking access_log daemon:/var/log/squid/access.log 2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking (access_log daemon:/var/log/squid/access.log line) 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1 2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1 2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished: 0x78737acd23c0 answer ALLOWED for match 2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0 2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0 2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520 2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520 

Thanks for help
Patrick

Le 16/11/2016 à 20:16, Patrick Chemla a écrit :
Many Thanks Alex. I will try in the next hours and let you if I am successful. 

Patrick


Le 16/11/2016 à 20:04, Alex Crow a écrit :


On 16/11/16 17:33, Patrick Chemla wrote:
Thanks for your answers, I am not doing anything illegal, I am trying to 
build a performant platform.

I have a big server running about 10 different websites.

I have on this server virtual machines, each specialized for one-some
websites, and squid help me to send the traffic to the destination
website on the internal VM according to the URL.

Some VMs are paired, so squid will loadbalance the traffic on group of
VMs according to the URL/acls.

All this works in HTTP, thanks to Amos advices few weeks ago.

Now, I need to set SSL traffic, and because the domains are different I
need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid working in SSL and never
succeed because of so many options, and this question: Does the traffic
between squid and the backend should be SSL? If yes, it's OK for me.
nothing illegal.
The second question: How to set up the SSL link on squid getting the SSL 
request and sending to the backend. Actually the backend can handle SSL
traffic, it's OK for me if I find the way to make squid handle the
traffic, according to the acls. squid must decrypt the request, compute
the acls, then re-crypt to send to the backend.
The reason I asked not to reencrypt is because of performances. All this 
is on the same server, from the host to the VMs and decrypt, the
reencrypt, then decrypt will be ressources consumming. But I can do it
like that.

Now, do you have any Howto, clear, that will help? I found many on
Google and not any gave me the solution working.

The other question is about Trusted Certificates. We have on the
websites trusted certificates. Should we use the same on the squid?

Thanks for appeciate help

Patrick



You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all the
certs you need.

See:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each domain and
set up multiple https_port with a different listening IP for each site.
If you have a wildcard cert, ie *.mydomain.com, follow it directly.

Here's a couple more:
http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy 

(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )

http://www.squid-cache.org/Doc/config/https_port/

That's as far as my knowledge goes on reverse in Squid, at my site we
use nginx.But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.

Alex
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to