[squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Thu, 23 Feb 2017 22:59:44 -0800 

Hi,
Sorry I am asking this question again. I am trying to setup HTTPS
proxy using ssl-bump. I have followed
steps mentioned in:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Following are Squid setup details:

Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat
-Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid'
'--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--with-openssl'
'--enable-ssl-crtd' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'
'--enable-build-info=Ubuntu linux' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security'


Following is my squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \
dhparams=/etc/squid/ssl_cert/dhparam.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern . 0 20% 4320


I get no errors while starting Squid. Following are the logs when Squid starts:

2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for
x86_64-pc-linux-gnu...
2017/02/23 09:59:53 kid1| Service Name: squid
2017/02/23 09:59:53 kid1| Process ID 26236
2017/02/23 09:59:53 kid1| Process Roles: worker
2017/02/23 09:59:53 kid1| With 65535 file descriptors available
2017/02/23 09:59:53 kid1| Initializing IP Cache...
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit:
idnsInit: attempt open DNS socket to: [::]
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit:
idnsInit: attempt open DNS socket to: 0.0.0.0
2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6
2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321)
idnsAddNameserver: idnsAddNameserver: Added nameserver #0
(172.31.0.2:53)
2017/02/23 09:59:53.756 kid1| Adding domain
ap-south-1.compute.internal from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350)
idnsAddPathComponent: idnsAddPathComponent: Added domain #0:
ap-south-1.compute.internal
2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32
'ssl_crtd' processes
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize:
urlInitialize: Initializing...
2017/02/23 09:59:53.779 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
2017/02/23 09:59:53.779 kid1| Store logging disabled
2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated
20164 objects
2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008
2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets
2017/02/23 09:59:53.779 kid1| Max Mem  size: 262144 KB
2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB
2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection
2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 
'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/image.png'
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 
'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/page_white_text.png'

****several urlParse logs like above. Removing them to shorten the
email. Further logs below...****

2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.
2017/02/23 09:59:53.815 kid1| HTCP Disabled.
2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25
2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0
2017/02/23 09:59:53.815 kid1| Adaptation support is off.
2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket
connections at local=[::]:3128 remote=[::] FD 22 flags=9
2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped
HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41
2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...
2017/02/23 09:59:53| pinger: ICMP socket opened.
2017/02/23 09:59:53| pinger: ICMPv6 socket opened
2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects



I tested this setup by providing proxy details to Firefox. Firefox was
able to show HTTP websites but when I tried to open an HTTPS website I
got following error:

2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD
7 flags=33

I googled this error and found this mail thread which had similar problems:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html

I found this link from the above thread. I modified the steps for
HTTPS from the below link:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Now my sysctl.conf is:

net.ipv4.conf.all.rp_filter=0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

My iptables -t nat -L result:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  ec2-35-154-101-8.ap-south-1.compute.amazonaws.com
anywhere             tcp dpt:https
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:https to:35.154.101.8:3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Once this was done, I tried to hit HTTPS website from Firefox and now
I get connection timeout error. Nothing shows in syslog, access.log or
cache.log. Could you please help me resolve this.

Thanks,
Michael
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to