Hi, I'm currently trying to configure transparent SSL proxying and running into a strange error that has had me scratching my head for hours. I'm using Squid 4.11 (I also tried this with 4.12) with SSL support from here - http://squid411.diladele.com/ubuntu/ on Ubuntu 18.04.

I set up the necessary iptables forwarding ports and SSL certificates and it sometimes works (as you will see below). My current configuration adds just the following to the default squid.conf file:

    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    # include /etc/squid/conf.d/*

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet

    debug_options ALL,1 33,2 28,9

    http_port 3129 intercept
    https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
    sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

    acl whitelist ssl::server_name .httpbin.org
    acl whitelist_http ssl::server_name .httpbin.org

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3

    ssl_bump peek step1
    ssl_bump splice all

    http_access allow whitelist
    http_access allow whitelist_http

    # And finally deny all other access to this proxy
    http_access deny all

So the above configuration should allow anyone with access to the Squid proxy access to httpbin.org over both HTTP and HTTPS.

When I try to access http://httpbin.org (not SSL) it works.

When I try to access https://httpbin.org it fails as shown below (I'm running this on the Squid proxy machine itself):

    $ wget https://httpbin.org
    --2020-08-24 17:48:34--  https://httpbin.org/
    Resolving httpbin.org (httpbin.org)... 54.236.246.173, 3.220.112.94
    Connecting to httpbin.org (httpbin.org)|54.236.246.173|:443... connected.
    ERROR: cannot verify httpbin.org's certificate, issued by 'O=Internet Widgits Pty Ltd,ST=Some-State,C=AU':
      Self-signed certificate encountered.
    To connect to httpbin.org insecurely, use `--no-check-certificate'.

    $ wget https://httpbin.org --no-check-certificate
    --2020-08-24 17:48:40--  https://httpbin.org/
    Resolving httpbin.org (httpbin.org)... 3.220.112.94, 54.236.246.173
    Connecting to httpbin.org (httpbin.org)|3.220.112.94|:443... connected.
    WARNING: cannot verify httpbin.org's certificate, issued by 'O=Internet Widgits Pty Ltd,ST=Some-State,C=AU':
      Self-signed certificate encountered.
    HTTP request sent, awaiting response... 403 Forbidden
    2020-08-24 17:48:40 ERROR 403: Forbidden.

Looking at access.log shows:

    1598305800.974      2 192.168.123.214 TCP_DENIED/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -

for the first request (without the --no-check-certificate) and the following for the 2nd request (with the --no-check-certificate):

    1598305812.292      3 192.168.123.214 TCP_DENIED/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -
    1598305812.300      2 192.168.123.214 NONE/403 3795 GET https://httpbin.org/ - HIER_NONE/- text/html

Looking at cache.log shows:

    # cat /var/log/squid/cache.log | grep -i "28" | grep -i httpbin
    2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org
    2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org
    2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org
    2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org

so it never matches on httpbin.org.

Now, if I add the following line to my configuration:

    http_access allow localnet

right before the

    http_access deny all

line, it works and I see the following in access.log:

    1598305979.004      4 192.168.123.214 NONE/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -
    1598305980.016   1012 192.168.123.214 TCP_TUNNEL/200 15370 CONNECT httpbin.org:443 - ORIGINAL_DST/54.236.246.173 -

and I see the following in cache.log:

    # cat /var/log/squid/cache.log | grep -i "28" | grep -i httpbin
    2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org
    2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org
    2020/08/24 17:52:59.005 kid1| 28,3| RegexData.cc(43) match: checking 'httpbin.org:443'
    2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(42) match: checking 'httpbin.org'
    2020/08/24 17:52:59.005 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:httpbin.org <> .httpbin.org
    2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(47) match: 'httpbin.org' found

What's puzzling is why adding the 'allow localnet' line changes the ACL logic for .httpbin.org and why the original configuration does not work.

Any ideas?

Thanks

PS. I reproduced the exact same scenario on Ubuntu 20.04 with Squid 4.12
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
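The access.log and cache.log lines quoted in the post above can be parsed and classified mechanically, which makes the pattern easier to spot across a larger log. The Python below is an added example, not code from the post or from the Squid project. The regular expressions for Squid's native access.log format and for the ServerName.cc debug line, and all function names, are this example's own assumptions; the sample input is the log output quoted in the post. For each ssl::server_name comparison it records whether Squid compared the ACL domain against an IP literal (which a domain ACL can never match) or against a host name, and for each intercepted CONNECT whether it was denied before a tunnel was established or spliced.

```python
"""Classify ssl::server_name ACL checks and intercepted CONNECTs from Squid logs.

Added example, not from the original post or from Squid. The log formats
assumed here (native access.log, section-28 ServerName.cc debug line) are
taken from the lines quoted in the post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Native access.log: time elapsed client code/status bytes method url ident hier/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)
# Debug line written by ServerName.cc each time an ssl::server_name ACL is tested
COMPARE_RE = re.compile(r"aclHostDomainCompare: Match:(?P<subject>\S+) <> (?P<domain>\S+)$")


@dataclass
class AccessEntry:
    client: str
    code: str
    status: int
    method: str
    url: str
    hier: str
    peer: str


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one native-format access.log line; None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return AccessEntry(m["client"], m["code"], int(m["status"]), m["method"],
                       m["url"], m["hier"], m["peer"])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_of(url: str) -> str:
    """Host part of a CONNECT target (host:port) or of a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    hostport = url.split("/", 1)[0]
    if hostport.startswith("["):  # [v6-literal]:port
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def domain_matches(subject: str, domain: str) -> bool:
    """Squid-style domain ACL match: '.example.org' covers example.org and every
    subdomain; a value without the leading dot must match exactly."""
    s, d = subject.lower().rstrip("."), domain.lower()
    if d.startswith("."):
        return s == d[1:] or s.endswith(d)
    return s == d


def classify_compare(line: str) -> Optional[Dict[str, object]]:
    """Explain one aclHostDomainCompare debug line."""
    m = COMPARE_RE.search(line)
    if not m:
        return None
    subject, domain = m["subject"], m["domain"]
    ip_subject = is_ip_literal(subject)
    # A domain ACL compared against an IP literal cannot match, whatever the
    # domain: the only information the check had was a destination address.
    return {"subject": subject, "domain": domain, "ip_subject": ip_subject,
            "matched": False if ip_subject else domain_matches(subject, domain)}


def diagnose(access_lines: List[str], cache_lines: List[str]) -> List[str]:
    findings: List[str] = []
    for raw in access_lines:
        e = parse_access_line(raw)
        if e is None or e.method != "CONNECT":
            continue
        host = host_of(e.url)
        if e.code == "TCP_DENIED" and is_ip_literal(host):
            findings.append(f"CONNECT {host} denied by http_access with only an IP known; "
                            "a server_name allowlist cannot match here")
        elif e.code == "TCP_TUNNEL" and not is_ip_literal(host):
            findings.append(f"CONNECT {host} spliced (peer {e.peer})")
    ip_compares = [c for c in map(classify_compare, cache_lines) if c and c["ip_subject"]]
    if ip_compares:
        findings.append(f"{len(ip_compares)} server_name checks ran against an IP literal")
    return findings


# Sample input: log lines quoted in the post above.
ACCESS_LOG = [
    "1598305800.974 2 192.168.123.214 TCP_DENIED/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -",
    "1598305812.300 2 192.168.123.214 NONE/403 3795 GET https://httpbin.org/ - HIER_NONE/- text/html",
    "1598305979.004 4 192.168.123.214 NONE/200 0 CONNECT 54.236.246.173:443 - HIER_NONE/- -",
    "1598305980.016 1012 192.168.123.214 TCP_TUNNEL/200 15370 CONNECT httpbin.org:443 - ORIGINAL_DST/54.236.246.173 -",
]
CACHE_LOG = [
    "2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:54.236.246.173 <> .httpbin.org",
    "2020/08/24 17:52:59.005 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:httpbin.org <> .httpbin.org",
]

if __name__ == "__main__":
    for finding in diagnose(ACCESS_LOG, CACHE_LOG):
        print(finding)
```

Run over the post's own lines, the script separates the two runs cleanly: in the first run the only server_name comparisons are against 54.236.246.173 and the CONNECT for that address is denied, while in the second run a comparison against the name httpbin.org appears and the CONNECT is tunnelled. The classification is driven entirely by what the log shows Squid compared; it does not claim to know why only an address was available at that point.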