On 6/12/2014 2:46 PM, Guy Helmer wrote:
On Jun 12, 2014, at 2:25 PM, Mike <mcsn...@afo.net> wrote:

On 6/12/2014 2:06 PM, Guy Helmer wrote:
On Jun 12, 2014, at 1:01 PM, Mike <mcsn...@afo.net> wrote:

I have been racking my brain trying to get this working and each time, it 
refuses to connect to secure sites. In the end we need a working squid proxy 
for SSL connections within the company network which will serve over 1000 users 
(thus the larger 8MB cert cache size). We already have the insecure HTTP proxy 
working fine (thus the use of port 3129 below).
Since it will be SSL based, I know it needs https_port (not http_port), 
ssl-bump, and intercept (required by ssl-bump). The https_port and ssl-bump 
documentation also mentioned the preference for sslflags (which may or may not 
be working in 3.HEAD) and cipher.

OS is Scientific Linux 6.5 (based on CentOS) fully up to date with yum. Server 
is quad core 3.4GHz, 8GB DDR3 with no other uses (like web server, etc).
SELinux has been set to permissive mode so it only reports, doesn't block the 
needed connections (although I also tested with it disabled and made no 
difference).
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

Essential squid.conf lines (I have tested it with and without the "sslflags", 
does not impact it working or not working):

https_port 3129 intercept ssl-bump connection-auth=off 
generate-host-certificates=on dynamic_cert_mem_cache_size=8MB 
cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key 
sslflags=DELAYED_AUTH 
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost

Local certs have been created and self signed, and the .der cert has been 
imported into the test browser (Firefox 30.0).

Squid info (includes the needed '--enable-ssl' '--enable-ssl-crtd' 
'--with-openssl'):

[root@localhost ~]# squid -v
Squid Cache: Version 3.HEAD-20140127-r13248
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' 
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' 
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--exec_prefix=/usr' 
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' 
'--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' 
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' 
'--enable-esi' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 
'--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

In the end testing with only the SSL proxy set to this server via port 3129, it tries 
loading the secure website for 2-3 minutes and then times out. Checking "top", 
it shows squid running at 12.1g VIRT, 2.0g RES, 54.5% of MEM (server has 8GB) and using 
100% of CPU2. The ../squid/access.log and cache_access.log show no new entries at all. 
We had to disable the cache.log (cache_log /dev/null) as it continuously recorded 
everything and quickly took up all the space on the 80GB hard drive.

So the question is what is going wrong that it is refusing to let ANY secure 
site load and how can we get this resolved?
We greatly appreciate any help on this.

Mike

If I understand correctly, you are attempting to use port 3129 as a forward 
proxy. If so, you shouldn’t need the “intercept” option on 3129, and you should 
change it to http_port since squid will be directly receiving HTTP “CONNECT” 
requests, not SSL connections.

Regards,
Guy

Guy,
According to 
http://www.squid-cache.org/Versions/v3/3.HEAD/cfgman/https_port.html it says:

https_port: The socket address where Squid will listen for client requests made 
over TLS or SSL connections.

Correct, but if you are configuring your browser to use this proxy for HTTPS, the 
browser will start its connection to the specified port with HTTP, not SSL -- the 
browser will initially send a plaintext "CONNECT xxx:443 HTTP/1.1” command, and 
then the browser will start using SSL. The plaintext HTTP command needs to be 
received at an http_port on the squid proxy, not https_port.

ssl-bump - blah blah "Requires tproxy or intercept."

Yes, because browsers can not be configured to do an SSL connection to the 
proxy - as I mention above, if you are configuring the browser, then the 
browser starts its HTTPS requests with a plaintext HTTP command before shifting 
to SSL. The only purpose for the https_port configuration parameter is to setup 
a port for a “transparent” interception proxy (in which the browser is NOT 
configured to talk to the proxy, but instead the proxy intercepts TCP 
connections).

I have tried it all 3 ways, both with and without those 2 modes, and at least with 
"intercept", it seems that squid is doing something by the i/o and squid 
activity, although the logs remain empty.
Also according to the same documentation, since this will be SSL proxy (not standard insecure HTTP proxy), 
"https_port" is required. Initially I did try it with "http_port" but it tries to treat 
CONNECT requests like a normal insecure http request causing sslcrtd to constantly crash, taking squid down 
with it. At least with "https_port 3129 intercept ssl-bump..." it doesn't crash and is the only 
time it shows i/o and squid activity, thus my request to the squid-users group.

Thank you,

Mike

If you are configuring your browser to use the proxy for SSL, you will need to 
use http_port with ssl-bump enabled. It does not make it a “standard insecure 
HTTP proxy” but enables forward proxy of HTTPS traffic. I would suggest that 
you install wireshark and capture the browser’s traffic to the proxy to verify 
how this works.

If squid then has trouble with the ssl_crtd helpers, that is another issue that 
requires resolution. The fact that squid does not crash when you are using 
https_port likely indicates that squid and your browser have a failure to 
communicate, and that is masking your ssl_crtd issue.

Hope this helps,
Guy

Guy,

Based on your mention (changing it to http_port), it will not work since it IMMEDIATELY crashes the sslcrtd helpers every single time (100% of the time within half a second of each request), and after 4 crashes in a short timeframe, it also stops the squid service and browser times out. I've already explored that avenue and the fix as mentioned by people on previous squid-user emails, and other websites with a working ssl-bump is using "https_port intercept ssl-bump...". So any other way to get this working either with http_port but stopping the ssl_crtd crashing immediately, or via https_port?

Mike
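Guy's point above (a browser that is configured to use a proxy opens the proxy port with a plaintext CONNECT and only then starts TLS, whereas an intercepted connection arrives as a TLS ClientHello) can be checked locally without Wireshark. The following is an added illustration, not Squid code or anything from the thread; the host name and the socketpair "browser"/"proxy" ends are constructed stand-ins.

```python
import socket
import ssl

def build_connect_request(host: str, port: int = 443) -> bytes:
    # Plaintext HTTP that a configured browser sends first to a forward proxy;
    # TLS starts only after the proxy answers "200 Connection established".
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def tls_client_hello(server_name: str) -> bytes:
    # Real ClientHello produced by OpenSSL in memory (no network): this is
    # what an *intercepted* connection looks like when it reaches the proxy.
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()          # no server reply yet, so it stops here
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def classify_first_bytes(data: bytes) -> str:
    # A TLS record begins with content type 0x16 (handshake), major version 0x03.
    if data.startswith(b"CONNECT "):
        return "http-connect"       # what an http_port forward proxy expects
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-clienthello"    # what https_port intercept expects
    return "unknown"

def first_bytes_seen_by_proxy(mode: str, host: str = "example.com") -> str:
    # Simulate the browser-to-proxy socket with a local socketpair (constructed;
    # nothing leaves the machine) and classify what the proxy side reads first.
    browser, proxy = socket.socketpair()
    try:
        if mode == "forward":
            browser.sendall(build_connect_request(host))
        elif mode == "intercept":
            browser.sendall(tls_client_hello(host))
        else:
            raise ValueError(f"unknown mode {mode!r}")
        return classify_first_bytes(proxy.recv(4096))
    finally:
        browser.close()
        proxy.close()

if __name__ == "__main__":
    for mode in ("forward", "intercept"):
        print(f"{mode:9s} -> proxy first sees {first_bytes_seen_by_proxy(mode)}")
```

The "forward" case is the one the thread's browser configuration produces, which is why its first bytes must land on an http_port (with ssl-bump) rather than an https_port.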
