Re: [squid-users] transparent https question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Dec 2013 15:07:55 +1300

On 15/12/2013 7:20 a.m., Marcelo Barbudas wrote:
> Hi!
>
> I'm trying to get a transparent https proxy working with squid.
>
> My current flow is like this:
> 1) user makes request to my dns server for https://x.com
> 2) x.com is resolved to a server I control
> 3) the 443 port on the server I control redirects to squid.
>
> When I make the request squid shows the following message:
>
> The following error was encountered while trying to retrieve the URL:
> ://IP_OF_SERVER_I_CONTROL
> The system returned: (111) Connection refused
>
> I'm guessing squid isn't looking at the request header to figure out
> the proper host (why is it the ip and not https://x.com?)

On port 443 traffic the Host: header is buried inside the encryption. So
is the whole URL. Until the server contact has been established, certs
exchanged with the client and the first HTTP request received there is
no known Host header.

NP: the SSL cert domain name(s) can be a wildcard or a completely irrelevant
domain, so that is not reliable either.

This looks a bit like the server is not permitting your connection
attempt, the one that would otherwise give Squid the server cert and
details to pass to the client.
Is the server software running and listening on port 443 when this test
is made?

>
> I've attached my config below (debian defaults + ssl_bump).
>
> What am I doing wrong?
>
> My current config file is like this:
>
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all

You are testing from localhost? That is the only machine permitted
through this Squid. Although you did get Connection Refused instead of
403 Forbidden.

> https_port 9131 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/caCert.pem
> key=/etc/squid3/ssl/caKey.pem
> ssl_bump server-first all
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> always_direct allow all
>
> -M.
>

Amos
Received on Sun Dec 15 2013 - 02:08:01 MST
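The following is an added example, not code from the squid-users thread or from the Squid project, illustrating Amos's point: the first bytes of an intercepted port-443 connection are a TLS record, and the HTTP request line and Host header only exist inside the encrypted session, so a proxy that has not yet completed the handshake has nothing to build a URL from. It goes a little beyond the reply by also parsing the one plaintext hint a ClientHello can carry, the server_name (SNI) extension, which the thread does not discuss. The hostname, the hand-built ClientHello and the HTTP request bytes are all constructed for this example.

```python
"""Added example: what an intercepting proxy can learn about the intended
origin from the first bytes of a connection, before any TLS handshake.
All sample bytes below are constructed for this example."""
import re
import struct

HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data,
    not a real client capture). With server_name=None no extensions block is
    sent at all, which TLS permits."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # compression methods: null only
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def find_host_header(data):
    """Plaintext HTTP (port 80 style): the Host header is directly readable."""
    m = HOST_RE.search(data)
    return m.group(1).decode("ascii", "replace") if m else None


def extract_sni(data):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    Walks record header(5) -> handshake header(4) -> version(2) -> random(32)
    -> session_id -> cipher_suites -> compression -> extensions."""
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32
    sid_len = data[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = data[pos]
    pos += 1 + comp_len
    if pos + 2 > len(data):          # no extensions block at all
        return None
    ext_total = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0:            # server_name: 2-byte list length, then entries
            lp = pos + 2
            while lp + 3 <= pos + ext_len:
                name_type = data[lp]
                name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                if name_type == 0:
                    return data[lp + 3:lp + 3 + name_len].decode("ascii", "replace")
                lp += 3 + name_len
        pos += ext_len
    return None


def classify_intercepted(data):
    """(kind, origin hint) for the first bytes seen on an intercepted socket.
    Only plaintext HTTP yields a Host header; TLS yields at most an SNI name,
    which is a client-chosen hint, not the authoritative request host."""
    host = find_host_header(data)
    if host is not None:
        return ("plaintext-http", host)
    sni = extract_sni(data)
    if sni is not None:
        return ("tls-sni", sni)
    if data[:1] == b"\x16":
        return ("tls-no-sni", None)
    return ("unknown", None)


# Constructed sample inputs: a port-80 request and a port-443 ClientHello.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = build_client_hello("example.test")
TLS_HELLO_NO_SNI = build_client_hello()

if __name__ == "__main__":
    for label, sample in (("port 80", HTTP_REQUEST), ("port 443", TLS_HELLO),
                          ("port 443, no SNI", TLS_HELLO_NO_SNI)):
        print(label, classify_intercepted(sample))
```

Running it shows the plaintext request yielding its Host header, the ClientHello yielding only an SNI name and no Host header, and a ClientHello without SNI yielding nothing at all; in that last case the proxy has only the destination IP it intercepted, which is why the error page in the thread names an IP rather than https://x.com.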
