[squid-users] SSL-bump DNS lookup issue

From: Darren Breeze <darrenjbreeze_at_netvigator.com>
Date: Mon, 10 Feb 2014 05:36:16 +0800

Hi

I am trying to build a Squid that runs ssl_bump and ICAP to allow me to
write a keyword filter for the kids that will cover SSL pages.

I have ssl_bump working, and my ICAP client is also happily talking to Squid.

For testing, I currently have ICAP disabled and am just focusing on the
ssl_bump functions.

I have built squid as follows:

Squid Cache: Version 3.4.3
configure options: '--prefix=/usr' '--includedir=/usr/include'
'--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid3'
'--localstatedir=/var' '--sysconfdir=/etc/squid3' '--disable-snmp'
'--enable-delay-pools' '--enable-ssl' '--enable-ssl-crtd'
'--enable-linux-netfilter' '--enable-eui' '--enable-icap-client'
'--enable-gnuregex'

and set up the conf file as shown at the end of the message.

When I use the proxy and go to http://news.google.com

everything is fine and it all works OK.

When I go to https://news.google.com

some elements (mainly graphics and thumbnails) fail to load and I get log
entries like this:

2014/02/08 23:27:55.237| url.cc(386) urlParse: urlParse: Split URL
'ssl.gstatic.com:443' into proto='', host='ssl.gstatic.com', port='443',
path=''
2014/02/08 23:27:55.237| HttpHeader.cc(407) HttpHeader: init-ing hdr:
0x9908538 owner: 2
2014/02/08 23:27:55.237| HttpRequest.cc(70) HttpRequest: constructed,
this=0x9908528 id=56
2014/02/08 23:27:55.237| Address.cc(369) lookupHostIP: Given Non-IP
'ssl.gstatic.com': Name or service not known
2014/02/08 23:27:55.237| HttpHeader.cc(557) parse: parsing hdr: (0x9908538)
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:25.0) Gecko/20100101
Firefox/25.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: ssl.gstatic.com

If I do a lookup on ssl.gstatic.com, my local DNS (dnsmasq on the Squid
host) returns a valid address straight away.

It also fails on

2014/02/08 23:27:54.623| peer_select.cc(265) peerSelectDnsPaths: Find IP
destination for: news.google.com:443' via news.google.com
2014/02/08 23:27:54.623| ipcache.cc(647) ipcache_nbgethostbyname:
ipcache_nbgethostbyname: Name 'news.google.com'.
2014/02/08 23:27:54.623| Address.cc(369) lookupHostIP: Given Non-IP
'news.google.com': Name or service not known
2014/02/08 23:27:54.623| ipcache.cc(695) ipcache_nbgethostbyname:
ipcache_nbgethostbyname: MISS for 'news.google.com'

And this is odd because it loads the page in the first place.

I have also tried a build with --disable-internal-dns and get the same
result (but I still use the local dnsmasq).

Does this hit any chords with anyone?

Thanks in advance.

Darren Breeze

=========================== squid conf ==========================

acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

minimum_object_size 0 KB
maximum_object_size 16 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

#http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
reply_header_access Alternate-Protocol deny all

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid3/ssl_cert/myCA.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options ALL
sslproxy_cert_adapt setCommonName
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 10

icap_enable off
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable off
# icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1345/outbound
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1345/inbound
adaptation_access service_resp allow all

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
icap_log /var/log/squid3/icap.log
# cache_store_log /var/log/squid/store.log
# pid_filename /var/run/squid.pid
coredump_dir /var/cache/squid
cache_effective_user squid
cache_effective_group squid
debug_options ALL,1 93,9 94,9
dns_nameservers 127.0.0.1
#dns_nameservers 8.8.8.8 8.8.4.4
Received on Mon Feb 10 2014 - 02:52:25 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 11 2014 - 12:00:08 MST
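Editor's note and added example, not part of Darren's message or of the Squid project's documentation: two directives in the posted configuration, `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`, make Squid accept any certificate the origin server presents (expired, self-signed, wrong hostname) and then re-sign it with myCA.pem, so the browsers behind the proxy see a trusted certificate for a site Squid never verified. This is separate from the DNS question in the thread, but it is the first thing a reviewer would change before putting a bumping proxy in front of children. The fragment below places the posted lines beside a verifying alternative using Squid 3.4 directives; the CA bundle path is an assumption for a Debian-style host and must be adjusted to wherever the system keeps its trust store.

```conf
# --- As posted (weak): never verify the origin server, and bump anyway on errors.
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all

# --- Verifying alternative (added example, not the poster's config).
# Trust store used to validate origin-server chains. Path is an assumption
# for a Debian-style host; use the distribution's bundle or a curated one.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

# No sslproxy_flags line: leaving out DONT_VERIFY_PEER is what turns
# peer verification on.

# Refuse to bump a server whose certificate fails verification. The client
# then gets a Squid error page rather than a freshly minted, browser-trusted
# certificate for a site that did not pass validation.
sslproxy_cert_error deny all

# Unchanged from the posted config, kept here for context. The cert= file
# also holds the signing CA's private key (no separate key= is given), so it
# should be owned by cache_effective_user and readable by nobody else.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid3/ssl_cert/myCA.pem
ssl_bump server-first all
```

With `server-first` bumping, Squid connects to the origin before generating the client-facing certificate, so the verification above happens before the kids' browser ever sees a padlock; a site that fails it is blocked rather than laundered through the local CA. If a few internal hosts with self-signed certificates must still work, scope the exception with an ACL on `sslproxy_cert_error` instead of reverting to `allow all`.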