Re: [squid-users] squid ssl transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 28 Feb 2014 13:44:43 +1300

On 28/02/2014 7:13 a.m., johnmccain_2_at_libero.it wrote:
> hi everyone,
>
> i hope someone can help me :) i have this problem:
>
> squid is running as a ssl transparent proxy, and at the moment it's receiving
> all the traffic with these two iptables rules:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
>
> so far no problem at all. everything works perfect ... but when i add any
> simple acl to block a ssl website, i get this browser's error: ssl connection
> error (ERR_SSL_PROTOCOL_ERROR)
>
> also, if i try to run squid with the line currently commented in the conf
> pasted below, i get a certificate error (domain mismatch) from the client.
>
> http_port 3128 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
> acl broken_sites dstdomain google.it
> ssl_bump none localnet
> ssl_bump none broken_sites
> #ssl_bump server-first all

That looks to me like you are not decrypting (bumping) anything at all
with this config.

If so, then any ACL will cause an HTTP plain-text response to go back
to TLS connection attempts. The browser will of course barf at that.

You can verify that with a simple test log:
  acl foo myportname 3130
  access_log stdio:/foo.log squid foo

 - it should log some requests going through with full URLs with visible
path portions (not the truncated ones).

You need to uncomment the "ssl_bump server-first allow all" line and
ensure that the bumping is working there before you can move on to use
ACLs to control the traffic much.

> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> (proxy_matrix-test_com.crt is signed by a recognized certification authority)

Is it a leaf certificate or a signing cert they approved?

There are some strict restrictions on CAs distributing anything other
than leaf certificates, and Squid requires a signing cert.

Amos
Received on Fri Feb 28 2014 - 00:44:53 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 28 2014 - 12:00:06 MST
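An added example (not code from this thread, from Amos, or from Squid itself) that makes both points of the reply checkable offline: first, an evaluator that walks the poster's ssl_bump rules the way Squid does (first rule whose ACLs all match wins, commented rules are ignored, no match means no decryption), run over the original excerpt and over an assumed corrected version; second, a classifier for the suggested per-port access log test that counts decrypted requests (full https:// URLs) against opaque CONNECT host:port entries. Assumptions: `localnet` is taken as 192.168.0.0/16 since the excerpt does not define it; the "fixed" config drops the `none localnet` rule and uncomments the server-first rule; only the `src` and `dstdomain` ACL types are implemented; the log lines are constructed, not captured from a real proxy.

```python
"""Check whether a Squid ssl-bump config decrypts anything, and whether the
access.log shows decrypted requests. Added example; localnet CIDR, the 'fixed'
config and the log lines are all assumptions, not data from the thread."""
import ipaddress
import re

# The poster's ssl_bump rules, with an assumed localnet definition.
ORIGINAL_CONF = """
acl localnet src 192.168.0.0/16
acl broken_sites dstdomain google.it
ssl_bump none localnet
ssl_bump none broken_sites
#ssl_bump server-first all
"""

# Assumed correction: exempt only broken_sites, then bump everything else.
FIXED_CONF = """
acl localnet src 192.168.0.0/16
acl broken_sites dstdomain google.it
ssl_bump none broken_sites
ssl_bump server-first all
"""


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            # repeated 'acl name type ...' lines append to the same ACL
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, dst_host):
    """Evaluate one ACL reference (supports '!' negation and the builtin 'all')."""
    if name == "all":
        return True
    negate = name.startswith("!")
    acl_type, values = acls[name.lstrip("!")]
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif acl_type == "dstdomain":
        # Squid semantics: 'example.com' matches only that host; '.example.com'
        # also matches subdomains. So 'dstdomain google.it' misses www.google.it.
        hit = any(dst_host == v or (v.startswith(".") and
                                    (dst_host == v[1:] or dst_host.endswith(v)))
                  for v in values)
    else:
        raise ValueError(f"ACL type {acl_type!r} not implemented in this example")
    return hit != negate


def evaluate_ssl_bump(conf_text, client_ip, dst_host):
    """Action Squid takes for this client/destination: first matching rule wins."""
    acls, rules = parse_conf(conf_text)
    for action, acl_names in rules:
        if all(acl_matches(acls, n, client_ip, dst_host) for n in acl_names):
            return action
    return "none"   # no rule matched: Squid tunnels the TLS bytes untouched


# Constructed access.log lines in Squid's native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1393542000.123    245 192.168.1.10 TCP_MISS/200 5123 GET https://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1393542000.987     90 192.168.1.10 TCP_MISS/200 812 GET https://www.example.com/style.css - HIER_DIRECT/93.184.216.34 text/css
1393542001.456     12 192.168.1.11 TCP_MISS/200 0 CONNECT 173.194.40.23:443 - HIER_DIRECT/173.194.40.23 -
garbage line that is not a log entry
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_access_log(lines):
    """Count decrypted (bumped) requests vs opaque CONNECT tunnels vs junk."""
    counts = {"bumped": 0, "tunneled": 0, "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        # A bumped request is logged with its full URL, scheme and path included;
        # an unbumped intercepted TLS flow shows up only as CONNECT host:port.
        if m["method"] != "CONNECT" and m["url"].startswith("https://"):
            counts["bumped"] += 1
        else:
            counts["tunneled"] += 1
    return counts


def bumping_is_active(lines):
    """True if at least one decrypted https request appears in the log sample."""
    return classify_access_log(lines)["bumped"] > 0


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        for host in ("www.example.com", "google.it", "www.google.it"):
            action = evaluate_ssl_bump(conf, "192.168.1.10", host)
            print(f"{label:8} 192.168.1.10 -> {host:16}: {action}")
    print(classify_access_log(SAMPLE_LOG), "bumping active:", bumping_is_active(SAMPLE_LOG))
```

Run against the original excerpt, every LAN client hits `ssl_bump none localnet` first, so nothing is ever decrypted and an `http_access` deny on the 443 port hands a plain-text error page to a TLS client. With the assumed correction, only the `broken_sites` destination is tunnelled. Note the `dstdomain` detail: the exact value `google.it` does not cover `www.google.it`; a leading dot is needed for subdomains. Point the classifier at the per-port log from the reply (`access_log stdio:/foo.log squid foo`) to confirm decrypted URLs are really appearing before layering ACLs on top.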