About intercept https


About intercept https

Yurii
Hi to all. I need help.
The task is to configure squid in intercept mode to proxy http/https
traffic.

Installed Squid 4.10 (configuration: https://pastebin.com/Gg2VPr0v) Ubuntu
18.04. Redirect traffic from Mikrotik to Ubuntu (ip firewall mangle & ip
route: https://pastebin.com/5UrNcsEc), and there 80, 443 traffic to Squid
3129, 3130 (iptables: https://pastebin.com/kXxy8zHb).

Squid uses the same DNS servers as the client machines. In squid.conf: dns_v4_first
on. DNS lookup time in access.log: https://pastebin.com/zdwHjRHk

The problem is that http/https pages load slowly. With https the browser sits at
"Creating a secure connection", with http at "Waiting...", and so on for 5-10
seconds.
Please tell me what is wrong.

Squid.conf is here: https://pastebin.com/MX5mNi5q
Localnet: 10.3.198.0/24
Mikrotik: 10.3.198.254
Squid: 10.3.198.224



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: About intercept https

Antony Stone
On Tuesday 25 February 2020 at 20:49:25, Yurii wrote:

> Hi to all. I need help.
> The task is to configure squid in intercept mode to proxy http/https
> traffic.

I cannot view any of the pastebin links you provide below.

Please just cut and paste the information into an email reply, so we can read
it here and then hopefully advise you.

> Installed Squid 4.10 (configuration: https://pastebin.com/Gg2VPr0v) Ubuntu
> 18.04. Redirect traffic from Mikrotik to Ubuntu (ip firewall mangle & ip
> route: https://pastebin.com/5UrNcsEc), and there 80, 443 traffic to Squid
> 3129, 3130 (iptables: https://pastebin.com/kXxy8zHb).
>
> Squid uses the same DNS servers as the client machines. In squid.conf: dns_v4_first
> on. DNS lookup time in access.log: https://pastebin.com/zdwHjRHk
>
> The problem is that http/https pages load slowly. With https the browser sits at
> "Creating a secure connection", with http at "Waiting...", and so on for 5-10
> seconds.
> Please tell me what is wrong.
>
> Squid.conf is here: https://pastebin.com/MX5mNi5q
> Localnet: 10.3.198.0/24
> Mikrotik: 10.3.198.254
> Squid: 10.3.198.224

Regards,


Antony.

--
Numerous psychological studies over the years have demonstrated that the
majority of people genuinely believe they are not like the majority of people.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: About intercept https

Yurii
Squid configuration:
Squid Cache: Version 4.10
Service Name: squid
 
This binary uses OpenSSL 1.1.1  11 Sep 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
 
configure options:  '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline'
'--disable-arch-native' '--disable-ipv6' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-ssl'
'--enable-ssl-crtd' '--with-openssl' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'

ip firewall mangle & route on Mikrotik:
/ip firewall mangle
add chain=prerouting src-address=10.3.198.0/24 dst-port=80 protocol=tcp action=mark-routing new-routing-mark=to_squid
add chain=prerouting src-address=10.3.198.0/24 dst-port=443 protocol=tcp action=mark-routing new-routing-mark=to_squid
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.3.198.224 routing-mark=to_squid scope=30 target-scope=10

iptables on Ubuntu:
# redirect HTTP to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 80 -j REDIRECT --to-ports 3129
# redirect HTTPS to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 443 -j REDIRECT --to-ports 3130

access.log:
1581426261.762   7924 10.3.198.8 TCP_TUNNEL/200 4602 CONNECT facebook.com:443 - ORIGINAL_DST/facebook.com - DNS lookup 1  splice facebook.com
1581426261.762   2598 10.3.198.8 TCP_TUNNEL/200 105429 CONNECT www.softserveinc.com:443 - ORIGINAL_DST/www.softserveinc.com - DNS lookup -  splice www.softserveinc.com
1581426262.495   2073 10.3.198.8 NONE/200 0 CONNECT 185.60.216.35:443 - HIER_NONE/- - DNS lookup -  splice www.facebook.com
1581426264.059   2101 10.3.198.8 NONE/200 0 CONNECT 185.60.216.19:443 - HIER_NONE/- - DNS lookup -  splice static.xx.fbcdn.net
1581426267.809     22 10.3.198.8 NONE/200 0 CONNECT 104.17.212.204:443 - HIER_NONE/- - DNS lookup 22  splice js.hs-scripts.com
1581426269.372   2037 10.3.198.8 NONE/200 0 CONNECT 185.60.216.35:443 - HIER_NONE/- - DNS lookup -  splice www.facebook.com
1581426269.376   2041 10.3.198.8 NONE/200 0 CONNECT 152.199.19.161:443 - HIER_NONE/- - DNS lookup -  splice cdn-cws-prod.azureedge.net
1581426270.172   2069 10.3.198.8 NONE/200 0 CONNECT 185.60.216.19:443 - HIER_NONE/- - DNS lookup -  splice connect.facebook.net
1581426270.206   2103 10.3.198.8 NONE/200 0 CONNECT 216.58.215.78:443 - HIER_NONE/- - DNS lookup -  splice www.google-analytics.com
1581426270.213   2109 10.3.198.8 NONE/200 0 CONNECT 185.63.144.5:443 - HIER_NONE/- - DNS lookup 1  splice px.ads.linkedin.com
1581426270.219   2116 10.3.198.8 NONE/200 0 CONNECT 216.58.215.98:443 - HIER_NONE/- - DNS lookup -  splice googleads.g.doubleclick.net
1581426271.763   7703 10.3.198.8 TCP_TUNNEL/200 443 CONNECT static.xx.fbcdn.net:443 - ORIGINAL_DST/static.xx.fbcdn.net - DNS lookup -  splice static.xx.fbcdn.net
1581426271.763   2391 10.3.198.8 TCP_TUNNEL/200 3393 CONNECT www.facebook.com:443 - ORIGINAL_DST/www.facebook.com - DNS lookup -  splice www.facebook.com
1581426271.763   1544 10.3.198.8 TCP_TUNNEL/200 2891 CONNECT googleads.g.doubleclick.net:443 - ORIGINAL_DST/googleads.g.doubleclick.net - DNS lookup 2  splice googleads.g.doubleclick.net
1581426271.764   1551 10.3.198.8 TCP_TUNNEL/200 4093 CONNECT px.ads.linkedin.com:443 - ORIGINAL_DST/px.ads.linkedin.com - DNS lookup -  splice px.ads.linkedin.com
1581426271.764   9268 10.3.198.8 TCP_TUNNEL/200 2012 CONNECT www.facebook.com:443 - ORIGINAL_DST/www.facebook.com - DNS lookup 1  splice www.facebook.com
1581426271.764   2388 10.3.198.8 TCP_TUNNEL/200 10117 CONNECT cdn-cws-prod.azureedge.net:443 - ORIGINAL_DST/cdn-cws-prod.azureedge.net - DNS lookup -  splice cdn-cws-prod.azureedge.net
1581426271.764   3954 10.3.198.8 TCP_TUNNEL/200 1036 CONNECT js.hs-scripts.com:443 - ORIGINAL_DST/js.hs-scripts.com - DNS lookup 1  splice js.hs-scripts.com
1581426271.764   1558 10.3.198.8 TCP_TUNNEL/200 1816 CONNECT www.google-analytics.com:443 - ORIGINAL_DST/www.google-analytics.com - DNS lookup -  splice www.google-analytics.com
1581426271.764   1592 10.3.198.8 TCP_TUNNEL/200 150372 CONNECT connect.facebook.net:443 - ORIGINAL_DST/connect.facebook.net - DNS lookup 2  splice connect.facebook.net

Squid.conf:

acl localnet src 10.3.198.0/24
 
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
 
acl manager proto cache_object
 
acl whitelist dstdomain "/etc/squid/whitelistssl"
acl blackmails dstdomain "/etc/squid/blackmailssl"
 
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
 
http_access allow whitelist
http_access deny blackmails
 
http_access allow manager localhost
http_access allow localnet
http_access allow localhost
http_access deny all
 
dns_v4_first on
dns_nameservers 10.3.198.254 10.3.102.5 10.3.100.5
 
# debug_options ALL,1 26,2 83,2
 
logfile_rotate 31
 
http_port 10.3.198.224:3128
http_port 10.3.198.224:3129 intercept
https_port 10.3.198.224:3130 intercept ssl-bump \
                                generate-host-certificates=on \
                                dynamic_cert_mem_cache_size=16MB \
                                connection-auth=off \
                                tls-cert=/etc/squid/squidCA.pem
 
acl step1 at_step SslBump1
acl blackmailssl ssl::server_name "/etc/squid/blackmailssl"
 
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/usr/lib/squid/ssl_db -M 8MB
 
ssl_bump peek step1
ssl_bump terminate blackmailssl
ssl_bump splice all
 
cache_dir ufs /var/spool/squid 1024 16 256
maximum_object_size 1 MB
 
coredump_dir /var/spool/squid
 
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320



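A small parser for access.log lines in the shape posted above, added here as an example for this thread; it is not Yurii's code and not part of Squid. It assumes the log was written with a custom logformat whose tail is `DNS lookup %dt  %ssl::bump_mode %ssl::>sni` (an assumption: only the printed output is on the page, not the logformat line), groups records by hierarchy code, and flags requests whose elapsed time is not explained by their DNS wait. The embedded sample is a constructed subset of the posted lines, unwrapped one record per line. Run over them it shows what the raw log already says: the DNS wait field is "-" or at most 22 ms, while elapsed times run from about 1.5 s to over 9 s for both the HIER_NONE (peek step) and ORIGINAL_DST (spliced tunnel) records, so the time is being spent somewhere other than name resolution.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the access.log lines posted in the thread,
# unwrapped to one record per line. The "DNS lookup N  <mode> <sni>" tail is
# assumed to come from a custom logformat; %dt (DNS wait, ms) is "-" when Squid
# did not perform a lookup for that request.
SAMPLE_LOG = """\
1581426261.762   7924 10.3.198.8 TCP_TUNNEL/200 4602 CONNECT facebook.com:443 - ORIGINAL_DST/facebook.com - DNS lookup 1  splice facebook.com
1581426262.495   2073 10.3.198.8 NONE/200 0 CONNECT 185.60.216.35:443 - HIER_NONE/- - DNS lookup -  splice www.facebook.com
1581426267.809     22 10.3.198.8 NONE/200 0 CONNECT 104.17.212.204:443 - HIER_NONE/- - DNS lookup 22  splice js.hs-scripts.com
1581426270.206   2103 10.3.198.8 NONE/200 0 CONNECT 216.58.215.78:443 - HIER_NONE/- - DNS lookup -  splice www.google-analytics.com
1581426271.763   2391 10.3.198.8 TCP_TUNNEL/200 3393 CONNECT www.facebook.com:443 - ORIGINAL_DST/www.facebook.com - DNS lookup -  splice www.facebook.com
1581426271.764   1551 10.3.198.8 TCP_TUNNEL/200 4093 CONNECT px.ads.linkedin.com:443 - ORIGINAL_DST/px.ads.linkedin.com - DNS lookup -  splice px.ads.linkedin.com
"""

# Standard squid fields (timestamp, elapsed ms, client, result/status, bytes,
# method, URL, user, hierarchy/peer, mime type) followed by the assumed tail.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+"
    r"DNS lookup\s+(?P<dns>\S+)\s+(?P<bump>\S+)\s+(?P<sni>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    # "-" means no DNS lookup was made for this request; keep that distinct from 0 ms.
    rec["dns_ms"] = None if rec["dns"] == "-" else int(rec["dns"])
    return rec


def parse_log(text):
    """Parse every matching line; unparseable lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per hierarchy code: request count, worst elapsed, worst DNS wait, and the
    share of total elapsed time that DNS waits account for."""
    by_hier = defaultdict(list)
    for r in records:
        by_hier[r["hier"]].append(r)
    out = {}
    for hier, recs in by_hier.items():
        total_elapsed = sum(r["elapsed"] for r in recs)
        total_dns = sum(r["dns_ms"] or 0 for r in recs)
        out[hier] = {
            "count": len(recs),
            "max_elapsed_ms": max(r["elapsed"] for r in recs),
            "max_dns_ms": max(r["dns_ms"] or 0 for r in recs),
            "dns_share": total_dns / total_elapsed if total_elapsed else 0.0,
        }
    return out


def slow_requests(records, threshold_ms=1000):
    """Requests at or above threshold_ms whose DNS wait explains less than a
    tenth of the elapsed time, i.e. slow for some reason other than resolution."""
    return [
        (r["sni"], r["hier"], r["elapsed"], r["dns_ms"])
        for r in records
        if r["elapsed"] >= threshold_ms and (r["dns_ms"] or 0) * 10 < r["elapsed"]
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hier, s in summarize(recs).items():
        print(f"{hier:13s} n={s['count']} max_elapsed={s['max_elapsed_ms']}ms "
              f"max_dns={s['max_dns_ms']}ms dns_share={s['dns_share']:.2%}")
    for sni, hier, elapsed, dns in slow_requests(recs):
        print(f"slow: {sni} ({hier}) {elapsed}ms, DNS wait "
              f"{'none' if dns is None else str(dns) + 'ms'}")
```

To use it on a real log, replace SAMPLE_LOG with the file contents (`parse_log(open('/var/log/squid/access.log').read())`); the regex only applies if the logformat tail matches the assumption above, so adjust LINE_RE if the format differs.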