HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip


HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Александр Александрович Березин
Please HELP!
 
Hello dear members of the community
Excuse me for disturbing you, but I could not find an answer to this question, so I am asking you; sorry again.
 
I have
 
#46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic
 
# squid -v
 
Squid Cache: Version 3.5.27
Service Name: squid
Ubuntu linux
 
This binary uses OpenSSL 1.0.2n  7 Dec 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html
 
 '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
 

in /etc/squid.conf:

.......

acl test dstdomain partner.steam-api.com
 
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
 
ssl_bump peek step1 all
ssl_bump splice test
ssl_bump bump
 
 
http_port 192.168.50.1:3128 intercept
https_port 192.168.50.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl_cert/squidCA.pem

When I try to access the site partner.steam-api.com from a browser on the local network
 
access.log
 
[Fri Jan 25 06:50:10 2019].514      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -
[Fri Jan 25 06:50:10 2019].516      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -
[Fri Jan 25 06:50:10 2019].530      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -
[Fri Jan 25 06:50:10 2019].537      0 192.168.50.10 TAG_NONE/403 3806 GET https://partner.steam-api.com/ - HIER_NONE/- text/html
[Fri Jan 25 06:50:10 2019].568      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -
[Fri Jan 25 06:50:10 2019].576      0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -
[Fri Jan 25 06:50:10 2019].583      0 192.168.50.10 TAG_NONE/403 3806 GET http://berezin:0/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
 
In the browser I get the error:
 
squid error the requested url could not be retrieved
the following error was encountered while trying to retrieve the url https://208.64.202.87
 
If I add 208.64.202.87 to acl test dstdomain,
everything is good and I connect to partner.steam-api.com.
 
 
But the address behind partner.steam-api.com can be dynamic and constantly changing, so I need a connection by name.
Tell me, what is my mistake?
 
-- 
Best regards,
Александр Александрович Березин
 
With respect,
Alexander Alexandrovich Berezin
 
 

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Amos Jeffries
Administrator
On 25/01/19 9:15 pm, Александр Александрович Березин wrote:
> Please HELP!
>  
> Hello dear members of the community
> excuse me for disturbing me, but I could not find an answer to the
> question, so I speak to you, sorry again
>  
> i have
>  
...

>
> in /etc/squid.conf
>
> .......
>
> acl test dstdomain partner.steam-api.com
>  
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>  
> ssl_bump peek step1 all

NP: That 'all' has no purpose here.

> ssl_bump splice test

The ssl_bump rules when checked for intercepted traffic are run *before*
anything gets decrypted. Thus there is no HTTP(S) request to get a URL
from, so no URL domain (dstdomain).

Use ssl::server_name ACL type instead. It can match TLS SNI domain (if
any) retrieved by the step1 peek action.


> ssl_bump bump
>  
>  
> http_port 192.168.50.1:3128 intercept
> https_port 192.168.50.1:3129 intercept ssl-bump
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
> cert=/etc/squid/ssl_cert/squidCA.pem
>  
>  
>  
> when I am trying to access the site from a browser from a local network
> partner.steam-api.com
>  
> access.log
>  
> [Fri Jan 25 06:50:10 2019].514      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -

Traffic arriving is immediately being denied access into the proxy. The
other log entries and errors are resulting from that fact.

>  
> but the address at the end partner.steam-api.com  can be dynamic and
> constantly changing, so I need a connection by name
> tell me what is my mistake?

Two mistakes. First is the dstdomain vs ssl::server_name ACL types
mentioned above.

Second mistake is http_access rules deny'ing CONNECT messages generated
by Squid to represent the TCP SYN packet for SSL-Bump step1. At that
point all Squid has access to is the raw-IP:port details. SNI where the
server name is received requires the initial CONNECT to be allowed into
the proxy before the TLS inspection can begin.


Amos

Re: HELP! Ssl_bump - acl , dstdomain , denied by fqdn need ip

Alex Rousskov
On 1/25/19 1:15 AM, Александр Александрович Березин wrote:

> 0 192.168.50.10 TCP_DENIED/200 0 CONNECT 208.64.202.87:443 - HIER_NONE/- -

Looks like your http_access rules deny some (or all) CONNECT requests,
probably during SslBump step1. This is not related to your ssl_bump
rules. Examine those rules and adjust them to allow CONNECT requests you
want to allow (and deny all other CONNECT requests).


> acl test dstdomain partner.steam-api.com

I doubt this causes TCP_DENIED errors, but you may want to use an
ssl::server_name ACL instead of dstdomain.


HTH,

Alex.


> [Fri Jan 25 06:50:10 2019].516      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].530      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].537      0 192.168.50.10 TAG_NONE/403 3806
> GET https://partner.steam-api.com/ - HIER_NONE/- text/html
> [Fri Jan 25 06:50:10 2019].568      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].576      0 192.168.50.10 TCP_DENIED/200 0
> CONNECT 208.64.202.87:443 - HIER_NONE/- -
> [Fri Jan 25 06:50:10 2019].583      0 192.168.50.10 TAG_NONE/403 3806
> GET http://berezin:0/squid-internal-static/icons/SN.png - HIER_NONE/-
> text/html
>  
> in browser i have are error
>  
> squid error the requested url could not be retrieved
> the following error was encountered while trying to retrieve the url
> https://208.64.202.87 <https://208.64.202.87/>
>  
> if i add 208.64.202.87 <https://208.64.202.87/> in acl test dstdomain
> everything is good and I connect to partner.steam-api.com
>  
>  
> but the address at the end partner.steam-api.com  can be dynamic and
> constantly changing, so I need a connection by name
> tell me what is my mistake?
>  
> -- 
> Best regards,
> Александр Александрович Березин
>  
> With respect,
> Alexander Alexandrovich Berezin
>  
>  
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
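A corrected squid.conf fragment that applies both points raised above (ssl::server_name instead of dstdomain, and http_access allowing the step1 CONNECT), added here as an example and not part of either reply or the original poster's configuration; the localnet range and the SSL_ports/CONNECT ACLs are assumptions modelled on the shipped default squid.conf:

```conf
# Added example; not the original poster's config and not Squid's own defaults.
# Assumption: clients are in 192.168.50.0/24 (only .1 and .10 appear in the thread).
acl localnet src 192.168.50.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1

# Match the TLS SNI learned by the step1 peek, not the request URL: when
# ssl_bump rules run nothing is decrypted yet, so dstdomain has no hostname.
acl steam ssl::server_name partner.steam-api.com

# http_access is evaluated first. Intercepted TLS arrives as a fake CONNECT to
# the raw IP:port (the "CONNECT 208.64.202.87:443" lines in access.log); if it
# is denied here, Squid never reads the ClientHello and ssl::server_name can
# never match. Allow local clients, restrict CONNECT to 443, deny the rest.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# step1: peek to read the SNI without committing to bump or splice.
ssl_bump peek step1
# step2: SNI is now known; pass Steam through untouched, decrypt everything else.
ssl_bump splice steam
ssl_bump bump all

http_port 192.168.50.1:3128 intercept
https_port 192.168.50.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/ssl_cert/squidCA.pem
```

After reloading, the step1 lines for 208.64.202.87:443 should no longer show TCP_DENIED, and the splice decision is logged against the SNI rather than the IP.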
