SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Test User
Hi,
 I am trying to setup HTTPS proxy using ssl-bump. I have followed
steps mentioned in:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Following is my squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/squidCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \
dhparams=/etc/squid/ssl_cert/dhparam.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern . 0 20% 4320


I get no errors while starting Squid. Following are the logs when Squid starts:

2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for
x86_64-pc-linux-gnu...
2017/02/23 09:59:53 kid1| Service Name: squid
2017/02/23 09:59:53 kid1| Process ID 26236
2017/02/23 09:59:53 kid1| Process Roles: worker
2017/02/23 09:59:53 kid1| With 65535 file descriptors available
2017/02/23 09:59:53 kid1| Initializing IP Cache...
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit:
idnsInit: attempt open DNS socket to: [::]
2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit:
idnsInit: attempt open DNS socket to: 0.0.0.0
2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6
2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7
2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321)
idnsAddNameserver: idnsAddNameserver: Added nameserver #0
(172.31.0.2:53)
2017/02/23 09:59:53.756 kid1| Adding domain
ap-south-1.compute.internal from /etc/resolv.conf
2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350)
idnsAddPathComponent: idnsAddPathComponent: Added domain #0:
ap-south-1.compute.internal
2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32
'ssl_crtd' processes
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got
definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for
possible 1C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for
possible Misc token
2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for
possible 2C token
2017/02/23 09:59:53.775 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize:
urlInitialize: Initializing...
2017/02/23 09:59:53.779 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
2017/02/23 09:59:53.779 kid1| Store logging disabled
2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated
20164 objects
2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008
2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets
2017/02/23 09:59:53.779 kid1| Max Mem  size: 262144 KB
2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB
2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection
2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/image.png'
2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png'
into proto='http', host='ip-172-31-25-235', port='3128',
path='/squid-internal-static/icons/silk/page_white_text.png'

****several urlParse logs like above. Removing them to shorten the
email. Further logs below...****

2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.
2017/02/23 09:59:53.815 kid1| HTCP Disabled.
2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25
2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0
2017/02/23 09:59:53.815 kid1| Adaptation support is off.
2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket
connections at local=[::]:3128 remote=[::] FD 22 flags=9
2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped
HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41
2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...
2017/02/23 09:59:53| pinger: ICMP socket opened.
2017/02/23 09:59:53| pinger: ICMPv6 socket opened
2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects



I tested this setup by providing proxy details to Firefox. Firefox was
able to show HTTP websites but when I tried to open an HTTPS website I
got following error:

2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD
7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33:
(92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD
7 flags=33

I googled this error and found this mail thread which had similar problems:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html

I found this link from the above thread. I modified the steps for
HTTPS from the below link:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Now my sysctl.conf is:

net.ipv4.conf.all.rp_filter=0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

My iptables -t nat -L result:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  ec2-35-154-101-8.ap-south-1.compute.amazonaws.com
anywhere             tcp dpt:https
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:https to:35.154.101.8:3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Once this was done, I tried to hit HTTPS website from Firefox and now
I get connection timeout error. Nothing shows in syslog, access.log or
cache.log. Could you please help me resolve this.

Thanks.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users