Setting up a transparent http and https proxy server using squid 4.6


Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson

Hi,

I am trying to set up a transparent proxy for my home network, mainly to implement filtering rules based on website names.

I have been looking at using a Raspberry Pi 3B+ running Raspberry Pi OS. I configured it as a Wi-Fi access point using the RaspAP quick install. The Wi-Fi network on which the filtering is to be implemented uses addresses 10.3.141.xxx; the router is at 10.3.141.1.

I have the following squid.conf file, which I put together from various mails, websites and blogs I read:

acl SSL_ports port 443 #https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# The local network
acl LocalNet src 10.3.141.0/24

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3

# Access permissions
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow LocalNet
http_access deny all

# Listening ports
http_port 8080
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  tls-cert=/etc/squid/cert/example.crt \
  tls-key=/etc/squid/cert/example.key \
  generate-host-certificates=on  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir ufs /cache 400 16 256
access_log /var/log/squid/access.log   # access_log replaces the older cache_access_log directive
cache_effective_user proxy

If I manually configure a proxy (10.3.141.1, port 8080) on a device connected to the access point, I can access the internet. I put the following iptables rules in rules.v4:

*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT

Now, if I remove the manual proxy configuration from the device connected to the access point, I can't connect to the internet. If I leave the manual proxy configuration, it works and there is activity logged in /var/log/squid/access.log.

Please let me know what might be wrong in my configuration if possible.

Best regards,

JF



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Setting up a transparent http and https proxy server using squid 4.6

Antony Stone
On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:

> If I set up on a device connected to the access point a proxy manually
> ie 10.3.141.1 on port 8080, I can access the internet. If I put the
> following rules for iptables to use in files rules.v4 :
>
> *nat
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
> 10.3.141.1:3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
> 10.3.141.1:3129
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE

Try removing the DNAT rules above.  You should be using REDIRECT for intercept
mode to work correctly.


Antony.

--
If you can smile when all about you things are going wrong, you must have
someone in mind to take the blame.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Setting up a transparent http and https proxy server using squid 4.6

Amos Jeffries
Administrator
On 31/12/20 10:14 pm, Antony Stone wrote:

> On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
>
>> If I set up on a device connected to the access point a proxy manually
>> ie 10.3.141.1 on port 8080, I can access the internet. If I put the
>> following rules for iptables to use in files rules.v4 :
>>
>> *nat
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
>> 10.3.141.1:3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
>> 10.3.141.1:3129
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
>
> Try removing the DNAT rules above.  You should be using REDIRECT for intercept
> mode to work correctly.
>

Also missing half the iptables rules needed. See the official How-To
documentation at
<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>


Amos
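Added example, not code from either reply and not taken from the Squid wiki page Amos links: a small Python checker that applies the two points made above to a constructed copy of the posted rules.v4 (DNAT to the proxy's own address where REDIRECT is meant, and rules the posted set lacks) and renders a ruleset that passes its own checks. The extra rules it expects, a mangle PREROUTING DROP on each intercept port so that clients cannot reach 3128/3129 directly, and a client-facing interface distinct from the upstream one, are my reading of the usual Squid-on-the-router intercept setup, not text quoted from the wiki; wlan0 is a placeholder for whatever interface the RaspAP clients actually arrive on.

```python
import re

# Client port -> Squid intercept port, taken from the posted squid.conf.
INTERCEPT_PORTS = {80: 3128, 443: 3129}

# Constructed copy of the rules.v4 posted above (sample input, not a live ruleset).
POSTED_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"--dport (\d+)\b.*-j (DNAT|REDIRECT)\b(?: --to-destination (\S+)| --to-ports (\d+))?")


def parse_rules(text):
    """Return (table, rule) pairs from iptables-save / rules.v4 text."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        else:
            rules.append((table, line))
    return rules


def lint_intercept_rules(text, proxy_ip, ports=INTERCEPT_PORTS):
    """Return findings for a Squid-on-the-router intercept ruleset; [] means every check here passes."""
    rules = parse_rules(text)
    findings = []
    hits = {}  # client port -> number of nat PREROUTING rules that send it to Squid

    for table, rule in rules:
        m = RULE_RE.search(rule)
        if table != "nat" or "-A PREROUTING" not in rule or not m:
            continue
        dport, target, dnat_dest, redir_port = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if dport not in ports:
            continue
        hits[dport] = hits.get(dport, 0) + 1
        if target == "DNAT" and dnat_dest and dnat_dest.split(":")[0] == proxy_ip:
            findings.append(f"port {dport}: DNAT to the proxy's own address; with Squid on the router use "
                            f"REDIRECT --to-ports {ports[dport]}")
        if target == "REDIRECT" and redir_port and int(redir_port) != ports[dport]:
            findings.append(f"port {dport}: REDIRECT to {redir_port} but squid.conf intercepts on {ports[dport]}")

    for dport, count in hits.items():
        if count > 1:
            findings.append(f"port {dport}: {count} PREROUTING rules match it; only the first one ever fires")

    for dport, iport in ports.items():
        if dport not in hits:
            findings.append(f"port {dport}: no nat PREROUTING rule sends it to Squid")
        # mangle PREROUTING runs before the NAT translation, so a DROP on the intercept port only
        # ever sees connections aimed at that port directly, never the redirected ones.
        guarded = any(t == "mangle" and "-A PREROUTING" in r and f"--dport {iport} " in r and "-j DROP" in r
                      for t, r in rules)
        if not guarded:
            findings.append(f"port {iport}: no mangle PREROUTING DROP, so clients can reach the intercept port directly")

    in_ifs = {m.group(1) for t, r in rules if t == "nat" and "-A PREROUTING" in r
              for m in [re.search(r"-i (\S+)", r)] if m}
    out_ifs = {m.group(1) for t, r in rules if t == "nat" and "MASQUERADE" in r
               for m in [re.search(r"-o (\S+)", r)] if m}
    for shared in sorted(in_ifs & out_ifs):
        findings.append(f"interface {shared}: used both to intercept clients (-i) and as the upstream for "
                        f"MASQUERADE (-o); check it is really the interface clients arrive on")
    return findings


def generate_rules(lan_if, wan_if, lan_net, ports=INTERCEPT_PORTS):
    """Render a rules.v4 for Squid running on the router itself; lan_if is the client-facing interface."""
    mangle, nat = [], []
    for dport, iport in sorted(ports.items()):
        mangle.append(f"-A PREROUTING -p tcp --dport {iport} -j DROP")
        nat.append(f"-A PREROUTING -i {lan_if} -p tcp --dport {dport} -j REDIRECT --to-ports {iport}")
    nat.append(f"-A POSTROUTING -s {lan_net} -o {wan_if} -j MASQUERADE")
    return "\n".join(["*mangle", *mangle, "COMMIT", "*nat", *nat, "COMMIT", ""])


if __name__ == "__main__":
    for finding in lint_intercept_rules(POSTED_RULES, "10.3.141.1"):
        print("posted rules:", finding)
    fixed = generate_rules("wlan0", "eth0", "10.3.141.0/24")  # wlan0 is a placeholder, see the lead-in
    print(fixed)
    print("fixed rules findings:", lint_intercept_rules(fixed, "10.3.141.1"))
```

Run it against the real file with `lint_intercept_rules(open("/etc/iptables/rules.v4").read(), "10.3.141.1")`; the interface finding is the one to read with the RaspAP layout in mind, since the posted rules intercept on eth0 while the clients are on the Wi-Fi side.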

Re: Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson
In reply to this post by Antony Stone

Hi,

Thank you Amos Jeffries and Antony Stone. It seems the configuration I have provides the functionality of filtering I am looking for.

There is a strange behavior when accessing some legitimate sites, which leaves traces in cache.log:

2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:40 kid1| Starting new redirector helpers...
2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)

I noticed other Squid users encountered similar issues, but I did not find a clear answer. Is there a problem with my setup? I am not sure I can solve it on my own! Any help would be appreciated.

Best regards,

JF Hasson


Re: Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson

Hi,

After reading more about this kind of error, I captured a few transactions with Wireshark running on the Raspberry Pi hosting Squid 4.6 and OpenSSL 1.1.1d. I captured some transactions when trying to access ebay.fr, which currently fails with my setup with the inappropriate fallback error mentioned below.

I am not familiar with TLS transactions, so I will try to present a high-level view of the exchange between the Raspberry Pi and the ebay.fr server. I hope you can guide me as to what I should focus on to understand the issue, if possible.

A bird's eye view of the transactions from Wireshark over time is:

     23 0.175795327    192.168.1.32          192.168.1.1           DNS      71     Standard query 0x057e A www.ebay.fr
     24 0.214678299    192.168.1.1           192.168.1.32          DNS      165    Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
     25 0.301067317    192.168.1.32          23.57.6.166           TCP      74     53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
     26 0.302488046    192.168.1.32          23.57.6.166           TCP      74     53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
     27 0.328959454    23.57.6.166           192.168.1.32          TCP      74     443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
     28 0.329115340    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
     29 0.329752684    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     30 0.330530288    23.57.6.166           192.168.1.32          TCP      74     443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
     31 0.330644819    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
     32 0.331192579    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     35 0.351054404    192.168.1.32          192.168.1.98          TCP      54     5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
     36 0.363323884    23.57.6.166           192.168.1.32          TCP      66     443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
     37 0.364291801    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     38 0.364347270    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
     39 0.365482999    23.57.6.166           192.168.1.32          TCP      1514   443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
     40 0.365535030    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
     41 0.366217999    23.57.6.166           192.168.1.32          TCP      1266   443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
     42 0.366279041    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
     43 0.366321697    23.57.6.166           192.168.1.32          TCP      74     [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
     44 0.366410135    192.168.1.32          23.57.6.166           TCP      66     [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
     45 0.366709770    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     46 0.366754978    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186756 TSecr=3470404097
     47 0.369138676    23.57.6.166           192.168.1.32          TCP      66     443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404102 TSecr=365186720
     48 0.370432739    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     49 0.370506906    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186759 TSecr=3470404102
     50 0.371401125    23.57.6.166           192.168.1.32          TCP      1514   443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
     51 0.371449250    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186760 TSecr=3470404102
     52 0.372385968    23.57.6.166           192.168.1.32          TCP      1266   443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
     53 0.372438156    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186761 TSecr=3470404102
     54 0.372859562    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     55 0.372905395    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186762 TSecr=3470404103
     56 0.374064614    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186763 TSecr=3470404097
     57 0.382856646    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186772 TSecr=3470404103
     58 0.387044251    192.168.1.32          23.57.6.166           TCP      74     53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186776 TSecr=0 WS=128
     59 0.401877325    192.168.1.32          23.57.6.166           TCP      74     53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186791 TSecr=0 WS=128
     60 0.402472117    23.57.6.166           192.168.1.32          TCP      66     443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404136 TSecr=365186763
     61 0.402574981    192.168.1.32          23.57.6.166           TCP      66     53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186791 TSecr=3470404136
     62 0.410122326    23.57.6.166           192.168.1.32          TCP      66     443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404143 TSecr=365186772
     63 0.410185971    192.168.1.32          23.57.6.166           TCP      66     53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186799 TSecr=3470404143
     64 0.415533941    23.57.6.166           192.168.1.32          TCP      74     443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128
     65 0.415615607    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186804 TSecr=3470404148
     66 0.416199514    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     67 0.429629098    23.57.6.166           192.168.1.32          TCP      74     443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128
     68 0.429722796    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186819 TSecr=3470404163
     69 0.430195036    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello
     70 0.449937225    23.57.6.166           192.168.1.32          TCP      66     443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404182 TSecr=365186805
     71 0.451000037    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     72 0.451064100    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186840 TSecr=3470404183
     73 0.451980194    23.57.6.166           192.168.1.32          TCP      1514   443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
     74 0.452031756    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186841 TSecr=3470404183
     75 0.452935767    23.57.6.166           192.168.1.32          TCP      1266   443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
     76 0.452991027    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186842 TSecr=3470404183
     77 0.453443475    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     78 0.453498215    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186842 TSecr=3470404184
     79 0.461625715    192.168.1.32          23.57.6.166           TCP      66     53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186850 TSecr=3470404184
     80 0.463463320    23.57.6.166           192.168.1.32          TCP      66     443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404196 TSecr=365186819
     81 0.464344413    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello
     82 0.464433476    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186853 TSecr=3470404197
     83 0.465538632    23.57.6.166           192.168.1.32          TCP      1514   443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
     84 0.465628789    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186854 TSecr=3470404197
     85 0.466298945    23.57.6.166           192.168.1.32          TCP      1266   443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
     86 0.466437851    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186855 TSecr=3470404197
     87 0.467042591    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done
     88 0.467190976    192.168.1.32          23.57.6.166           TCP      66     53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186856 TSecr=3470404197

I start my description with the Client Hello from the Raspberry Pi to the ebay.fr server:

No.     Time           Source                Destination           Protocol Length Info
     29 0.329752684    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then there is another Client Hello, which looks very similar to the previous one:

No.     Time           Source                Destination           Protocol Length Info
     32 0.331192579    192.168.1.32          23.57.6.166           TLSv1.2  583    Client Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then a Server Hello:

No.     Time           Source                Destination           Protocol Length Info
     37 0.364291801    23.57.6.166           192.168.1.32          TLSv1.2  1514   Server Hello

...

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 78
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 74
            Version: TLS 1.2 (0x0303)

            Random: 08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
                GMT Unix Time: Oct  4, 1974 08:40:20.000000000 Paris, Madrid (summer time)
                Random Bytes: bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

...

So it seems the server found a cipher in common with the client. I am not sure what to look for then. Frames 43 and 44 are flagged by Wireshark as retransmissions, but I am not sure that is a problem.

I noticed frame 45, which carries the Certificate, Certificate Status, Server Key Exchange and Server Hello Done:

No.     Time           Source                Destination           Protocol Length Info
     45 0.366709770    23.57.6.166           192.168.1.32          TLSv1.2  991    Certificate, Certificate Status, Server Key Exchange, Server Hello Done

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4102
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
     ...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 479
        Handshake Protocol: Certificate Status
            Handshake Type: Certificate Status (22)
            Length: 475
            Certificate Status Type: OCSP (1)
            OCSP Response Length: 471
            OCSP Response
...
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

...

I noticed there is a mention of Diffie-Hellman which may require some attention but I am not sure.

I am sorry for all this information, but I really look forward to understanding more and sorting this issue out. Is there anything in this information that is relevant to understanding the issue I have? Where should I focus?

Best regards,

JF

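An added example, not code from the post above or from Squid, to pin down what the log line actually reports. The reason code 0x43E (1086) in error:1407743E is OpenSSL's encoding of TLS alert 86, inappropriate_fallback, and RFC 7507 says a server sends that alert when the ClientHello carries the TLS_FALLBACK_SCSV pseudo cipher suite (0x5600) while offering a lower maximum version than the server supports. Neither the capture summary nor the Server Hello excerpt shows the cipher list, so this script parses a ClientHello record and reports the two deciding fields. The input is a constructed ClientHello with a zero random and www.example.com as a placeholder SNI, and treating the supported_versions extension as the client's top offer is this example's reading of TLS 1.3, not something the thread states.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
ALERT_INAPPROPRIATE_FALLBACK = 86   # OpenSSL reports it as reason 1000 + 86 = 1086 = 0x43E
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(hello_version, cipher_suites, server_name, supported_versions=None, fallback_scsv=False):
    """Constructed ClientHello used as sample input; zero random, record version TLS 1.0 as in the capture."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    host = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host                 # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if supported_versions:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = struct.pack("!B", len(versions)) + versions
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body = (struct.pack("!H", hello_version) + bytes(32) + b"\x00"      # client_version, random, empty session id
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00"                                                 # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one handshake record holding a ClientHello and return the fields that decide RFC 7507."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    hs = record[5:5 + record_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    hello_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                                        # client_version, random
    pos += 1 + body[pos]                                                 # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                                 # compression methods

    sni, supported_versions = None, []
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", edata[3:5])[0]            # skip list length and name_type
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                supported_versions = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]

    return {
        "record_version": record_version,
        "hello_version": hello_version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
        "sni": sni,
        "supported_versions": supported_versions,
        # With supported_versions present a TLS 1.3 server negotiates from that list, so it is the top offer.
        "max_offered": max(supported_versions) if supported_versions else hello_version,
    }


def server_sends_inappropriate_fallback(hello, server_max_version):
    """RFC 7507 server rule: SCSV present and the client's top offer is below what the server supports."""
    return hello["fallback_scsv"] and hello["max_offered"] < server_max_version


def summarize(hello):
    """One-line report of the fields a reader would otherwise dig out of the Wireshark tree by hand."""
    name = lambda v: VERSION_NAMES.get(v, hex(v))
    return (f"record {name(hello['record_version'])}, hello {name(hello['hello_version'])}, "
            f"offers up to {name(hello['max_offered'])}, TLS_FALLBACK_SCSV "
            f"{'present' if hello['fallback_scsv'] else 'absent'}, SNI {hello['sni']}")


if __name__ == "__main__":
    sample = build_client_hello(0x0303, [0xC02F, 0xC030], "www.example.com", fallback_scsv=True)
    parsed = parse_client_hello(sample)
    print(summarize(parsed))
    print("alert 86 from a TLS 1.3 server:", server_sends_inappropriate_fallback(parsed, 0x0304))
```

To run it on the real frame 29, select the TLS record in Wireshark's packet details, copy it as a hex stream and pass `bytes.fromhex(...)` to `parse_client_hello`. Note which side to capture: SSL23_GET_SERVER_HELLO in the log line is OpenSSL 1.0.2's client-side code waiting for a ServerHello and receiving the alert instead, so the ClientHello of interest is the one Squid sends to the origin server, not the browser's; the `squid -v` output later in the thread confirms the binary is linked against OpenSSL 1.0.2q.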

Re: Setting up a transparent http and https proxy server using squid 4.6

Eliezer Croitoru-3
In reply to this post by jean francois hasson

Hey,

I am missing a bit of the context, like:

Did you self-compile Squid? Is it from the OS repository?

squid -v might help a bit to understand what you have enabled in your Squid.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


Re: Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson

Hi,

Thank you for looking at my question.

I dowloaded the squid 4.6 source code from http://ftp.debian.org/debian/pool/main/s/squid/ and selected squid_4.6.orig.tar.gz, squid_4.6-1+deb10u4.debian.tar.xz and squid_4.6-1+deb10u4.dsc. I modified the debian/rules file by adding to DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl, --enable-ssl and --enable-ssl-crtd.

The squid -v output is:

Squid Cache: Version 4.6
Service Name: squid
Raspbian linux

This binary uses OpenSSL 1.0.2q  20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=arm-linux-gnueabihf' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++' '--with-build-environment=default' '--enable-build-info=Raspbian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter' 'build_alias=arm-linux-gnueabihf' 'CC=arm-linux-gnueabihf-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'

When I run openssl version I get 1.1.1d.

I hope it helps.

Best regards,

JF

On 03/01/2021 at 21:55, [hidden email] wrote:

Hey,

I am missing a bit of the context, like:

Did you compile Squid yourself? Is it from the OS repository?

Squid -v might help a bit to understand what you have enabled in your Squid.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon

Re: Setting up a transparent http and https proxy server using squid 4.6

Eliezer Croitoru-3

Try, as a test, removing:

ssl_bump terminate all

I.e. use only the following bump rules:

### START
# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

ssl_bump peek tls_s1_connect
ssl_bump splice all
### END

The above is from an example in the ufdbguard manual.

Let me know if you are still having issues in full splice mode.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon

Re: Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson

Hi,

Doing the change below works. I can now access ebay.fr through the Raspberry Pi.

Best regards,

JF

On 04/01/2021 at 13:04, [hidden email] wrote:

Try, as a test, removing:

ssl_bump terminate all

I.e. use only the following bump rules:

### START
# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

ssl_bump peek tls_s1_connect
ssl_bump splice all
### END

The above is from an example in the ufdbguard manual.

 

Let me know if you are still having issues in full splice mode.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: jean francois hasson [hidden email]
Sent: Monday, January 4, 2021 8:51 AM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

 

Hi,

Thank you for looking at my question.

I dowloaded the squid 4.6 source code from http://ftp.debian.org/debian/pool/main/s/squid/ and selected squid_4.6.orig.tar.gz, squid_4.6-1+deb10u4.debian.tar.xz and squid_4.6-1+deb10u4.dsc. I modified the debian/rules file by adding to DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl, --enable-ssl and --enable-ssl-crtd.

The squid -v output is :

Squid Cache: Version 4.6
Service Name: squid
Raspbian linux

This binary uses OpenSSL 1.0.2q  20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=arm-linux-gnueabihf' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++' '--with-build-environment=default' '--enable-build-info=Raspbian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter' 'build_alias=arm-linux-gnueabihf' 'CC=arm-linux-gnueabihf-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'

When I run openssl version I get 1.1.1d.

I hope it helps.

Best regards,

JF

Le 03/01/2021 à 21:55, [hidden email] a écrit :

Hey,

 

I am missing a bit of the context, like:

Did you self compiled squid? Is it from the OS repository?

Squid -v might help a bit to understand what you do have enabled in your Squid.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users [hidden email] On Behalf Of jean francois hasson
Sent: Thursday, December 31, 2020 11:10 AM
To: [hidden email]
Subject: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

 

Hi,

I am trying to create for my home network a transparent proxy to implement filtering rules based on website names mainly.

I have been looking at using a Raspberry pi 3B+ running pi OS. I configured it to be a Wifi access point using RaspAP quick install. The Wifi network on which the filtering option is to be implemented is with IP 10.3.141.xxx. The router is at address 10.3.141.1.

I have the following squid.conf file which I tried to create based on different mails, websites and blogs I read :

acl SSL_ports port 443 #https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

#Le réseau local
acl LocalNet src 10.3.141.0/24

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3

#Définition des autorisations
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow LocalNet
http_access deny all

#Définition des ports d'écoute
http_port 8080
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  tls-cert=/etc/squid/cert/example.crt \
  tls-key=/etc/squid/cert/example.key \
  generate-host-certificates=on  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir ufs /cache 400 16 256
cache_access_log /var/log/squid/access.log
cache_effective_user proxy

If I set up on a device connected to the access point a proxy manually ie 10.3.141.1 on port 8080, I can access the internet. If I put the following rules for iptables to use in files rules.v4 :

*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT
Now, if I remove the manual proxy configuration of the device connected to the access point, I can't connect to the internet. If I leave the manual proxy configuration it does work and there is activity logged in /var/log/squid/access.log.

Please let me know what might be wrong in my configuration if possible.

Best regards,

JF

 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Setting up a transparent http and https proxy server using squid 4.6

Eliezer Croitoru-3
Just take into account that it will not filter any https/ssl sites this way.
You will need to create an acl to allow only exceptions to be spliced.

Try to look at the ufdbguard manual at:
https://www.urlfilterdb.com/files/downloads/ReferenceManual.pdf

in section 3.3.2, Squid Example Configuration, SSL-Bump peek+splice

All the best,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon
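Eliezer's point above is that "ssl_bump splice all" passes every TLS connection through untouched, so the name-based filtering JF is after never happens for HTTPS. The squid.conf fragment below is an added example for this page (it is not from the thread, from Squid or from the ufdbguard manual) of the middle ground he describes: peek at the ClientHello to learn the SNI, terminate connections to listed names, and splice everything else, so no certificate is ever forged and no CA has to be installed on the clients. The intercept port and certificate paths are taken from JF's configuration; the acl names, the blocklist file /etc/squid/blocked_sni.txt and the logformat name are assumptions.

```conf
# Added example, not part of the thread: filter HTTPS by server name
# without bumping (no forged certificates, no CA on the clients).
# Intercept port and certificate paths are JF's; acl names, the
# blocklist file and the logformat name are assumptions.
https_port 3129 intercept ssl-bump \
  tls-cert=/etc/squid/cert/example.crt \
  tls-key=/etc/squid/cert/example.key \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1

# Names to block, one per line, dstdomain style (".example.net" also
# matches its subdomains). Hypothetical path.
acl blocked_sni ssl::server_name "/etc/squid/blocked_sni.txt"

# Step 1 (intercept): only the original destination IP:port is known,
# so peek to obtain the ClientHello and the SNI it carries.
ssl_bump peek step1
# Step 2: the SNI is known. Close blocked names, pass everything else
# through untouched. Order matters: the first matching rule wins.
ssl_bump terminate blocked_sni
ssl_bump splice all

# Log the SNI and the bump decision so the policy can be verified.
logformat tls %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %Ss/%03>Hs %<a
access_log /var/log/squid/access.log tls
```

Run squid -k parse after editing and then browse from a client: spliced connections show up in access.log with bump_mode "splice" and status TCP_TUNNEL, connections to a listed name with bump_mode "terminate". Keep in mind what this does and does not give you. The decision is keyed on the server name the client itself puts in the ClientHello, so a client that omits the SNI falls through to "splice all", a client that lies about it is not caught, and anything that does not cross TCP 443 on the proxy (QUIC, DNS over HTTPS, a VPN) is not seen at all. That is adequate for a home content filter; it is not a security boundary against a user who wants to get around it.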

