Squid and SSL Bump


Squid and SSL Bump

Yoinier Hernandez Nieves
I am trying to configure Squid 3.5 on CentOS 7 with SSL Bump.

But I have some problems. The first:

Some HTTPS sites I cannot access, because Squid says that I am not authenticated. Other sites, yes, I can access.

I am authenticated.

Thanks.

Yoinier.

Fragment of my squid.conf.

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB# options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump all
authenticate_ip_ttl 60 seconds



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid and SSL Bump

Antony Stone
On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:

> I am trying to configure Squid 3.5 on CentOS 7 with SSL Bump.
>
> But I have some problems. The first:
>
> Some HTTPS sites I cannot access, because Squid says that I am not
> authenticated. Other sites, yes, I can access.

Please give us information:

1. An example of sites you can access.

2. An example of sites you cannot access.

3. For problems, show us error messages - quote us what the remote sites tell
you.

4. Please rephrase "squid say what I am are not authenticated" - this is not
clear - what do you mean?

> I am authenticated.

To what?  Squid, or the remote site?

How do you know you are authenticated - what confirmation do you have?

> Fragment of my squid.conf.
>
> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB# options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1
> ssl_bump bump all
> authenticate_ip_ttl 60 seconds

That looks a bit strange (and a bit incomplete) to me, but since I'm no expert
on SSL interception, I'll let someone else step in here.

If you can provide more information in the meantime (eg: enough to help
someone else replicate your problem) that would be good.


Antony.

--
Wanted: telepath.   You know where to apply.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid and SSL Bump

Yoinier Hernandez Nieves
I answer inline.

On 9/01/2018, at 4:27 p.m., Antony Stone <[hidden email]> wrote:

> On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:
>
>> I am trying to configure Squid 3.5 on CentOS 7 with SSL Bump.
>>
>> But I have some problems. The first:
>>
>> Some HTTPS sites I cannot access, because Squid says that I am not
>> authenticated. Other sites, yes, I can access.
>
> Please give us information:
>
> 1. An example of sites you can access.

Not HTTPS.

> 2. An example of sites you cannot access.

https://www.ssllabs.com/ssltest/viewMyClient.html
https://outlook.co.il/
https://www.facebook.com

> 3. For problems, show us error messages - quote us what the remote sites tell
> you.

The following error was encountered while trying to retrieve the URL: https://outlook.co.il/

Cache Access Denied

Sorry, you are not currently allowed to request https://outlook.co.il/ from this cache until you have authenticated yourself.

Please contact the [hidden email] if you have difficulties authenticating yourself.

> 4. Please rephrase "squid say what I am are not authenticated" - this is not
> clear - what do you mean?
>
>> I am authenticated.
>
> To what?  Squid, or the remote site?

Squid, see the message for point 3.

The other error is this, for https://www.kiosco.bandec.cu/kiosco:

Error negotiating SSL on FD 16: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

The following error was encountered while trying to retrieve the URL: https://www.kiosco.bandec.cu/*

Failed to establish a secure connection to 190.6.64.132

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /CN=CX6.bandec.cu

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

> How do you know you are authenticated - what confirmation do you have?
>
>> Fragment of my squid.conf.
>>
>> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB# options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> ssl_bump peek step1
>> ssl_bump bump all
>> authenticate_ip_ttl 60 seconds
>
> That looks a bit strange (and a bit incomplete) to me, but since I'm no expert
> on SSL interception, I'll let someone else step in here.
>
> If you can provide more information in the meantime (eg: enough to help
> someone else replicate your problem) that would be good.

I also use DansGuardian in front of the Squid proxy.

See the log for one request:

1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html

aaa.aaa.aaa.aaa is my PC.
bbb.bbb.bbb.bbb is the DansGuardian.


Re: Squid and SSL Bump

Amos Jeffries
On 10/01/18 10:56, Yoinier Hernandez Nieves wrote:

> I answer interline.
>
>> El 9/01/2018, a las 4:27 p.m., Antony Stone escribió:
>>
>> On Tuesday 09 January 2018 at 21:28:37, Yoinier Hernandez Nieves wrote:
>>
>>> I am trying to configure Squid 3.5 on CentOS 7 with SSL Bump.
>>>
>>> But I have some problems. The first:
>>>
>>> Some HTTPS sites I cannot access, because Squid says that I am not
>>> authenticated. Other sites, yes, I can access.
>>
>> Please give us information:
>>
>> 1. An example of sites can you access.
> not https
>
>> 2. An example of sites can you not access.
> https://www.ssllabs.com/ssltest/viewMyClient.html
> https://outlook.co.il/
> https://www.facebook.com
>
>> 3. For problems, show us error messages - quote us what the remote
>> sites tell
>> you.
>
> The following error was encountered while trying to retrieve the URL:
> https://outlook.co.il/
>
>     *Cache Access Denied*
>
> Sorry, you are not currently allowed to request https://outlook.co.il/
> from this cache until you have authenticated yourself.
>
> Please contact the cache administrator if you have difficulties
> authenticating yourself.
> (the page's mailto link carries: ErrPage ERR_CACHE_ACCESS_DENIED,
> CacheHost artemisa.conalza.co.cu, ClientIP 172.25.100.4, and the
> Firefox 57 request headers for GET / with Host: outlook.co.il)
>
>>
>> 4. Please rephrase "squid say what I am are not authenticated" - this
>> is not
>> clear - what do you mean?
>>
>>> I am authenticated.
>>
>> To what?  Squid, or the remote site?
> Squid, see message in Spanish for point 3.
>

Your Squid log snippets you presented below say that the client which
delivered a CONNECT message to Squid was authenticated. Things inside
the tunnel encryption *cannot* be authenticated as separate things.
Squid associates the credentials from the CONNECT tunnel for each
request inside that tunnel.

That means that if you have any auth related config settings to the
https:// request(s) which cause those credentials to need to be
re-checked, to timeout, or any of a multitude of other situations that
normally occur with auth - then the bumped traffic in that bump'd tunnel
from that point onward cannot be serviced and you will start to have
errors. The only viable solution is to avoid authentication checks on
the decrypted / MITM'd / SSL-Bump'd traffic.



> Other error is that
> https://www.kiosco.bandec.cu/kiosco
> Error negotiating SSL on FD 16: error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
> The following error was encountered while trying to retrieve the URL:
> https://www.kiosco.bandec.cu/*
>
>     *Failed to establish a secure connection to 190.6.64.132*
>
> The system returned:
>
>     (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>     SSL Certficate error: certificate issuer (CA) not known:
>     /CN=CX6.bandec.cu
>
> This proxy and the remote host failed to negotiate a mutually acceptable
> security settings for handling your request. It is possible that the
> remote host does not support secure connections, or the proxy is not
> satisfied with the host security credentials.
>

Please read the above error message carefully. It explains exactly what
is going wrong, and from that you should be able to find the MANY
discussion threads that exact same error message has had in here and
elsewhere over the past few years.

Your options are to:

* configure
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
(may require a Squid-3.5 upgrade), or

* upgrade to Squid-4 which auto-downloads these things.


>>
>> How do you know you are authenticated - what confirmation do you have?
>>
>>> Fragment of my squid.conf.
>>>
>>> http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/ConAlza.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB# options=NO_SSLv3 dhparams=/etc/squid/ssl_cert/dhparam.pem
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>>> acl step1 at_step SslBump1
>>> acl step2 at_step SslBump2
>>> acl step3 at_step SslBump3
>>> ssl_bump peek step1
>>> ssl_bump bump all
>>> authenticate_ip_ttl 60 seconds
>>
>> That looks a bit strange (and a bit incomplete) to me, but since I'm
>> no expert
>> on SSL interception, I'll let someone else step in here.


The authenticate_ip_ttl is irrelevant except that if the auth system
obeys it, the result will be all persistent connections producing errors
60 seconds after they become authenticated.


>>
>> If you can provide more information in the meantime (eg: enough to help
>> someone else replicate your problem) that would be good.
>>
> I use too dansguardians before the squid proxy.
>
> See the logs for one petition
>
> 1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
> 1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
> 1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>
> aaa.aaa.aaa.aaa is my pc.
> bbb.bbb.bbb.bbb is the dansguardians
>

This is Squid delivering that above TLS error message to the client.
Because of how browsers refuse to display errors presented by proxies to
CONNECT requests, Squid is being forced to decrypt the HTTP message in
the HTTPS tunnel and send the error page as a response to that encrypted
request.



Amos
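The X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error quoted above means the server presented a certificate whose issuer (here /CN=CX6.bandec.cu) is neither in the proxy's trust store nor in the handshake, so Squid cannot build a chain to a trusted root. The following is an added example, not code from the thread or from the Squid project: it reproduces the failure with a throwaway root/intermediate/leaf built with the openssl CLI, then shows that offering the intermediate as untrusted chain material, which is what sslproxy_foreign_intermediate_certs does in the later Squid-3.5 releases Amos refers to, makes verification pass. All names, paths and the host www.kiosco.example are invented; fetch_server_chain is the only part that touches the network and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): reproduce the
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY failure with a throwaway PKI
# and show that handing the missing intermediate to the verifier fixes it.
# Needs only the openssl CLI. All names and paths are invented.

# Build root CA -> intermediate CA -> leaf under $1. The root plays the CA
# the proxy already trusts; the intermediate is the "issuer (CA) not known".
make_test_chain() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config so this does not depend on the system openssl.cnf.
  cat >"$dir/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' >"$dir/inter.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.kiosco.example' >"$dir/leaf.ext"
  for n in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$n.key" 2>/dev/null
  done
  # Self-signed root; CA:TRUE comes from ca_ext above.
  openssl req -x509 -config "$dir/req.cnf" -key "$dir/root.key" \
    -subj "/CN=Test Root CA" -days 30 -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -config "$dir/req.cnf" -key "$dir/inter.key" \
    -subj "/CN=Test Intermediate CA" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/inter.ext" -days 30 -out "$dir/inter.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$dir/req.cnf" -key "$dir/leaf.key" \
    -subj "/CN=www.kiosco.example" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -days 30 -out "$dir/leaf.pem" 2>/dev/null
}

# Verify the leaf the way the proxy does. $2 = "without": only the root is
# known, i.e. the server sent a bare leaf. $2 = "with": the intermediate is
# offered as untrusted chain material, which is what
# sslproxy_foreign_intermediate_certs does for Squid.
verify_leaf() {
  dir=$1
  untrusted=""
  if [ "$2" = "with" ]; then untrusted="-untrusted $dir/inter.pem"; fi
  # $untrusted is deliberately unquoted so it splits into two arguments.
  out=$(openssl verify -CAfile "$dir/root.pem" $untrusted "$dir/leaf.pem" 2>&1 || true)
  # OpenSSL's "error 20" is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
  case "$out" in
    *": OK"*) printf 'OK\n' ;;
    *"unable to get local issuer certificate"*) printf 'unable to get local issuer certificate\n' ;;
    *) printf 'other error: %s\n' "$out" ;;
  esac
}

# Write the intermediates the proxy must be told about into one PEM bundle
# (the file named by sslproxy_foreign_intermediate_certs) and report how many.
build_foreign_bundle() {
  cat "$1/inter.pem" >"$2"
  grep -c 'BEGIN CERTIFICATE' "$2"
}

# For a real site: dump what the server actually sends. If the intermediate
# is missing here as well, fetch it from the leaf's AIA "CA Issuers" URL
# (openssl x509 -in leaf.pem -noout -text shows it) and append it to the
# bundle; Squid-4 automates that download. Touches the network; not run here.
fetch_server_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  make_test_chain "$d"
  echo "root only:         $(verify_leaf "$d" without)"
  build_foreign_bundle "$d" "$d/foreign_intermediates.pem" >/dev/null
  echo "with intermediate: $(verify_leaf "$d" with)"
  echo "squid.conf: sslproxy_foreign_intermediate_certs $d/foreign_intermediates.pem"
  rm -rf "$d"
fi
```

Run it with RUN_DEMO=1 to see the two verification results side by side. Note that the server in the thread evidently sends a bare leaf, so fetch_server_chain alone will not yield the missing CA; the AIA URL in the leaf, or the CA's own site, is where the intermediate has to come from, and it has to be refreshed when the site's CA rotates it.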

Re: Squid and SSL Bump

Yoinier Hernandez Nieves

On 10/01/2018, at 8:47 a.m., Amos Jeffries <[hidden email]> wrote:

> On 10/01/18 10:56, Yoinier Hernandez Nieves wrote:
> [...]
> This is Squid delivering that above TLS error message to the client. Because of how browsers refuse to display errors presented by proxies to CONNECT requests, Squid is being forced to decrypt the HTTP message in the HTTPS tunnel and send the error page as a response to that encrypted request.

I tried connecting directly to the proxy, and this is the result:

1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html

How can I fix this?



Re: Squid and SSL Bump

Amos Jeffries
On 11/01/18 09:33, Yoinier Hernandez Nieves wrote:

>
> I tried connecting directly to the proxy, and this is the result:
>
> 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
> 1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
> 1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>
> How can I fix this?


What exactly do you think needs "fixing" ?


Amos

Re: Squid and SSL Bump

Yoinier Hernandez Nieves

> On 11/01/2018, at 12:46 a.m., Amos Jeffries <[hidden email]> wrote:
>
> On 11/01/18 09:33, Yoinier Hernandez Nieves wrote:
>> I tried connecting directly to the proxy, and this is the result:
>> 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
>> 1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
>> 1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>> How can I fix this?
>
>
> What exactly do you think needs "fixing" ?

I need to fix the problem with the auth failure.

It says:

Sorry, you are not currently allowed to request https://www.google.com/search? from this cache until you have authenticated yourself.

But I am still authenticated, see the log, user ynieves.

Thanks

Yoinier Hernandez Nieves

>
>
> Amos

Re: Squid and SSL Bump

Yoinier Hernandez Nieves
In reply to this post by Amos Jeffries

On 11/01/2018, at 12:46 a.m., Amos Jeffries <[hidden email]> wrote:

> On 11/01/18 09:33, Yoinier Hernandez Nieves wrote:
>> I tried connecting directly to the proxy, and this is the result:
>> 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
>> 1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
>> 1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>> How can I fix this?
>
> What exactly do you think needs "fixing" ?

1515681064.026  28086 10.22.1.40 TCP_MISS/200 41681 GET http://media2.coltiendas.com/img/p/7/6/2/2/7622-home_default.jpg ynieves HIER_DIRECT/67.205.111.16 image/jpeg
1515681064.026  28087 10.22.1.40 TCP_MISS/200 50331 GET http://media2.coltiendas.com/img/p/7/5/9/8/7598-home_default.jpg ynieves HIER_DIRECT/67.205.111.16 image/jpeg
1515681066.950  29978 10.22.1.40 TCP_MISS/200 57206 GET http://www.coltiendas.com/themes/default-bootstrap/fonts/fontawesome-webfont.woff2? ynieves HIER_DIRECT/192.155.83.60 -
1515681106.482   1247 10.22.1.40 TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515681106.497      0 10.22.1.40 TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515681106.539      0 10.22.1.40 TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html

See: first an HTTP access that works correctly, then the denied requests to ssllabs.com, all with the user authenticated.




Re: Squid and SSL Bump

Amos Jeffries
In reply to this post by Yoinier Hernandez Nieves
On 12/01/18 03:24, Yoinier Hernandez Nieves wrote:

>
>> El 11/01/2018, a las 12:46 a.m., Amos Jeffries escribió:
>>
>> On 11/01/18 09:33, Yoinier Hernandez Nieves wrote:
>>> I tried connecting directly to the proxy, and this is the result:
>>> 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
>>> 1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
>>> 1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>>> How can I fix this?
>>
>>
>> What exactly do you think needs "fixing" ?
>
> I need to fix the problem with the auth failure.
>
> It says:
>
> Sorry, you are not currently allowed to request https://www.google.com/search? from this cache until you have authenticated yourself.
>
> But I am still authenticated, see the log, user ynieves.
>

Then something in your squid.conf is forbidding username ynieves access
to use the proxy and defining that other username might be allowed. But
it provides that info far too late to re-authenticate the already
finished CONNECT message with usable credentials.

Please post *all* of your squid.conf settings so we can look in places
you might not have expected to find auth relationships. Just exclude
empty lines and # comments.


Amos
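Amos's explanation (the credentials belong to the CONNECT; an auth decision that has to be re-made inside the bumped tunnel arrives too late to be satisfied) leaves a recognisable footprint in access.log: an authenticated CONNECT to host:443, then within milliseconds a TCP_DENIED/403 for a GET https://host/... under the same username, usually followed by a 503 for the squid-internal-static icon of the error page. The following is an added example, not from the thread or the Squid project, that picks that pattern out of Squid's native log format (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type) with awk. The sample lines are the thread's own excerpts, addresses as posted, plus two constructed lines for a tunnel that keeps working; the host www.example.test and its address are invented.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): find CONNECT
# tunnels that were accepted with credentials and then had a decrypted
# https:// request inside them rejected with 403 under the same username.

detect_tunnel_auth_denials() {
  awk '
    # "www.x.com:443" or "https://www.x.com/path" -> "www.x.com"
    function host_of(url,  h) {
      h = url
      sub(/^https?:\/\//, "", h)
      sub(/[\/:].*$/, "", h)
      return h
    }
    # Remember each authenticated, successful CONNECT by (user, host).
    # $1 is the timestamp, $8 the username ("-" when unauthenticated).
    $6 == "CONNECT" && $4 ~ /\/200$/ && $8 != "-" {
      seen[$8 SUBSEP host_of($7)] = $1
      next
    }
    # A 403 for a decrypted https:// request under a username Squid has
    # already accepted for a tunnel to that host, within a few seconds:
    # auth was re-checked inside the tunnel and could not be satisfied.
    $6 != "CONNECT" && $4 == "TCP_DENIED/403" && $7 ~ /^https:\/\// {
      k = $8 SUBSEP host_of($7)
      if ((k in seen) && ($1 - seen[k]) < 10)
        printf "%s user=%s host=%s client=%s denied %.3fs after its authenticated CONNECT\n",
               $1, $8, host_of($7), $3, $1 - seen[k]
    }
  ' "$@"
}

# Sample input: the first seven lines are copied from the thread; the last
# two are constructed to show a tunnel whose inner request is served.
sample_log() {
  cat <<'EOF'
1515534858.355   3720 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515534858.375      0 bbb.bbb.bbb.bbb TCP_DENIED/403 4457 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515534858.407      0 bbb.bbb.bbb.bbb TAG_NONE/503 4952 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
1515681064.026  28086 10.22.1.40 TCP_MISS/200 41681 GET http://media2.coltiendas.com/img/p/7/6/2/2/7622-home_default.jpg ynieves HIER_DIRECT/67.205.111.16 image/jpeg
1515681106.482   1247 10.22.1.40 TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
1515681106.497      0 10.22.1.40 TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
1515681106.539      0 10.22.1.40 TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
1515681110.000    500 10.22.1.40 TAG_NONE/200 0 CONNECT www.example.test:443 ynieves HIER_DIRECT/192.0.2.10 -
1515681110.120    118 10.22.1.40 TCP_MISS/200 5120 GET https://www.example.test/ ynieves HIER_DIRECT/192.0.2.10 text/html
EOF
}

# Number of flagged tunnels in the sample.
count_hits() { sample_log | detect_tunnel_auth_denials | wc -l | tr -d ' '; }
```

Against a live proxy, run `detect_tunnel_auth_denials /var/log/squid/access.log`. Keying on the username rather than the client address is deliberate: in the first excerpt the CONNECT and the inner GET are logged from different addresses (the PC and the DansGuardian box), yet they are the same tunnel.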

Re: Squid and SSL Bump

Yoinier Hernandez Nieves

The user ynieves is a member of the AD groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet”.

Thanks.

Yoinier Hernandez Nieves.

> On 11/01/2018, at 10:47 a.m., Amos Jeffries <[hidden email]> wrote:
>
> On 12/01/18 03:24, Yoinier Hernandez Nieves wrote:
>>> El 11/01/2018, a las 12:46 a.m., Amos Jeffries escribió:
>>>
>>> On 11/01/18 09:33, Yoinier Hernandez Nieves wrote:
>>>> I tried connecting directly to the proxy, and this is the result:
>>>> 1515616366.189   1359 aaa.aaa.aaa.aaa TAG_NONE/200 0 CONNECT www.ssllabs.com:443 ynieves HIER_DIRECT/64.41.200.100 -
>>>> 1515616366.207      0 aaa.aaa.aaa.aaa TCP_DENIED/403 4419 GET https://www.ssllabs.com/ssltest/viewMyClient.html ynieves HIER_NONE/- text/html
>>>> 1515616366.244      0 aaa.aaa.aaa.aaa TAG_NONE/503 4914 GET http://artemisa.conalza.co.cu:3128/squid-internal-static/icons/SN.png ynieves HIER_DIRECT/64.41.200.100 text/html
>>>> How can I fix this?
>>>
>>>
>>> What exactly do you think needs "fixing" ?
>> I need to fix the problem with the auth failure.
>> It says:
>> Sorry, you are not currently allowed to request https://www.google.com/search? from this cache until you have authenticated yourself.
>> But I am still authenticated, see the log, user ynieves.
>
> Then something in your squid.conf is forbidding username ynieves access to use the proxy and defining that other username might be allowed. But it provides that info far too late to re-authenticate the already finished CONNECT message with usable credentials.
>
> Please post *all* of your squid.conf settings so we can look in places you might not have expected to find auth relationships. Just exclude empty lines and # comments.
>
>
> Amos

Attachment: squid.conf (13K)

Re: Squid and SSL Bump

Amos Jeffries
On 13/01/18 02:00, Yoinier Hernandez Nieves wrote:
>
> The user ynieves is a member of the AD groups “internet”, “socialNetwork”, “youtube” and “moderadoresSocNet”.
>

So most of your http_access lines end with group checks. That could be a
problem later. Right now its not clear which would be rejecting with
that auth message, and the status being 403 indicates a hard failure
rather than re-auth.


I suggest doing the usual thing of placing a single "http_access deny
!users" line first, then appending " all" to the lines that normally end
with a group check.

Like:

   http_access deny !users

   http_access allow cubaDomains cubaPC all
   http_access allow cubaDomains national all
   http_access allow cubaDomains internet all
   http_access deny SQUISHED1 all

   http_access allow socialDomains moderadoresSocNet all
   http_access allow socialTime socialDomains socialNetwork all
   http_access allow socialTime youtubeDomains youtuber all


For the delay pools there is no need to re-authenticate at all. Use the
"note" ACL type to check that a username exists. Like so:

   acl loggedIn note user .

   delay_access 2 allow loggedIn workTime \
     !extDownloads !extDocuments !delaysFree


Also, the pool using only "-1/-1" as its parameters should be removed.
Squid links multiple pools to a transaction, so it is not doing what you
think it does. To make certain transactions unlimited simply deny them
being added to the other pools. That will also make your existing rules
much simpler:

   delay_access 2 deny delaysFree
   delay_access 2 allow loggedIn workTime !extDownloads !extDocuments
   delay_access 2 deny all


Also, your media and mediapr checks are slow regex tests. They should be
placed after the default security checks.


If the problem remains after all the above changes are made you will
need to track down what is generating the error page using cache.log
trace with "debug_options ALL,5".

Amos
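Amos's "usual thing" (deny !users first, then a trailing all on the lines that end with a group check) rests on a documented Squid behaviour: when the last ACL on an http_access line is one that needs credentials (proxy_auth, or an external ACL whose helper is fed %LOGIN) and it does not match, Squid reports the denial as an authentication problem, the "until you have authenticated yourself" page seen earlier in this thread, instead of a plain deny. Below is an added example, not from the thread or the Squid project: a small awk lint that flags such lines in a squid.conf, run against two constructed fragments, one shaped like the reporter's rules and one rewritten the way Amos suggests. ACL names follow the thread; the helper programs, LDAP parameters and domains are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): lint http_access
# lines whose last ACL needs credentials. Squid turns a non-match on such a
# trailing ACL into "authentication required" rather than a plain deny; the
# fix is "http_access deny !users" up front and a trailing "all" elsewhere.

lint_http_access() {
  awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next }
    # external ACL types whose helper receives the username
    $1 == "external_acl_type" { for (i = 3; i <= NF; i++) if ($i ~ /%LOGIN|%un/) login_type[$2] = 1 }
    $1 == "acl" && ($3 == "proxy_auth" || $3 == "proxy_auth_regex") { auth[$2] = 1 }
    $1 == "acl" && $3 == "external" { ext_of[$2] = $4 }
    $1 == "http_access" { ha[++n] = $0 }
    END {
      for (a in ext_of) { t = ext_of[a]; if (t in login_type) auth[a] = 1 }
      gate_seen = 0
      for (i = 1; i <= n; i++) {
        m = split(ha[i], f, /[ \t]+/)
        last = f[m]; name = last; sub(/^!/, "", name)
        if (!(name in auth)) continue
        if (!gate_seen) {
          gate_seen = 1
          if (!(f[2] == "deny" && last ~ /^!/))
            printf "WARN: first auth-dependent line is \"%s\"; put \"http_access deny !%s\" before it\n", ha[i], name
        }
        if (last !~ /^!/)
          printf "WARN: \"%s\" ends with auth ACL %s; append \" all\" so a non-match is a plain deny, not an auth challenge\n", ha[i], name
      }
    }
  ' "$@"
}

# Constructed fragment shaped like the reporter's rules: every allow line
# ends with a group ACL that requires credentials.
bad_conf() {
  cat <<'EOF'
# helper paths and LDAP parameters are hypothetical
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b dc=example,dc=test -h ldap.example.test
external_acl_type adgroup ttl=300 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -b dc=example,dc=test -h ldap.example.test
acl users proxy_auth REQUIRED
acl internet external adgroup internet
acl socialNetwork external adgroup socialNetwork
acl cubaDomains dstdomain .cu
acl socialDomains dstdomain .facebook.com
http_access allow localhost
http_access allow cubaDomains internet
http_access allow socialDomains socialNetwork
http_access deny all
EOF
}

# The same rules rewritten as Amos suggests.
good_conf() {
  cat <<'EOF'
external_acl_type adgroup ttl=300 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -b dc=example,dc=test -h ldap.example.test
acl users proxy_auth REQUIRED
acl internet external adgroup internet
acl socialNetwork external adgroup socialNetwork
acl cubaDomains dstdomain .cu
acl socialDomains dstdomain .facebook.com
http_access allow localhost
http_access deny !users
http_access allow cubaDomains internet all
http_access allow socialDomains socialNetwork all
http_access deny all
EOF
}

# $1 names one of the fragment functions above; prints the warning count.
count_warnings() { "$1" | lint_http_access | grep -c '^WARN' || true; }
```

Run `lint_http_access /etc/squid/squid.conf` on a real file; the lint only looks at the last ACL of each http_access line, so ACLs that merely appear earlier on a line are not reported, and delay_access lines (which Amos says should use the note ACL rather than re-authenticate) are out of its scope.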