Transparent Squid issue with Appstore in MacOS Sierra


Transparent Squid issue with Appstore in MacOS Sierra

Hardik Dangar
Hello,


Here is some information about my Squid version:

Squid Cache: Version 3.5.23
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake' '--enable-ecap'


We are running Squid as a transparent proxy and have certs installed on all systems. Until recently all our systems were Ubuntu or Windows. Recently we added macOS Sierra, and the biggest issue we had with Mac is that even after installing certificates, a few apps have problems.

Our biggest problem is the iTunes Store. It just doesn't work for some reason. If we check the log we get random IPs trying to connect via port 443, but it doesn't connect.
Also Skype for Mac does not work. Strangely, this works for Windows and Ubuntu in our network. Again we see the same behavior.

Both of these apps do not work even on iPhone and iPad.

I believe someone must be able to configure transparent Squid with Mac. Can anyone tell me if I need to do anything extra for the Mac setup?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent Squid issue with Appstore in MacOS Sierra

Hardik Dangar
Here is my squid.conf: http://pastebin.com/raw/9BTcpVkL

Here is what the log looks like when I grep packets from Apple devices while the App Store is opened.

1486551793.635    742 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
1486551796.343  30610 192.168.1.12 TAG_NONE/200 0 CONNECT 104.113.210.17:443 - HIER_NONE/- -
1486551796.343  30605 192.168.1.12 TCP_TUNNEL/200 30574 CONNECT init.itunes.apple.com:443 - ORIGINAL_DST/104.113.210.17 -
1486551799.097  30326 192.168.1.12 TAG_NONE/200 0 CONNECT 104.113.210.17:443 - HIER_NONE/- -
1486551799.097  30324 192.168.1.12 TCP_TUNNEL/200 30584 CONNECT init.itunes.apple.com:443 - ORIGINAL_DST/104.113.210.17 -
1486551799.502    726 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
2017/02/08 16:33:19 kid1| SECURITY ALERT: Host header forgery detected on local=17.173.66.101:443 remote=192.168.1.12:53158 FD 477 flags=33 (local IP does not match any domain IP)
1486551805.013  59549 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
2017/02/08 16:33:33 kid1| SECURITY ALERT: Host header forgery detected on local=104.113.210.17:443 remote=192.168.1.12:53159 FD 659 flags=33 (local IP does not match any domain IP)
1486551826.441  57130 192.168.1.12 TAG_NONE/200 0 CONNECT 17.173.66.96:443 - HIER_NONE/- -
1486551826.441  57052 192.168.1.12 TCP_TUNNEL/200 6671 CONNECT pd-st.itunes.apple.com:443 - ORIGINAL_DST/17.173.66.96 -
1486551852.061    211 192.168.1.12 TAG_NONE/200 0 CONNECT 104.113.210.11:443 - ORIGINAL_DST/104.113.210.11 -
1486551852.434    216 192.168.1.12 TCP_MISS/200 7010 GET https://configuration.apple.com/configurations/internetservices/cloudkit/cloudkit-1.0.plist - ORIGINAL_DST/104.113.210.11 text/xml
1486551881.425    234 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551881.791    130 192.168.1.12 TCP_MISS_ABORTED/200 620 ACE https://guzzoni.apple.com/ace - ORIGINAL_DST/17.252.172.5 -
1486551882.684    207 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551882.829    348 192.168.1.12 TCP_REFRESH_MODIFIED/200 415 HEAD http://www.apple.com/ - ORIGINAL_DST/104.113.211.46 text/html
1486551882.859     68 192.168.1.12 TCP_MISS/200 101 HEAD https://guzzoni.apple.com/salt - ORIGINAL_DST/17.252.172.5 -
1486551883.004    207 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551883.083     67 192.168.1.12 TCP_MISS/406 133 HEAD https://guzzoni.apple.com/ace - ORIGINAL_DST/17.252.172.5 -
1486551884.123    202 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551884.301     81 192.168.1.12 TCP_MISS_ABORTED/200 622 ACE https://guzzoni.apple.com/ace - ORIGINAL_DST/17.252.172.5 -
1486551886.908     43 192.168.1.12 TCP_REFRESH_MODIFIED/200 415 HEAD http://www.apple.com/ - ORIGINAL_DST/104.113.211.46 text/html
1486551887.085    207 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551887.168     67 192.168.1.12 TCP_MISS/406 133 HEAD https://guzzoni.apple.com/ace - ORIGINAL_DST/17.252.172.5 -
1486551887.310    200 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551887.416     68 192.168.1.12 TCP_MISS/200 101 HEAD https://guzzoni.apple.com/salt - ORIGINAL_DST/17.252.172.5 -


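The access.log excerpt above carries two records per intercepted TLS connection: the fake CONNECT to an IP:443 that Squid logs at intercept time (TAG_NONE/200, 0 bytes), and then either a TCP_TUNNEL CONNECT with a hostname (peek saw the SNI and the connection was spliced) or an https:// request with a real method such as GET or ACE (the connection was bumped and decrypted). A fake CONNECT with no follow-up record for that destination, like the three to 17.110.234.27, means Squid never logged anything decrypted for it. The cache.log SECURITY ALERT lines name intercepted destinations whose IP was not among the addresses Squid itself resolved for the server name. The following Python script is an added example, not code from the thread or from Squid: it parses both log formats and summarizes each destination IP this way. The sample lines are excerpted from the post above; the verdict labels are the script's own.

```python
"""Triage Squid intercept + ssl_bump logs per destination IP: spliced, bumped,
or intercepted with nothing decrypted afterwards, plus host-header forgery hits.
Added example for this thread, not code from the posts or from Squid; sample
lines are excerpted from the logs posted above, verdict labels are this script's."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native-format access.log lines excerpted from the post above.
ACCESS_LOG = """\
1486551793.635    742 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
1486551796.343  30610 192.168.1.12 TAG_NONE/200 0 CONNECT 104.113.210.17:443 - HIER_NONE/- -
1486551796.343  30605 192.168.1.12 TCP_TUNNEL/200 30574 CONNECT init.itunes.apple.com:443 - ORIGINAL_DST/104.113.210.17 -
1486551799.502    726 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
1486551805.013  59549 192.168.1.12 TAG_NONE/200 0 CONNECT 17.110.234.27:443 - ORIGINAL_DST/17.110.234.27 -
1486551881.425    234 192.168.1.12 TAG_NONE/200 0 CONNECT 17.252.172.5:443 - ORIGINAL_DST/17.252.172.5 -
1486551881.791    130 192.168.1.12 TCP_MISS_ABORTED/200 620 ACE https://guzzoni.apple.com/ace - ORIGINAL_DST/17.252.172.5 -
1486551882.829    348 192.168.1.12 TCP_REFRESH_MODIFIED/200 415 HEAD http://www.apple.com/ - ORIGINAL_DST/104.113.211.46 text/html
"""

# cache.log alerts excerpted from the post above.
CACHE_LOG = """\
2017/02/08 16:33:19 kid1| SECURITY ALERT: Host header forgery detected on local=17.173.66.101:443 remote=192.168.1.12:53158 FD 477 flags=33 (local IP does not match any domain IP)
2017/02/08 16:33:33 kid1| SECURITY ALERT: Host header forgery detected on local=104.113.210.17:443 remote=192.168.1.12:53159 FD 659 flags=33 (local IP does not match any domain IP)
"""

FORGERY_RE = re.compile(r"Host header forgery detected on local=(?P<dst>[\d.]+):\d+")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def parse_access_line(line):
    """Split a native access.log line: time elapsed client code/status bytes
    method url user hier/peer type. Returns None for lines that do not fit."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"time": float(f[0]), "client": f[2], "code": code, "status": status,
            "method": f[5], "url": f[6], "hier": hier, "peer": peer}


def destination_ip(rec):
    """Server IP for the record: the ORIGINAL_DST peer when Squid logged one,
    else the IP in the fake CONNECT target logged at intercept time."""
    if rec["peer"] not in ("", "-"):
        return rec["peer"]
    if rec["method"] == "CONNECT" and IP_PORT_RE.match(rec["url"]):
        return rec["url"].rsplit(":", 1)[0]
    return None


def classify(rec):
    """Which ssl_bump outcome a record evidences, plus the server name it shows."""
    if rec["method"] == "CONNECT":
        if IP_PORT_RE.match(rec["url"]):
            return "intercepted", None                       # fake CONNECT, no SNI yet
        if rec["code"] == "TCP_TUNNEL":
            return "spliced", rec["url"].rsplit(":", 1)[0]   # spliced tunnel, SNI known
        return None, None
    if rec["url"].startswith("https://"):
        return "bumped", urlsplit(rec["url"]).hostname       # decrypted request
    return None, None                                        # plain http://, not TLS


def triage(access_log, cache_log):
    """Return {dst_ip: summary} for every intercepted TLS destination."""
    per_dst = defaultdict(lambda: {"intercepted": 0, "spliced": 0, "bumped": 0,
                                   "names": set(), "forgery_alerts": 0})
    for line in access_log.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        kind, name = classify(rec)
        dst = destination_ip(rec)
        if kind is None or dst is None:
            continue
        per_dst[dst][kind] += 1
        if name:
            per_dst[dst]["names"].add(name)
    for line in cache_log.splitlines():
        m = FORGERY_RE.search(line)
        if m:
            per_dst[m.group("dst")]["forgery_alerts"] += 1
    for s in per_dst.values():
        if s["spliced"]:
            s["verdict"] = "spliced"
        elif s["bumped"]:
            s["verdict"] = "bumped"
        elif s["intercepted"]:
            s["verdict"] = "intercepted only"   # nothing decrypted was ever logged
        else:
            s["verdict"] = "forgery alert only"
    return dict(per_dst)


if __name__ == "__main__":
    for ip, s in sorted(triage(ACCESS_LOG, CACHE_LOG).items()):
        names = ",".join(sorted(s["names"])) or "-"
        print(f"{ip:16} {s['verdict']:19} intercepted={s['intercepted']} spliced={s['spliced']} "
              f"bumped={s['bumped']} alerts={s['forgery_alerts']} names={names}")
```

Run against the full access.log and cache.log and look first at "intercepted only" destinations: under `ssl_bump bump all` those are connections the client opened and then dropped once it got the bumped certificate. The script cannot name them, because the fake CONNECT record carries only the IP; to get the client's SNI into access.log for those, add `%ssl::>sni` to the logformat (available in Squid 3.5), which turns the IP list into the hostnames to consider for the splice list.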

Re: Transparent Squid issue with Appstore in MacOS Sierra

Eliezer Croitoru
Can you give me/us a link to instructions for how you have installed the certificate on Mac OS?
I know how to do it on Windows and Linux but not Mac OS.

Also, have you tried using peek and splice? From your email it seems you have not tried to use these. (If you need instructions I would be happy to share what I am using for Windows updates; it can be adapted to the App Store.)

Thanks,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Hardik Dangar
Sent: Tuesday, February 7, 2017 9:06 PM
To: Squid Users <[hidden email]>
Subject: [squid-users] Transparent Squid issue with Appstore in MacOS Sierra


Re: Transparent Squid issue with Appstore in MacOS Sierra

Hardik Dangar
I am using the following command.

I am converting the PEM file into CER using openssl and then putting that file into the keychain using this command:

# ~ is left unquoted so the shell expands it; a quoted "~/mycert.cer" is passed literally
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/mycert.cer

On Wed, Feb 8, 2017 at 9:36 PM, Eliezer Croitoru <[hidden email]> wrote:

Re: Transparent Squid issue with Appstore in MacOS Sierra

Hardik Dangar
Hey Eliezer,

Thanks for the quick response. I am actually using the following:

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

The contents of the url.nobump file are:

update\.microsoft\.com$
update\.microsoft\.com\.akadns\.net$
v10\.vortex\-win\.data\.microsoft.com$
settings\-win\.data\.microsoft\.com$
# The next are trusted SKYPE addresses
a\.config\.skype\.com$
pipe\.skype\.com$
w[0-9]+\.web\.whatsapp\.com$
tty\.scaleway\.com$
eaadhaar\.uidai\.gov\.in$
facebook\.com$
opera\.com$
itunes\.apple\.com$


Do I need to do anything additional? Or are you suggesting I remove bumping completely and just use the splice feature only?


On Thu, Feb 9, 2017 at 3:52 PM, Eliezer Croitoru <[hidden email]> wrote:

Thanks for sharing the details.

But you didn't answer if you tried splice with ssl bump.

Let me know if you have tried it.

Eliezer

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: [hidden email] [mailto:[hidden email]] On Behalf Of Hardik Dangar
Sent: Wednesday, February 8, 2017 10:17 PM
To: Eliezer Croitoru <[hidden email]>
Cc: Squid Users <[hidden email]>
Subject: Re: [squid-users] Transparent Squid issue with Appstore in MacOS Sierra

 


Re: Transparent Squid issue with Appstore in MacOS Sierra

Rafael Akchurin

Hello Hardik and all,

Try adding .mzstatic.com to your exclusions from SSL bump, as indicated at https://docs.diladele.com/faq/squid/sslbump_exlusions/apple_app_store.html

Please note you need to adapt it to a regex, as we use it in the ssl::server_name directive.

Best regards,

Rafael Akchurin

Diladele B.V.


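Two things in this thread can be checked mechanically: the url.nobump list Hardik posted (matched by `ssl::server_name_regex -i`, a case-insensitive regex search that is unanchored unless the pattern anchors itself) and Rafael's `.mzstatic.com` entry, which is written dstdomain-style and must be turned into a regex before that ACL will match it. The Python checker below is an added example, not part of the thread and not Squid's code. It evaluates server names against the list the way the posted ssl_bump rules would once peek has revealed the SNI (splice on a match, bump otherwise), converts a dstdomain-style entry into an anchored regex, and flags two over-broad patterns in the posted list: entries with no left anchor (`facebook\.com$` also matches notfacebook.com) and an unescaped dot (the `microsoft.com` at the end of the vortex entry). URL_NOBUMP copies entries from the posted file; host names other than those from the posted access.log are constructed.

```python
"""Evaluate a Squid url.nobump list the way the posted ACL does
(ssl::server_name_regex -i: case-insensitive, unanchored regex search) and
convert dstdomain-style entries such as .mzstatic.com into anchored regexes.

Added example for this thread, not configuration or code from the posts or
from Squid. URL_NOBUMP copies entries from the posted list; host names used
in the checks are constructed unless they appear in the posted access.log.
"""
import re

URL_NOBUMP = r"""
update\.microsoft\.com$
v10\.vortex\-win\.data\.microsoft.com$
# The next are trusted SKYPE addresses
a\.config\.skype\.com$
pipe\.skype\.com$
facebook\.com$
itunes\.apple\.com$
"""


def load_patterns(text):
    """Compile each non-comment, non-blank line as Squid does for a -i regex ACL."""
    return [re.compile(line.strip(), re.IGNORECASE)
            for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def first_match(name, patterns):
    """The pattern text that makes the ACL match this server name, or None.
    search(), not match(): Squid's regex ACLs are unanchored unless the
    pattern itself carries ^ or $."""
    for p in patterns:
        if p.search(name):
            return p.pattern
    return None


def decision(name, patterns):
    """Mirror the posted rule order once peek has revealed the SNI:
    'ssl_bump splice NoSSLIntercept' wins on a list match, else 'ssl_bump bump all'."""
    return "splice" if first_match(name, patterns) else "bump"


def dstdomain_to_regex(entry):
    """Turn a dstdomain-style entry into an anchored server_name regex.
    A leading dot means the domain and every subdomain: '.mzstatic.com'
    becomes '(^|\\.)mzstatic\\.com$'. Without it, an exact host match."""
    if entry.startswith("."):
        return r"(^|\.)" + re.escape(entry[1:]) + "$"
    return "^" + re.escape(entry) + "$"


def lint(text):
    """Flag entries that splice more than intended: no left anchor (so
    'facebook\\.com$' also matches 'notfacebook.com') or an unescaped dot
    (so 'microsoft.com' also matches 'microsoftXcom')."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        issues = []
        if not line.startswith(("^", "(^")):
            issues.append("no left anchor")
        if re.search(r"(?<!\\)\.", line):      # a '.' not preceded by a backslash
            issues.append("unescaped dot")
        if issues:
            findings[line] = issues
    return findings


if __name__ == "__main__":
    base = load_patterns(URL_NOBUMP)
    extended = load_patterns(URL_NOBUMP + dstdomain_to_regex(".mzstatic.com") + "\n")
    for host in ("init.itunes.apple.com", "a1.mzstatic.com", "configuration.apple.com", "notfacebook.com"):
        print(f"{host:26} posted list: {decision(host, base):6} with .mzstatic.com added: {decision(host, extended)}")
    for entry, issues in lint(URL_NOBUMP).items():
        print(f"check {entry}: {', '.join(issues)}")
```

The anchoring matters because the SNI is chosen by the client: a splice list is a bypass list for decryption, and a pattern that matches any name merely ending in facebook.com grants that bypass to any registrable domain with that ending, not only to the one intended.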
From: squid-users [mailto:[hidden email]] On Behalf Of Hardik Dangar
Sent: Thursday, February 9, 2017 3:44 PM
To: Eliezer Croitoru <[hidden email]>; Squid Users <[hidden email]>
Subject: Re: [squid-users] Transparent Squid issue with Appstore in MacOS Sierra

 
