Trusted CA Certificate with ssl_bump


Sergio Belkin
Hi,

When using something like this:

http_port 8080 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert key=/home/proxy/ssl_cert/example.com.private

Is it possible to use a certificate generated by a trusted CA?

Thanks in advance!
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Trusted CA Certificate with ssl_bump

Yuri Voinov

On 15.11.2016 20:22, Sergio Belkin wrote:
> Is it possible to use a certificate generated by a trusted CA?

No.

In theory, if you can force a trusted CA to issue a subordinate intermediate CA personally to you, then yes, it is possible. But forcing a trusted CA to issue a subordinate CA personally to you is not possible due to the trusted CA's CPS. To do this you would have to be a trusted CA yourself, i.e. pass an audit, have a PKI infrastructure, have a lot of money and blah-blah-blah.

So you can't do SSL bump without notifying users.

--
Cats - delicious. You just do not know how to cook them.

Re: Trusted CA Certificate with ssl_bump

Alex Crow
On 15/11/16 14:22, Sergio Belkin wrote:
> Is it possible to use a certificate generated by a trusted CA?

If you mean a normal commercial CA, then no, because you would need the CA's signing key, which I very much doubt they would give you, and your cert would need to have signing capability, which it won't.

Cheers

Alex


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

Re: Trusted CA Certificate with ssl_bump

Alex Crow
On 15/11/16 14:28, Yuri Voinov wrote:
> So you can't do SSL bump without notifying users.

You can if you have control over the clients, i.e. install your CA into
the browser/OS.

Alex
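The two points Alex makes above, that a CA-issued server certificate has no signing capability and that a private CA only works where you control the client trust store, as an added runnable example. This is not code from the thread or from the Squid project. It builds a throwaway CA and a server certificate carrying the extensions a public CA puts on an end-entity cert, checks which of the two could sign the per-host certificates that generate-host-certificates=on mints, and writes the Squid 3.5 squid.conf fragment plus the client-side trust steps that go with a private CA. The names (bump-ca, example.com), /etc/squid/bump-ca.pem and the ssl_crtd location are placeholders.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): why a CA-issued server
# certificate cannot back ssl-bump, and what a private bump CA setup looks like.
# Everything is generated in a temporary directory; names and paths are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so this does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
EOF

# 1. A private CA: this is the kind of cert/key pair ssl-bump needs in cert=/key=.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=bump-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A server certificate issued by that CA, with the extensions a public CA
#    puts on an end-entity cert: CA:FALSE and no keyCertSign.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/openssl.cnf" -subj "/CN=example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 \
  -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/leaf.crt" 2>/dev/null

# can_sign_certs CERT: succeed only if CERT is marked CA:TRUE and has the
# keyCertSign key usage, i.e. it could sign the per-host certificates that
# generate-host-certificates=on mints. A public CA's server cert fails both.
can_sign_certs() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# chains_to CERT CA: succeed if CERT validates against CA (what a client checks).
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# write_bump_conf CA_PEM OUT: squid.conf fragment (Squid 3.5 syntax) for an
# explicit proxy bumping with the private CA. Initialise the cert cache once with
#   ssl_crtd -c -s /var/lib/squid/ssl_db -M 4MB
# (ssl_crtd path and DB directory are placeholders for this example).
write_bump_conf() {
  cat > "$2" <<EOF
http_port 3128 ssl-bump cert=$1 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# The CA certificate (never its key) is what has to be installed on every client:
#   Debian/Ubuntu: cp ca.crt /usr/local/share/ca-certificates/bump-ca.crt && update-ca-certificates
#   RHEL/Fedora:   cp ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust
#   Firefox keeps its own store and needs the CA imported separately.
cat "$WORK/ca.crt" "$WORK/ca.key" > "$WORK/bump-ca.pem"   # combined PEM for cert=
write_bump_conf /etc/squid/bump-ca.pem "$WORK/squid.conf"
```

Run against a real commercial certificate, can_sign_certs fails for the same reason Alex gives: the CA marks it CA:FALSE without keyCertSign, so even with its private key Squid could not mint per-host certificates that chain to it. The bump CA key stays on the proxy; only ca.crt is distributed.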

Re: Trusted CA Certificate with ssl_bump

Yuri Voinov

On 15.11.2016 20:43, Alex Crow wrote:
> On 15/11/16 14:28, Yuri Voinov wrote:
>> So you can't do SSL bump without notifying users.
>
> You can if you have control over the clients, i.e. install your CA into
> the browser/OS.
... and this can be illegal ;)

Re: Trusted CA Certificate with ssl_bump

Alex Crow
On 15/11/16 16:22, Yuri Voinov wrote:
>> You can if you have control over the clients, i.e. install your CA into
>> the browser/OS.
> ... and this can be illegal ;)

YMMV (depending on where you live/work)!

Re: Trusted CA Certificate with ssl_bump

Yuri Voinov

On 15.11.2016 22:28, Alex Crow wrote:
> On 15/11/16 16:22, Yuri Voinov wrote:
>>> You can if you have control over the clients, i.e. install your CA into
>>> the browser/OS.
>> ... and this can be illegal ;)
>
> YMMV (depending on where you live/work)!
AFAIK spying on users without their agreement is illegal anywhere.

Re: Trusted CA Certificate with ssl_bump

Patrick Chemla

Hi,

I have the same problem, and I need to use trusted CA certificates, so what is the solution?

I have Squid 3.5.20 used for multiple domains, multiple backends, using both HTTP and HTTPS.

Actually, the HTTP configuration is OK, the backends are OK with HTTPS, trusted certificates, verified with wget https://.....

The ACL rules are OK, sending each request to the right backend according to the domain.

I need to add trusted certificates for some domains. I found that I could do that using http_port XXX.XXX.XXX.XXX:443 where I have different IPs, one per certificate.

But I must say that I am really lost in all the options. I have googled for days, I tried a lot of settings (ssl_bump, intercept, self-signed certificates, trusted certificates, ...), I saw differences between old versions and 3.5, and I can't get any of them working.

So, questions:

1/ Should I set up the squid certificate with ONLY self-signed, or is there a way to use trusted certificates? If only self-signed, will the user always be forced to accept the self-signed certificate the first time? Not really good for commercial sites.

2/ Should the backend cache_peer be set as ssl on port 443, or could it be simple http on port 80 (the backends are internal VMs on the same server, no external network between squid and the backends)?

3/ Will the ACL rules work OK to assign each request to the right backend according to the domain, even in HTTPS?

4/ Do you know of some clear and easy howto or examples for such settings, from which I could learn how to do it?

Thanks for the help
Patrick

On 15/11/2016 18:30, Yuri Voinov wrote:
> AFAIK spying on users without their agreement is illegal anywhere.

Re: Trusted CA Certificate with ssl_bump

Alex Crow
In reply to this post by Yuri Voinov
That's why you gain their consent when they sign their employment contract.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Trusted CA Certificate with ssl_bump

Alex Crow
In reply to this post by Patrick Chemla
I'm not sure what you are trying to do. It sounds like you're running a reverse proxy, which has nothing to do with SSL bump or peek/splice.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Trusted CA Certificate with ssl_bump

Amos Jeffries
In reply to this post by Patrick Chemla
On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
> Hi,
>
> I have the same problem, and I need to use trusted CA certificates, so what
> is the solution?

Not to do illegal bad things that violate your contract with the CA.

Any CA which lets you intercept traffic by generating sub-certificates
with their root *will* be blacklisted and effectively "thrown off the
Internet". It has happened already for several CAs who thought that was
an idle threat.

>
> I have Squid 3.5.20 used for multiple domains, multiple backends,
> using both HTTP and HTTPS.

As Alex said, what you describe here sounds a lot more like a
reverse proxy than interception.

Sergio, who started this thread, was intercepting HTTPS traffic sent by
clients to an explicit proxy. All answers so far have been about that
topic, which is probably *not* what you are facing.

The configurations and limitations are very different. So first thing to
do is be clear about what actually you are trying to do.


> So questions:
>
> 1/ Should I set up the squid certificate with ONLY self-signed, or there
> is a way to use Trusted certificates? So if only self-signed, the user
> will be always forced to accept the self-signed certificate on first
> time? not really good for commercial sites.
>

Are you the owner of the website(s) or an authorized CDN/Hosting
provider for them ?


> 2/ Should the backend cache_peer set as ssl on port 443, or could it be
> simple http 80 (backends are internal VMs onto the same server, no
> external network between squid and backends)?
>

That depends on your answer to the above.

> 3/ Will the acls rules work OK to affect each request to the right
> backend according to domain, even in HTTPS?
>

Yes. But the detail may not be what you expect. It depends on the above
answers.

> 4/ Do you know some clear and easy howto, examples, for such settings,
> from where I could get how to do?
>

<http://wiki.squid-cache.org/ConfigExamples/> contains all of the
configurations you might need. But which one(s) are correct for you
depends on what you are actually needing to do.

Amos


Re: Trusted CA Certificate with ssl_bump

Patrick Chemla
Thanks for your answers. I am not doing anything illegal, I am trying to
build a high-performance platform.

I have a big server running about 10 different websites.

I have virtual machines on this server, each specialized for one or more
websites, and squid helps me send the traffic to the destination
website on the internal VM according to the URL.

Some VMs are paired, so squid will load-balance the traffic on a group of
VMs according to the URL/ACLs.

All this works in HTTP, thanks to Amos's advice a few weeks ago.

Now I need to set up SSL traffic, and because the domains are different I
need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid work with SSL and never
succeeded because of so many options, and this question: should the traffic
between squid and the backend be SSL? If yes, it's OK for me.
Nothing illegal.

The second question: how to set up the SSL link on squid, getting the SSL
request and sending it to the backend. Actually the backend can handle SSL
traffic; it's OK for me if I find the way to make squid handle the
traffic according to the ACLs. Squid must decrypt the request, compute
the ACLs, then re-encrypt to send to the backend.

The reason I asked not to re-encrypt is performance. All this
is on the same server, from the host to the VMs, and decrypt, then
re-encrypt, then decrypt will be resource consuming. But I can do it
like that.

Now, do you have any clear howto that will help? I found many on
Google and none gave me a working solution.

The other question is about trusted certificates. We have trusted
certificates on the websites. Should we use the same on the squid?

Thanks for your appreciated help

Patrick

On 16/11/2016 14:27, Amos Jeffries wrote:
> Are you the owner of the website(s) or an authorized CDN/Hosting
> provider for them ?

Re: Trusted CA Certificate with ssl_bump

Alex Crow

On 16/11/16 17:33, Patrick Chemla wrote:
> The other question is about trusted certificates. We have trusted
> certificates on the websites. Should we use the same on the squid?
You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all the
certs you need.

See:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each domain and
set up multiple https_port with a different listening IP for each site.
If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.

Here's a couple more:

http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )

http://www.squid-cache.org/Doc/config/https_port/

That's as far as my knowledge goes on reverse in Squid; at my site we
use nginx. But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.

Alex

Re: Trusted CA Certificate with ssl_bump

Patrick Chemla
Many thanks Alex. I will try in the next hours and let you know if I am
successful.

Patrick

Re: Trusted CA Certificate with ssl_bump

Patrick Chemla
Hi Alex,

I followed the

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: Is there something bad there?

======================================
debug_options   ALL,1  33,2 28,9

http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key

cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP2

acl w3_semplixxxx dstdomain .semplixxxx.com
cache_peer_access SEMP1 allow w3_semplixxxx
cache_peer_access SEMP1 deny all

http_access allow w3_semplixxxx

=====================================

$ wget https://www.semplixxxx.com
--2016-11-17 19:34:49--  https://www.semplixxxx.com/
Resolving www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
Connecting to www.semplitech.com (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Same error with the browser
=========================================
This is what I have in the access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE

===========================================
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583)
clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong:
local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck:
0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking
(access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
(access_log daemon:/var/log/squid/access.log line) = 1
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked:
access_log daemon:/var/log/squid/access.log = 1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished:
0x78737acd23c0 answer ALLOWED for match
2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520

Thanks for help
Patrick

On 16/11/2016 at 20:16, Patrick Chemla wrote:

> Many thanks Alex. I will try in the next hours and let you know if I am
> successful.
>
> Patrick
>
>
> On 16/11/2016 at 20:04, Alex Crow wrote:
>>
>> On 16/11/16 17:33, Patrick Chemla wrote:
>>> Thanks for your answers, I am not doing anything illegal, I am
>>> trying to build a performant platform.
>>>
>>> I have a big server running about 10 different websites.
>>>
>>> I have on this server virtual machines, each specialized for one or some
>>> websites, and squid helps me to send the traffic to the destination
>>> website on the internal VM according to the URL.
>>>
>>> Some VMs are paired, so squid will load-balance the traffic on a group of
>>> VMs according to the URL/acls.
>>>
>>> All this works in HTTP, thanks to Amos's advice a few weeks ago.
>>>
>>> Now, I need to set up SSL traffic, and because the domains are different I
>>> need to use different IPs:443 to be able to use different certificates.
>>>
>>> I tried many times in the past to make squid work in SSL and never
>>> succeeded because of so many options, and this question: should the traffic
>>> between squid and the backend be SSL? If yes, it's OK for me,
>>> nothing illegal.
>>>
>>> The second question: how to set up the SSL link on squid, getting the SSL
>>> request and sending it to the backend. Actually the backend can handle SSL
>>> traffic, it's OK for me if I find the way to make squid handle the
>>> traffic according to the acls. Squid must decrypt the request, compute
>>> the acls, then re-encrypt to send to the backend.
>>>
>>> The reason I asked not to re-encrypt is because of performance. All this
>>> is on the same server, from the host to the VMs, and decrypt, then
>>> re-encrypt, then decrypt will be resource consuming. But I can do it
>>> like that.
>>>
>>> Now, do you have any clear Howto that will help? I found many on
>>> Google and not any gave me a working solution.
>>>
>>> The other question is about Trusted Certificates. We have on the
>>> websites trusted certificates. Should we use the same on the squid?
>>>
>>> Thanks for your appreciated help
>>>
>>> Patrick
>>>
>>>
>> You are using a reverse proxy/web accelerator setup. Nothing you do
>> there will be illegal if you're using it for your own servers! You
>> should be able to use HTTP to the backend and just offer HTTPS from
>> squid. This will avoid loading the backend with encryption cycles. You
>> don't need any certificate generation as AFAIK you already have all the
>> certs you need.
>>
>> See:
>>
>> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>>
>> for starters. You can adapt the wildcard example; if you have specific
>> certs for each domain, just listen on a different IP for each domain and
>> set up multiple https_port with a different listening IP for each site.
>> If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.
>>
>> Here's a couple more:
>>
>> http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy 
>>
>>
>> (I found the above with a simple google for "squid reverse ssl proxy".
>> Google is your friend here... )
>>
>> http://www.squid-cache.org/Doc/config/https_port/
>>
>> That's as far as my knowledge goes on reverse in Squid; at my site we
>> use nginx. But AFAIK if you're doing what I think you're doing that
>> should be enough. Squid does have a lot of config parameters, but then
>> so does any other fully capable proxy server. Just focus on the parts
>> you need for your role and it will be much easier. Specifically ignore
>> bump/peek+splice, it's just for forward proxy.
>>
>> Alex

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
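Patrick's wget error and the `NONE error:invalid-request ... 400` lines in access.log are exactly what an `http_port ... accel` listener on port 443 produces when a browser opens TLS to it: the HTTP parser reads the ClientHello as a malformed request and answers in plain text, which OpenSSL reports as "unknown protocol". The following Python script is an added example, not code from the thread or from Squid; it sends a genuine ClientHello and classifies the first reply bytes, so a plain-HTTP listener on a TLS port is told apart from a TLS listener that merely rejected the handshake. The reply samples it checks offline are constructed, and the hostnames are placeholders.

```python
"""Check whether a port that is supposed to serve HTTPS actually speaks TLS.

Added example (not from the squid-users thread or the Squid project).
A Squid `http_port ... accel` on port 443 parses the browser's TLS
ClientHello as an HTTP request, logs `NONE error:invalid-request ... 400`
in access.log and answers with a plain-text HTTP 400; the client's OpenSSL
then reports `SSL23_GET_SERVER_HELLO:unknown protocol`.  Reading the first
reply bytes tells that case apart from a real TLS failure.
"""
import socket
import ssl
import sys

# Constructed sample replies (not captured from the thread's server).
TLS_SERVER_HELLO = bytes.fromhex("160303004a020000460303") + b"\x00" * 32
TLS_ALERT = bytes.fromhex("1503030002022f")  # fatal alert: protocol_version
PLAIN_HTTP_400 = (b"HTTP/1.1 400 Bad Request\r\n"
                  b"Server: squid\r\n"
                  b"Content-Type: text/html;charset=utf-8\r\n\r\n")

DIAGNOSIS = {
    "tls": "TLS listener: an https_port (or equivalent) is answering",
    "tls-alert": "TLS listener, but it rejected this ClientHello "
                 "(protocol version, cipher or SNI mismatch)",
    "plaintext-http": "plain HTTP listener on a TLS port: the "
                      "http_port ... accel mistake from the thread; "
                      "it should be https_port ... accel",
    "closed": "connection closed before any reply (firewall or ACL?)",
    "silent": "no reply within the timeout",
    "unknown": "reply is neither TLS nor HTTP",
}


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello."""
    if not data:
        return "closed"
    # TLS records start with a content-type byte followed by version 0x03xx.
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls"             # handshake record (ServerHello)
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"       # alert record
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an HTTP parser answered the ClientHello
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine TLS ClientHello (with SNI) using a memory BIO.

    No network is touched: the ssl module writes the hello into `outgoing`
    and then stalls waiting for a ServerHello that is never fed to it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello has been written, the answer is pending
    return outgoing.read()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "silent"
    return classify_reply(reply)


if __name__ == "__main__":
    # Usage: python probe_tls_port.py www.example.invalid [443]
    # (placeholder hostname; substitute the accel listener under test)
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict = probe(target, port)
    print(f"{target}:{port} -> {verdict}: {DIAGNOSIS[verdict]}")
```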

Re: Trusted CA Certificate with ssl_bump

Patrick Chemla

Hi Alex, sorry for disturbing, but it works with

https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key

Many, many, many Thanks for valuable help.

Patrick

Re: Trusted CA Certificate with ssl_bump

Alex Crow-2


On 17/11/16 18:11, Patrick Chemla wrote:

>
> Hi Alex, sorry for disturbing, but it works with
>
> https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key
>
> Many, many, many Thanks for valuable help.
>
> Patrick

No problem.

I think we all tend to overthink things until we've got used to them.
Glad you got it sorted.

Alex




Re: Trusted CA Certificate with ssl_bump

Patrick Chemla
In reply to this post by Patrick Chemla
Hi Alex, and all others

Now I have set it for multiple domains, and it works really fine. Again
many thanks.

But I have a new demand:

Within one of the sites, where squid handles the https connection then
communicates with the internal VM through http, there is one (at least, maybe
we will find others), I don't know why, but the dev wants them http only.

When I come to the menu for this page, the app returns an http:// link to
squid. Squid encrypts and sends an https:// link to the browser, but then when
the user hits the link, some of the components of the page should stay
http://, and there the browser detects an https page with http components
embedded, and blocks them.

Is there a way to tell squid to leave some links as http?

My domain is domain.tld:

the browser asks for https://domain.tld

squid decrypts, recognizes this domain, and according to the acl goes to VM1,
in http:// mode, not encrypted.

The site on VM1 returns a page in http:// mode, with all links as http
too, and squid sends it back encrypted to the browser with all links
embedded in https://

I want a special link on the page, http://domain.tld/special/, to stay http.

How can I instruct squid to leave it as it is, but all others?

Thanks

Patrick



Re: Trusted CA Certificate with ssl_bump

Amos Jeffries
Administrator
On 21/11/2016 11:44 p.m., Patrick Chemla wrote:

> Hi Alex, and all others
>
> Now I have set it for multiple domains, and it works really fine. Again
> many thanks.
>
> But I have a new demand:
>
> Within one of the sites, where squid handles the https connection then
> communicates with internal VM through http, there is one (at least, maybe
> we will find others), I don't know why, but the dev wants them http only.
>
> When I come to the menu to this page, the app returns an http:// link to
> squid. Squid encrypts and sends an https:// link to the browser.

No. Squid does nothing to the response payload.

What you are seeing as a "problem" is a natural side effect of telling
the origin server it is being contacted over plain-text HTTP.


> but then when
> the user hits the link, some of the components of the page should stay
> http://, and there the browser detects an https page with http components
> embedded, and blocks them.
>
> Is there a way to tell squid to let some links stay http?
>

Squid is not doing anything to page links.


> My domain is domain.tld:
>
> the browser asks for https://domain.tld
>
> squid decrypts, recognizes this domain, and according to the acl goes to
> VM1 in http:// mode, not encrypted.
>
> The site on VM1 returns a page in http:// mode, with all links as http
> too, and squid sends it back encrypted to the browser with all links
> embedded in https://

No. You have misunderstood what is going on:

- the browser contacts domain.tld on port 443 using TLS and sends a request
for domain.tld with some path.

- squid receives on port 443 and terminates/decrypts the TLS, finding
the HTTP message inside requesting domain.tld with some path.

- squid contacts the VM1 and requests domain.tld with some path.

- the server produces some response+payload (HTTP payload is always
opaque data N bytes long).

- squid delivers the response message+payload back to browser over the
TLS connection.

That is *all* that happens.

>
> I want a special link on the page http://domain.tld/special/ to stay http.
>
> How can I instruct squid to leave it as it is, but not all the others?

Squid is already not touching it.

Squid by design does only the *transfer* (HTTP, HTTPS, etc) part of
transferring objects around. It intentionally does not change what
those objects are.


The browser has been coded or configured to place unusual and painful
restrictions on what its user can do with it.

 - the browser could stop being so restrictive in the things it allows
its user to do. This kind of mix-match of URLs is common on the Internet.

 - the origin server could be "fixed" to use relative URLs instead of
absolute. Either relative-path or relative-scheme are easily done.

 - you might use ICAP/eCAP service(s) to transcode the response objects'
internal strings. But that is very difficult to get right, so there will
always be some problems occurring.


Amos
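Amos's second option, fixing the origin rather than Squid, as an added example that is not part of this thread (constructed sample page, hypothetical helper names): rewrite the origin's absolute http://domain.tld/... references to relative-scheme or relative-path form, and list which references a browser would still block as mixed content once the page is delivered over TLS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the kind of page the origin on VM1 returns over
# plain HTTP: every reference is absolute and uses the http:// scheme.
SAMPLE_PAGE = (
    '<a href="http://domain.tld/special/">special</a>\n'
    '<img src="http://domain.tld/img/logo.png">\n'
    '<script src="http://cdn.example.net/lib.js"></script>\n'
    '<a href="http://other.example.org/page">external</a>\n'
)

# URL inside an href="..." or src="..." attribute (double-quoted only).
_ATTR_URL = re.compile(r'\b(href|src)="([^"]*)"', re.IGNORECASE)

def mixed_content(page):
    """Subresources (src=) fetched over http://: when the page itself
    arrives over TLS, these are what the browser blocks. href= links
    are not blocked, they merely navigate to a plain-http URL."""
    return [url for attr, url in _ATTR_URL.findall(page)
            if attr.lower() == "src" and url.lower().startswith("http://")]

def relativize(page, host, mode="scheme", keep=()):
    """Rewrite absolute http:// URLs that point at `host` so the browser
    reuses the scheme the page was loaded with (done on the origin, not
    in Squid, which never touches the payload).
    mode="scheme": http://host/path -> //host/path
    mode="path":   http://host/path -> /path
    `keep` lists paths that must stay absolute http, e.g. "/special/".
    URLs to other hosts are left alone; rewriting them would be wrong."""
    if mode not in ("scheme", "path"):
        raise ValueError("mode must be 'scheme' or 'path'")

    def fix(m):
        attr, url = m.group(1), m.group(2)
        p = urlsplit(url)
        if (p.scheme.lower() != "http" or p.netloc.lower() != host.lower()
                or p.path in keep):
            return m.group(0)
        tail = p.path or "/"
        if p.query:
            tail += "?" + p.query
        if p.fragment:
            tail += "#" + p.fragment
        new = tail if mode == "path" else "//" + p.netloc + tail
        return '%s="%s"' % (attr, new)

    return _ATTR_URL.sub(fix, page)
```

The third-party script stays on the mixed-content list after rewriting, which is the case where only the origin's author (or an ICAP/eCAP transcoder) can change the reference.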
