https debug


https debug

sampei02@tiscali.it
I'm using an application which uses the https protocol through Squid 3.5.20, and application timeouts and other problems often occur when using this software.
I tried to use the application without Squid, bypassing it, and it works fine.
How can I find out where Squid could be creating problems for this application?
I tried to enable the "debug_options ALL,2" feature but it's very hard to understand; suggestions please?



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: https debug

Amos Jeffries
Administrator
On 31/12/18 10:48 pm, Sampei wrote:
> I'm using application which uses https protocol by Squid  3.5.20 and It
> often occurs application timeout and other problems to use this software.

Please explain with more details about what this setup actually is.
There are many very different ways to "uses https protocol by Squid"
<https://wiki.squid-cache.org/Features/HTTPS>


> I tried to use application without Squid, bypassing it, and It works fine.
> How can I find out where Squid could create problems to this application?
> I tried to enable "debug_options ALL,2" feature but it's very hard to
> understand, suggestions please?
>

Upgrade Squid? Current release is 4.4, soon to be 4.5.

The old 3.5.* series lacks a lot of TLS feature support and polishing of
the Squid behaviours.

If the Squid logs do not contain the desired info you can always look at
a packet trace of the traffic.

Amos
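Before reaching for a packet trace, the access.log usually answers "what did Squid do with this request". The script below is an added example for this thread, not code from the list or from the Squid project: it parses lines in Squid's native ("squid") log format, whose whitespace-separated fields are timestamp.ms, duration in ms, client address, RESULT/status, bytes, method, URL, user, HIER/peer and content type, and flags the entries that typically explain an application timeout: requests denied by http_access, gateway errors, very slow transactions, and destinations on ports the application was not expected to use. The log lines, hosts, client address and the expected-port set are constructed for the example; the 30 second "slow" threshold is an arbitrary choice.

```python
"""Triage pass over Squid native-format access.log lines (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Entry:
    ts: float
    duration_ms: int
    client: str
    result: str      # Squid result code, e.g. "TCP_DENIED"
    status: int      # HTTP status sent to the client, e.g. 403
    method: str
    url: str
    host: str        # destination host the request was aimed at
    port: int        # destination port


# Constructed sample log, native "squid" format; all values are made up.
SAMPLE_LOG = """\
1546423800.123    120 192.168.1.10 TCP_TUNNEL/200 5120 CONNECT app.example.com:443 - HIER_DIRECT/203.0.113.10 -
1546423801.456      3 192.168.1.10 TCP_DENIED/403 3876 CONNECT app.example.com:8443 - HIER_NONE/- text/html
1546423802.789  60012 192.168.1.10 TCP_MISS/504 0 GET http://api.example.com:8080/status - HIER_DIRECT/203.0.113.11 -
1546423803.001     45 192.168.1.10 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/203.0.113.12 text/html
"""


def destination(method, url):
    """CONNECT logs a bare host:port; other methods log an absolute URL whose
    port defaults by scheme (80 for http, 443 for https)."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def parse_line(line):
    """Split one native-format line into an Entry; raises on malformed input."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format log line: {line!r}")
    result, status = f[3].split("/", 1)
    host, port = destination(f[5], f[6])
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 f[5], f[6], host, port)


def triage(log_text, client=None, expected_ports=frozenset({80, 443}),
           slow_ms=30000):
    """Return [("host:port", [reasons])] for entries worth a closer look.
    Optionally restrict to one client address (the machine running the app)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if client and e.client != client:
            continue
        reasons = []
        if e.result == "TCP_DENIED":
            reasons.append("denied by http_access")
        if e.status >= 500:
            reasons.append(f"gateway error {e.status}")
        if e.duration_ms >= slow_ms:
            reasons.append(f"slow: {e.duration_ms} ms")
        if e.port not in expected_ports:
            reasons.append(f"unexpected port {e.port}")
        if reasons:
            findings.append((f"{e.host}:{e.port}", reasons))
    return findings


if __name__ == "__main__":
    for dest, why in triage(SAMPLE_LOG, client="192.168.1.10"):
        print(dest, "->", "; ".join(why))
```

Run against the real log with the application's client address, the output points straight at the destinations Squid refused (TCP_DENIED, typically a port outside Safe_ports/SSL_ports) or could not reach in time (5xx with a long duration); those are the "other port you do not know about" cases, and the ones worth a packet trace.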

Re: https debug

Amos Jeffries
Administrator
On 2/01/19 10:30 pm, Sampei wrote:
> About way to use https protocol I think I use connect tunnel, here

When a CONNECT tunnel is being used and not SSL-Bump'ed then all TLS
related issues are problems with one of the endpoint software. Not
related to the proxy at all. Squid is just blindly relaying the TLS
bytes as-is between the endpoints.

That said, some specific configs may encounter issues due to explicitly
telling Squid to do certain things which cannot be done to CONNECT
tunnels (eg. URL-rewrite, ACL checks of path strings), or to deny the
CONNECT which obviously would make the TLS not "work" at all.


I suspect that in your case some other port is involved which you do not
know about and are thus not letting through Squid. The access.log should
show what Squid is dealing with there.


> partial of my squid.conf
>
>
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> ...
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> ...
> http_access deny CONNECT !SSL_ports

Okay, but it should follow the Safe_ports check. The default config
orders these checks by how common it is to encounter the attack types
they exist to prevent.

> http_access deny CONNECT !Safe_ports

The default config uses this instead:

 http_access deny !Safe_ports

The purpose of this Safe_ports ACL is to prevent the proxy handling
*any* traffic for protocols whose traffic syntax directly conflicts with
HTTP traffic syntax.

By limiting this check to only CONNECT messages, you are opening your
proxy to most of the attacks the Safe_port ACL was designed to prevent.



> acl test dstdomain example.com
> http_access allow test
> http_access allow CONNECT test

The latter is pointless. "test" was already allowed, so this line is
never reached by any traffic which it can match.


> I'm thinking of upgrading to Squid 4.x, but I'm looking for a valid repository for
> CentOS 7 which contains this pkg.

The official repositories for CentOS are detailed at
<https://wiki.squid-cache.org/KnowledgeBase/CentOS>

(I see that page needs an update; Eliezer now has 4.4 in his main CentOS
repository <http://www1.ngtech.co.il/repo/centos/7/x86_64/>.)


Amos
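To make the ordering point concrete, here is an added example (not from the thread and not Squid's own code) that models how Squid walks http_access lines: lines are evaluated in order, a line matches when every ACL named on it matches (a leading "!" negates that one ACL), the first matching line decides, and a request that matches no line gets the opposite of the last line's action. The ACL definitions are the ones quoted above; the stock "CONNECT" method ACL and "all" ACL are added as in the default squid.conf, and a trailing "deny all" is assumed because the posted fragment is partial. The probe requests are constructed. The shadow check is purely syntactic (it compares ACL name sets, not what the ACLs mean), and the model ignores Squid's asynchronous ACL types, which is enough for port, method and dstdomain checks.

```python
"""Minimal model of Squid http_access first-match evaluation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str  # "GET", "CONNECT", ...
    host: str    # destination host
    port: int    # destination port


# ACL definitions from the posted fragment, plus the default config's
# "CONNECT" method ACL and the built-in "all" ACL (assumed here).
ACLS = {
    "SSL_ports": ("port", {443, 563}),
    "Safe_ports": ("port", {80, 21, 443}),
    "CONNECT": ("method", {"CONNECT"}),
    "test": ("dstdomain", {"example.com"}),
    "all": ("all", None),
}


def acl_matches(name, req):
    """Does ACL `name` (optionally '!'-negated) match this request?"""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "port":
        hit = req.port in values
    elif kind == "method":
        hit = req.method in values
    elif kind == "dstdomain":
        # dstdomain matches the listed domain and its subdomains
        hit = any(req.host == d or req.host.endswith("." + d) for d in values)
    else:
        raise ValueError(f"unknown ACL type {kind}")
    return hit != negate


def parse_rules(conf):
    """Turn 'http_access <allow|deny> ACL...' lines into (action, [acls])."""
    rules = []
    for line in conf.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "http_access":
            continue
        action, acls = tokens[1], tokens[2:]
        if action not in ("allow", "deny") or not acls:
            raise ValueError(f"malformed line: {line!r}")
        rules.append((action, acls))
    return rules


def evaluate(rules, req):
    """Return (decision, index of the deciding line); index None means the
    implicit default (opposite of the last line's action) applied."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def shadowed_rules(rules):
    """Indices of lines that can never be the first match: an earlier line
    whose ACL set is a subset of theirs fires on every request they match."""
    return [j for j, (_, acls_j) in enumerate(rules)
            if any(set(rules[i][1]) <= set(acls_j) for i in range(j))]


# Order as posted in the thread (trailing "deny all" assumed).
POSTED = parse_rules("""
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !Safe_ports
http_access allow test
http_access allow CONNECT test
http_access deny all
""")

# Order used by the default squid.conf, as described in the reply above.
DEFAULT_ORDER = parse_rules("""
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow test
http_access deny all
""")

if __name__ == "__main__":
    probes = [  # constructed requests; example.com is the domain from the thread
        Request("GET", "smtp.example.com", 25),      # plain HTTP to a non-safe port
        Request("CONNECT", "smtp.example.com", 25),
        Request("CONNECT", "example.com", 443),
        Request("GET", "www.example.com", 80),
    ]
    for req in probes:
        print(req, "posted:", evaluate(POSTED, req),
              "default order:", evaluate(DEFAULT_ORDER, req))
    print("never-reached lines in posted config:", shadowed_rules(POSTED))
```

The first probe is the one that matters: a plain GET to a port outside Safe_ports slips past both CONNECT-only deny lines and is allowed by "allow test", whereas the default ordering denies it on the first line. The shadow check reports "allow CONNECT test" as unreachable, since every request it could match already matched "allow test".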

Re: https debug

Eliezer Croitoru
You probably meant 4.5...
http://www1.ngtech.co.il/repo/centos/7/x86_64/squid-4.5-1.el7.x86_64.rpm

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: https debug

Amos Jeffries
Administrator
On 21/01/19 11:15 am, Eliezer Croitoru wrote:
> You probably meant 4.5...
> http://www1.ngtech.co.il/repo/centos/7/x86_64/squid-4.5-1.el7.x86_64.rpm
>

Time travel ...

> -----Original Message-----
> From: Amos Jeffries
> Sent: Wednesday, January 2, 2019 12:01

... back when 4.4 was all you had.

;-P

Amos

Re: https debug

Eliezer Croitoru
I didn't know it's such a known repo.
It's weird when someone in the street recognized me and identified me as the Squid-Cache RPM repo.

Or in Japanese "Hazukashī".

:D
