making proxy-int to talk to proxy-ext

robert k Wild
Hi all,

As I have configured both an internal proxy (non-internet-facing) and an external proxy (internet-facing) from source, I followed this guide -
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

It works if I comment out the SSL lines -

#SSL
#http_port 3128 ssl-bump \
#cert=/etc/squid/ssl_cert/myCA.pem \
#generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all

But as soon as I uncomment them it breaks the link between both servers.

This is the error I get from the internal proxy when it tries to contact the external proxy:

https://i.postimg.cc/JzC29gh8/ssl.png
--
Regards,

Robert K Wild.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: making proxy-int to talk to proxy-ext

Alex Rousskov
On 11/26/19 10:54 AM, robert k Wild wrote:

> as i have configured both internal proxy (non internet facing) and
> external proxy (internet facing) from source,

Please show the essential parts of both internal and external Squid
configurations for the broken setup (at least).

It is difficult to guess what went wrong because the guide you are
quoting does not talk about internal and external proxy instances _and_,
in most cases, simply adding a valid http_port line has no effect on
test cases that worked before -- the new port will be unused by the old
test traffic. It is not even clear which proxy you are adding the
SslBump configuration to.


Thank you,

Alex.


> followed this guide -
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> it works if i comment out the ssl lines -
>
> #SSL
> #http_port 3128 ssl-bump \
> #cert=/etc/squid/ssl_cert/myCA.pem \
> #generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> #sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> #acl step1 at_step SslBump1
> #ssl_bump peek step1
> #ssl_bump bump all
>
> but as soon as i uncomment them it breaks the link between both servers
>
> this is the error i get from the internal proxy when it tries to contact
> the external proxy
>
> https://i.postimg.cc/JzC29gh8/ssl.png
> --
> Regards,
>
> Robert K Wild.
>

Re: making proxy-int to talk to proxy-ext

robert k Wild
Hi Alex,

I have done some more troubleshooting and my external proxy is good: I get no errors, I have one of my DMZ hosts connected to it and I can browse the web. But my internal proxy can't contact my external proxy; this is the error when I run it -

2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:          unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (          1/0)

This is my config on my internal proxy -

#
# Recommended minimum configuration:
#

#SSL
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#squid proxy in DMZ on internet
cache_peer 172.16.55.21 parent 3128 0 default
acl all src all
http_access allow all
never_direct allow all

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

My external proxy uses the same config but without the lines under "squid proxy in DMZ on internet".

Thanks,
Rob

On Tue, 26 Nov 2019 at 16:59, Alex Rousskov <[hidden email]> wrote:
On 11/26/19 10:54 AM, robert k Wild wrote:

> as i have configured both internal proxy (non internet facing) and
> external proxy (internet facing) from source,

Please show the essential parts of both internal and external Squid
configurations for the broken setup (at least).

It is difficult to guess what went wrong because the guide you are
quoting does not talk about internal and external proxy instances _and_,
in most cases, simply adding a valid http_port line has no effect on
test cases that worked before -- the new port will be unused by the old
test traffic. It is not even clear which proxy you are adding the
SslBump configuration to.


Thank you,

Alex.


> followed this guide -
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> it works if i comment out the ssl lines -
>
> #SSL
> #http_port 3128 ssl-bump \
> #cert=/etc/squid/ssl_cert/myCA.pem \
> #generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> #sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> #acl step1 at_step SslBump1
> #ssl_bump peek step1
> #ssl_bump bump all
>
> but as soon as i uncomment them it breaks the link between both servers
>
> this is the error i get from the internal proxy when it tries to contact
> the external proxy
>
> https://i.postimg.cc/JzC29gh8/ssl.png
> --
> Regards,
>
> Robert K Wild.
>



--
Regards,

Robert K Wild.

Re: making proxy-int to talk to proxy-ext

Amos Jeffries
Administrator
On 27/11/19 11:56 am, robert k Wild wrote:

> Hi Alex,
>
> i have done some more troubleshooting and my external proxy is good, i
> get no errors and i have got one of my DMZ hosts connected to it and i
> can browse the web, but my internal proxy cant contact my external
> proxy, this is the error when i run it -
>
> 2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
> 2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:          unknown protocol (1/-1/0)
> 2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
> 2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
> 2019/11/26 22:53:28| Error negotiating SSL connection on FD 13:
> error:00000001:lib(0):func(0):reason(1) (          1/0)
>
> this is my config on my internal proxy -
>
> #
> # Recommended minimum configuration:
> #
>
> #SSL
> http_port 3128 ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
...
> #squid proxy in DMZ on internet
> cache_peer 172.16.55.21 parent 3128 0 default
...
> never_direct allow all
>

So, all traffic MUST use the cache_peer which cannot handle TLS input.


You need to either configure TLS/SSL in the peer and set the cache_peer
line appropriately for that so this proxy can re-encrypt traffic going
there,

OR, upgrade to Squid-5 which has the ability to re-encrypt and send to a
regular peer proxy.


Amos
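Amos's first option, written out as an added example (this is not the thread's own configuration and not taken from the Squid project's examples): the external proxy gets a TLS listening port, and the internal proxy's cache_peer line is told to speak TLS to it, so the "Server Hello" the internal proxy expects is actually sent by the parent. The port number 3129, the certificate and key paths and the CA file name are assumed values; the directive names (https_port, tls-cert=, tls-key=, and the cache_peer options tls, tls-cafile=, tls-domain=) are Squid-4 syntax.

```squid
# --- external proxy (172.16.55.21, in the DMZ) ---
# Keep the plain port for DMZ hosts that talk ordinary HTTP to this proxy,
# and add a TLS port for the internal proxy to connect to.
# proxy-ext.pem / proxy-ext.key are assumed paths. The certificate must be
# issued for the name the internal proxy verifies (see tls-domain= below).
http_port 3128
https_port 3129 tls-cert=/etc/squid/ssl_cert/proxy-ext.pem \
    tls-key=/etc/squid/ssl_cert/proxy-ext.key

# --- internal proxy ---
# Same parent as in the thread, but pointed at the TLS port with the 'tls'
# option so Squid encrypts the hop to the parent, and with the CA that
# signed proxy-ext.pem so the parent's certificate is verified rather than
# accepted blindly. tls-domain= names the subject to check, since the peer
# is addressed by IP here. proxy-ext.example.internal is an assumed name.
cache_peer 172.16.55.21 parent 3129 0 default tls \
    tls-cafile=/etc/squid/ssl_cert/proxy-ext-ca.pem \
    tls-domain=proxy-ext.example.internal
never_direct allow all
```

A quick way to confirm the two sides agree before restarting the internal proxy: from the internal host, `openssl s_client -connect 172.16.55.21:3129` should complete a handshake and show the parent's certificate chain, whereas the same command against port 3128 fails to negotiate, which is exactly the mismatch behind the "unknown protocol" line in Rob's cache.log.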