squid 3.5.27 . https website


squid 3.5.27 . https website

G~D~Lunatic
I use squid 3.5.27 as a transparent proxy. With the proxy, I access some https websites like www.hupu.com, but the webpage does not show correctly. There are some similar websites such as https://www.zhihu.com and https://www.jd.com/. So I want to know where the problem is or how to deal with it.

The webpage shows a message like: "s1.hdslb.com used an invalid security certificate. This certificate is valid for the following domain names only: *.zhaopin.com, *.zhaopin.cn, *.dpfile.com, *.cdn.myqcloud.com, *.sogoucdn. SSL error code: SSL_ERROR_BAD_CERT_DOMAIN"

How can I send a screenshot to explain?
Here is my configuration:
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow all

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
acl NCACHE method GET
no_cache deny NCACHE

# And finally deny all other access to this proxy
request_header_access Via deny all #hide squid header
request_header_access X-Forwarded-For deny all #hide squid header
#request_timeout 2 minutes #client request timeout

# Squid normally listens to port 3128
http_port 3120

http_port 3128 intercept

https_port 192.168.51.115:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump server-first all
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice all

sslproxy_version 0
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

#Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
ipcache_size 1024 MB
ipcache_low 70
ipcache_high 95
fqdncache_size 1024 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95


# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 3.5.27 . https website

Amos Jeffries
Administrator
On 17/11/17 15:32, G~D~Lunatic wrote:
> i use squid 3.5.27 as a transparent proxy.

Small correction: You have configured NAT interception proxy with
SSL-Bump'ing. Not truly transparent.
  There are some vital differences. Most specific to your case is that
interception proxies do alter the traffic in significant ways (not
transparently relay as-is).


> With the proxy , i access
> some https websites like www.hupu.com. But the
> webpage does not show correctly.  There are some websizes similar such
> as https://www.zhihu.com, https://www.jd.com/. So i want to know where problem is or how to
> deal with it.
>
> The webpage remind like"   s1.hdslb.com used an invalid security
> certificate. This certificate is valid for the following domain names
> only: * .zhaopin.com, * .zhaopin.cn, * .dpfile.com, * .cdn.myqcloud.com,
> * .sogoucdn. SSL error code: SSL_ERROR_BAD_CERT_DOMAIN  "
>
> how can i send a screenshot to explain?
> Here is my configure
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
> machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> http_access allow all

*Extremely* unsafe configuration. This proxy is now an "open proxy".
Anybody can abuse it for any use whatsoever.

Combined with how you have disabled below recording of all TLS traffic
problems (and thus hacking attempts) and do server-first bumping of
clients what you end up with is a remarkably dangerous piece of software
whose most useful property is being a way to attack your network. :-(



>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> acl NCACHE method GET
> no_cache deny NCACHE

"no_cache" is a deprecated directive. It was removed because it
confused people. Delete the "no_" prefix.


Also, most other methods are not cacheable. So why not do it the simple way?

  cache deny all
or
  store_miss deny all


>
> # And finally deny all other access to this proxy
> request_header_access Via deny all #hide squid header
> request_header_access X-Forwarded-For deny all #hide squid header
> #request_timeout 2 minutes #client request timeout
>

The above is a very slow and nasty way to perform:

  via off
  forwarded_for delete


Though if you want to be transparent, use these instead:
  via off
  forwarded_for transparent


> # Squid normally listens to port 3128
> http_port 3120
>
> http_port 3128 intercept
>
> https_port 192.168.51.115:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem
> always_direct allow all

The use of "always_direct allow all" is a now useless workaround for a
long ago fixed bug. No version of Squid available in any distro today
needs it.


> ssl_bump server-first all
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice all

You are mixing up rules from multiple different versions of the SSL-Bump
feature.

"server-first" is equivalent to:

  ssl_bump peek ssl_step1
  ssl_bump bump all

It overrides all the ssl_bump lines following it.


>
> sslproxy_version 0
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Remove all three of the above lines. You may then be able to see what is
going on if the errors are in the TLS layer.

All these lines do is hide errors and network abuse from *you*, the
admin. Not your clients or users - they will still get errors.


I think your problem is that the bumping done by "server-first" is
clashing with several modern TLS features that sites use. You will not
be able to see which problem it is though until you re-enable recording
and display of TLS issues.


Amos
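As an added illustration (not code from the thread or from Squid itself) of why the posted http_access list is an open proxy: the script below simulates Squid's first-match evaluation of http_access over a constructed subset of the posted rules, then over the same rules with the stray `allow all` removed and an explicit final `deny all`. Squid's built-in `localhost` and `manager` ACLs are approximated by a loopback source address and a request flag, which is an assumption of this example.

```python
import ipaddress
# Constructed: the access-deciding lines of the posted squid.conf, in order.
POSTED = """\
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all
http_access allow localnet
http_access allow localhost
"""
# Same rules with the stray 'allow all' removed and an explicit final 'deny all'.
HARDENED = POSTED.replace("http_access allow all\n", "") + "http_access deny all\n"
def parse(conf):
    acls, rules = {"all": [("all", "")]}, []  # acl name -> [(type, value)]
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules
def acl_matches(name, acls, req):
    """True if ACL `name` matches a request dict with src ip, dst port, method."""
    src = ipaddress.ip_address(req["src"])
    if name == "localhost":  # Squid built-in, approximated: client is loopback
        return src.is_loopback
    if name == "manager":    # Squid built-in, approximated: cache manager flag
        return req.get("manager", False)
    for kind, value in acls[name]:
        lo, _, hi = value.partition("-")  # port values may be a range "lo-hi"
        if (kind == "all"
                or kind == "src" and src in ipaddress.ip_network(value)
                or kind == "port" and int(lo) <= req["port"] <= int(hi or lo)
                or kind == "method" and value.upper() == req["method"].upper()):
            return True
    return False
def http_access(conf, req):
    """First matching line wins; with no match Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), acls, req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

With the posted rules an Internet client (203.0.113.9 is a constructed TEST-NET address) reaches `allow all` before `allow localnet` is ever consulted; with the hardened list it falls through to `deny all`, while LAN clients still get CONNECT to 443 and nothing else.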