squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Jason Chiu
I have a FreeBSD 9.1 bridge (em0, em1) environment and use "pf rdr to" to
redirect HTTPS (port 443) packets to squid (squid 127.0.0.1:3129).

Squid 3.3.11 ssl bump is OK.


The following is the setting of squid 3.3.11

Squid Cache: Version 3.3.11-20140220-r12672
configure options: '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience


Recently, in order to allow squid to sign the generated certificates with sha256,
I upgraded squid to version 3.5.24.


But ssl bump is not OK.

access.log always shows the following message:
1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495699857.720      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.054      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701676.717      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.060      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701677.354      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -

Which part of the settings do I need to adjust?



The following are my settings:

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--enable-ssl-crtd' '--enable-ecap' '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience

------------
squid.conf
------------
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

#http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all

# sslcrtd
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/squid/ssl_db -M 10MB
sslcrtd_children 5

# sslproxy setting
sslproxy_capath /var/squid/ssl_db/certs
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidAfter all

sslproxy_flags DONT_VERIFY_PEER

----------------------------------------
pf.conf
---------------------------------------
#internal interface
int_if = '{em1}'

# Normalization: reassemble fragments resolve or reduce traffic ambiguities.
scrub in all
set skip on lo0

#sslTP rdr setting
rdr_from = 'any'
rdr_to = 'any'
rdr on $int_if inet proto tcp from $rdr_from to $rdr_to port 443 -> 127.0.0.1 port 3129
pass in all no state
pass out all no state
pass in quick on $int_if route-to lo0 inet proto tcp from $rdr_from to any keep state
Re: squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Alex Rousskov
On 06/07/2017 03:37 AM, Jason Chiu wrote:

> 1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129

> *Need to adjust which part of the settings?*

If that connection is really trying to connect to 127.0.0.1:3129 from
Squid's point of view, then your interception setup is probably deficient.
Intercepted to-port-443 connections should be seen by Squid as going to
port 443 (while being received at Squid port 3129). Interception is not
(or should not be) just port redirection. This has nothing to do with
Squid configuration though.

Once you fix interception (or if you refuse to fix it), if Squid is
denying access, then you should adjust your http_access rules. Your
rules must allow the fake CONNECT requests that represent intercepted HTTPS
connections. For example, the above TCP_DENIED line is probably logged
because your current interception setup triggers this (correct) rule:

> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports


And yes, it might have "worked" in the past because earlier Squids were
doing fewer checks than they should have been doing.

Alex.



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Jason Chiu
test case 1:
-----------------------------------------
I changed my squid setting (not using intercept mode):

http_port 3129 ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

then set the client web browser proxy to 192.168.95.81:3129.

squid ssl-bump is OK.
squid access.log has the client access log.

test case 2:
-----------------------------------------
But I want to use transparent mode (intercept with PF rdr).
In intercept mode I added the following acl rule:

acl bumpedPorts myportname 3129
http_access allow CONNECT bumpedPorts
.....
https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

access.log no longer shows TCP_DENIED/200 0 CONNECT 127.0.0.1:3129,
but the client web browser keeps waiting and gets no response.

Re: squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Amos Jeffries
On 09/06/17 16:05, Jason Chiu wrote:

> test case 2:
> -----------------------------------------
> but I want use transparent mode (intercept with PF rdr).
> intercept mode add the following acl rule :
>
> acl bumpedPorts myportname 3129
> http_access allow CONNECT bumpedPorts
> .....
> https_port 3129 intercept ssl-bump cert=/usr/local/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> access.log no appear TCP_DENIED/200 0 CONNECT 127.0.0.1:3129
> but client web browser has been waiting and no response.

Ah, sorry, I should have remembered this earlier:
<http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4>

TL;DR:  Add --with-nat-devpf to your build options for FreeBSD.

Amos

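As an added example (not code from the thread, from Squid, or from pf), the Python below walks the http_access rules from the squid.conf posted above over constructed access.log lines and flags the symptom Alex describes (an intercepted CONNECT whose destination is Squid's own port 3129 rather than port 443), then checks a configure-options string for the --with-nat-devpf build option Amos points to. The manager and localhost rules are left out and the sample IPs are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the thread's access.log: one fake CONNECT
# that arrived with Squid's own port as destination, one healthy intercept.
ACCESS_LOG = """\
1495699856.074      0 192.168.95.81 TCP_DENIED/200 0 CONNECT 127.0.0.1:3129 - HIER_NONE/- -
1495701700.123    312 192.168.95.81 TCP_TUNNEL/200 5120 CONNECT 198.51.100.10:443 - ORIGINAL_DST/198.51.100.10 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s")

# ACLs from the squid.conf in the thread (Safe_ports includes 1025-65535).
LOCALNET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

def parse_access_log(text):
    """Extract the fields this check needs from native-format access.log lines."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def http_access_verdict(client, method, port):
    """Walk the thread's http_access rules in order; return the first match."""
    if port not in SAFE_PORTS:
        return "deny", "!Safe_ports"
    if method == "CONNECT" and port not in SSL_PORTS:
        return "deny", "CONNECT !SSL_ports"
    if any(ip_address(client) in n for n in LOCALNET):
        return "allow", "localnet"
    return "deny", "all"

def diagnose(entries, listen_port=3129):
    """Flag CONNECTs whose destination is the listening port itself: the original
    destination was not recovered, so the (correct) CONNECT !SSL_ports rule fires."""
    findings = []
    for e in entries:
        port = int(e["port"])
        verdict, rule = http_access_verdict(e["client"], e["method"], port)
        if e["method"] == "CONNECT" and port == listen_port:
            findings.append((e["ts"], "original destination not recovered", rule))
        elif verdict == "deny":
            findings.append((e["ts"], "denied", rule))
    return findings

def has_nat_devpf(configure_options):
    """On FreeBSD pf the /dev/pf lookup needs --with-nat-devpf (Amos's fix)."""
    return "--with-nat-devpf" in configure_options.replace("'", "").split()
```

Feed it the output of `squid -v` and a slice of access.log; a "original destination not recovered" finding together with a missing --with-nat-devpf is exactly the combination this thread ended on.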
Re: squid 3.5 ssl-bump intercept TCP_DENIED/200 on bridge mode

Jason Chiu
I reconfigured, adding "--with-nat-devpf" (squid-3.5.24 on FreeBSD 9.1).

This issue has been resolved,
thanks to Amos Jeffries.

The following are my squid version and configure options.

Squid Cache: Version 3.5.24-20170331-r14150
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/squid' '--datadir=/usr/share/squid' '--enable-icap-client' '--enable-ssl' '--with-pthreads' '--enable-pf-transparent' '--with-nat-devpf' '--enable-ssl-crtd' '--enable-ecap' '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience

