squid proxy 3.5 redhat 7.3


squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it)

Hello,

Despite all the documentation on the internet, we still do not have an answer to the question of whether we can use ssl_bump to intercept HTTPS traffic using a cache_peer.

So our question is: can we use ssl_bump to intercept HTTPS traffic with a parent proxy (cache_peer)?

Config example:

http_port 10.**********:8080 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
http_port 127.0.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
https_port 127.0.0.1:8081 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
acl step1 at_step SslBump1

ssl_bump peek step1

cache_peer ************** parent 8080 0 no-query no-netdb-exchange no-digest name=*******
never_direct allow all

squid -v: squid-3.5.20-2.el7.x86_64

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

 

 

Kind regards,

Sandro




Information about the Council for the Judiciary, the district courts, the courts of appeal and the special tribunals can be found at www.rechtspraak.nl.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid proxy 3.5 redhat 7.3

Alex Rousskov
On 06/01/2017 10:09 AM, Madonna, A. (spir-it) wrote:
> can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).

IIRC, you may be able to use limited SslBump features, but not the full
SslBump functionality: Peeking or staring at the origin server through a
cache_peer is not supported (yet).


> ssl_bump peek step1
> cache_peer ... parent 8080 0 no-query no-netdb-exchange no-digest

Bugs notwithstanding, the above combination should work because peeking
at step1 does not require communication with a cache_peer and splicing
at step2 should follow the regular (non-SslBump) tunneling path for
CONNECTs, where modern Squids do support cache peers.


I recommend that you make everything work without a cache_peer and then
add a cache_peer.

Alex.

FW: squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it)
Hello Alex,

Our setup is as follows:

Clients -> squid proxy -> internet.
This works with the config as previously mentioned.

Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid) -> internet

Does not work.

However I've also setup the following:

Clients -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy) -> internet

This seems to work at least for HTTP traffic; however, I don't see any HTTPS traffic coming into the Parent Proxy (Squid).

Now this morning I will do some more tcpdumping to see where that traffic is going, but maybe you can already shed some light on this?


Kind regards,


Re: FW: squid proxy 3.5 redhat 7.3

Alex Rousskov
On 06/02/2017 01:37 AM, Madonna, A. (spir-it) wrote:

> Clients -> squid proxy -> internet.
> This works with the config as previously mentioned.

OK.


> Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid) -> internet
> Does not work.

Even for regular HTTP traffic and non-bumped HTTPS traffic? If that
traffic does not work, then you have misconfigured something or the
Parent Proxy is badly broken. There is nothing special in the above
setup as far as regular traffic is concerned.


> However I've also setup the following:
>
> Clients -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy) -> internet
>
> This seems at least to work for http traffic, however, I don't see any HTTPS traffic coming into the Parent Proxy (Squid).

Squid does not know who made the parent proxy. The fact that one
(presumably production-quality) proxy "does not work" and another "seems
to work" implies that something is seriously misconfigured in one or
both cases.


> Now this morning I will do some more tcpdumping to see where that traffic is going, but maybe you can already shed some light on this?

I cannot shed more light on problems described only as "does not work"
and "no traffic".

Alex.



FW: FW: squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it)
Hello,


Known issue, 2012, Squid proxy 3.2:

http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1
•SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.

More than 5 years ago this was already a known issue. Apparently even after 5+ years there is still no proper solution. Can we expect anything regarding this in the near future?

This person already describes the issue in his blog and offers a solution, although it's not perfect:

https://www.mydlp.com/using-parent-proxy-ssl-bump-enabled-squid-3-2/


Also, it is still not clear to me whether the traffic is encrypted again after leaving the Squid proxy when doing ssl_bump with a parent proxy.
According to your wiki, ssl_bump decrypts and encrypts. However, is it true that when you are using a parent proxy (cache_peer) the decrypted traffic does not get re-encrypted anymore, but is sent in clear text through the cache_peer?



Re: FW: FW: squid proxy 3.5 redhat 7.3

Alex Rousskov
On 06/06/2017 08:22 AM, Madonna, A. (spir-it) wrote:

> Known issue, 2012, Squid proxy 3.2:
>
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1
> •SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.

> More than 5 years ago this was already a known issue. Apparently even
> after 5+ years there is still no proper solution. Can we expect anything
> regarding this in the near future?

FWIW, I am not aware of anybody working on this problem. Going forward,
your options include those outlined at the following FAQ entry:

http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


> This person already describes the issue in his blog and  offers a solution although its not perfect.

> https://www.mydlp.com/using-parent-proxy-ssl-bump-enabled-squid-3-2/

Yes, one can replace one problem with another. Or, to be more precise,
since we are apparently talking about going back to Squid v3.2, one can
replace one problem with a large bag of different problems. Pick your
poison.


> also it is still not clear to me if the traffic is encrypted again
> after leaving the squid proxy when doing ssl bump when using a parent
> proxy.

Bugs notwithstanding, the HTTPS traffic leaving modern Squids is
encrypted. The workaround at the above link re-introduces an old bug
that allows Squid to emit decrypted traffic.

Alex.
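Alex's answer turns on one observable fact: whether the bytes the child Squid writes toward its cache_peer are TLS records inside a CONNECT tunnel or cleartext HTTP. The following Python is an added example, not code from the thread or from Squid: given one direction of a child-to-parent stream (assumed to be reassembled from a tcpdump on the peer-facing interface; every sample below is constructed), it labels the stream and flags the two shapes in which decrypted content would reach the peer in the clear.

```python
# Added example: classify what a bumping Squid writes toward its cache_peer.
# `to_peer` is assumed to be the bytes the child Squid sent on one TCP connection
# to the parent (one direction, e.g. from tcpdump on the peer-facing interface).

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData.
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}


def is_tls_record(data: bytes) -> bool:
    """True if data begins with a TLS record header (type, version 3.0 to 3.4)."""
    return (len(data) >= 5 and data[0] in TLS_RECORD_TYPES
            and data[1] == 0x03 and data[2] <= 0x04)


def classify_peer_stream(to_peer: bytes) -> str:
    """Label one child->parent stream:
    connect-tls          CONNECT tunnel carrying TLS records (spliced, or bumped
                         and re-encrypted): the peer never sees plaintext.
    connect-plaintext    CONNECT tunnel followed by cleartext HTTP: decrypted
                         traffic was not re-wrapped (the 3.2 release-note bug).
    plaintext-https-uri  absolute https:// request sent as plain HTTP to the peer.
    plain-http           ordinary http:// forwarding, nothing was decrypted.
    """
    end = to_peer.find(b"\r\n\r\n")
    if end < 0:  # no HTTP head at all: raw TLS or something unrecognised
        return "tls-direct" if is_tls_record(to_peer) else "unknown"
    request_line = to_peer[:end].split(b"\r\n", 1)[0].decode("latin-1")
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0].lower()
    payload = to_peer[end + 4:]  # whatever followed the request headers
    if method == "CONNECT":
        if not payload:
            return "connect-only"
        return "connect-tls" if is_tls_record(payload) else "connect-plaintext"
    if target.startswith("https://"):
        return "plaintext-https-uri"
    return "plain-http" if target.startswith("http://") else "unknown"


def leaks_decrypted_traffic(to_peer: bytes) -> bool:
    """True when bumped HTTPS content reached the peer in the clear."""
    return classify_peer_stream(to_peer) in {"connect-plaintext", "plaintext-https-uri"}


# Constructed samples: a CONNECT head plus either a TLS Handshake record
# (ClientHello-shaped header) or cleartext HTTP where the TLS should be.
CONNECT_HEAD = b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n"
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2a]) + b"\x01" + b"\x00" * 41
SAMPLES = {
    "spliced_or_rewrapped": CONNECT_HEAD + CLIENT_HELLO,
    "connect_then_cleartext": CONNECT_HEAD + b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "absolute_https_uri": b"GET https://example.test/login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ordinary_http": b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
```

Run over a real capture, the only acceptable labels for bumped or spliced client connections are connect-tls and connect-only; anything flagged by leaks_decrypted_traffic means the peer is receiving what the client believed was TLS-protected.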

