squid ssl-bump with icap returns 503

Niels Hofmans
Hi guys,

I’m asking here but since I’m not too comfortable with a mailing list, it’s also on serverfault.com: https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. An HTTP website works fine.
Any ideas?

Config:

visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all

Log line HTTPS when it doesn’t work:
1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0


Log line HTTP when it does work:
  -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8  301 1614853320        -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain

Example CLI command used:
ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/

Command used to start squid:
exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1
Package info:
Package: squid-openssl
Version: 4.13-5

Many thanks!
Regards,
Niels Hofmans

SITE   https://ironpeak.be

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid ssl-bump with icap returns 503

Eliezer Croitoru-3
Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?

Eliezer

Re: squid ssl-bump with icap returns 503

Niels Hofmans
Hi,

I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?

So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:

OPTIONS icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Allow: 206

ICAP/1.0 200 OK
Allow: 200,204
Connection: close
Date: Thu, 04 Mar 2021 11:11:45 GMT
Encapsulated: null-body=0
Methods: REQMOD,REQRESP
Preview: 0
Transfer-Preview: *

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 200 OK
Connection: close
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=111

CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1  <<<< here is my bug
User-Agent: curl/7.64.1

But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 204 No Modifications
Connection: close
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: null-body=0

..TLS ciphertext..    <<<< no more ICAP requests


Any idea on how I pass -every- sslbumped request to ICAP?
Thank you.

Regards,
Niels Hofmans
SITE   https://ironpeak.be
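The REQMOD exchange above, as an added example in Python (not code from the thread, from Squid or from the poster's ICAP service): a handler that parses the Encapsulated offsets, answers a CONNECT with 204 and leaves its request line alone, and for an ordinary request adds a header while recomputing null-body, plus a check that would have caught the broken response above (a CONNECT target rewritten from the authority form host:port into //host:443/path is what Squid then tried, and failed, to resolve, hence ERR_DNS_FAIL). Assumed: the service address icap://10.10.0.119:1344/ from the thread; that Squid's encapsulated CONNECT request carried a Host header, which is what makes the block 84 bytes, the null-body=84 offset in the capture; and a hypothetical X-ICAP-Seen marker header. All sample messages are constructed.

```python
"""ICAP REQMOD handling that keeps CONNECT request lines intact.
Added example; not code from the thread, from Squid or from the poster's ICAP
service. Assumed: the service address icap://10.10.0.119:1344/ from the thread;
that Squid's encapsulated CONNECT request carried a Host header (which makes the
block 84 bytes, the null-body=84 offset in the capture); and a hypothetical
X-ICAP-Seen marker header. All sample messages are constructed.
"""
import re

ICAP_SERVICE = "icap://10.10.0.119:1344/"
NO_MOD = b"ICAP/1.0 204 No Modifications\r\nEncapsulated: null-body=0\r\n\r\n"
# A CONNECT target is authority-form host:port, no scheme, no path (RFC 7231 4.3.6).
AUTHORITY_FORM = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):[0-9]{1,5}$")

# Constructed to mirror the thread's capture (curl -> Squid -> ICAP).
CONNECT_REQ_HDR = (b"CONNECT ironpeak.be:443 HTTP/1.1\r\n"
                   b"Host: ironpeak.be:443\r\n"          # assumed header, see docstring
                   b"User-Agent: curl/7.64.1\r\n\r\n")
GET_REQ_HDR = (b"GET http://ironpeak.be/blog/big-sur-t2rminator/ HTTP/1.1\r\n"
               b"Host: ironpeak.be\r\nUser-Agent: curl/7.64.1\r\n\r\n")
# The broken 200 from the thread: the service turned the CONNECT target into a URL.
BROKEN_RESPONSE = (b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=111\r\n\r\n"
                   b"CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1\r\n"
                   b"Host: ironpeak.be:443\r\nUser-Agent: curl/7.64.1\r\n\r\n")

def connect_target_ok(target):
    """True when target is authority-form, as a CONNECT request line requires."""
    return AUTHORITY_FORM.match(target) is not None

def build_reqmod(req_hdr):
    """Wrap a body-less HTTP request header block the way Squid sends it."""
    head = ("REQMOD %s ICAP/1.0\r\nHost: 10.10.0.119:1344\r\n"
            "Encapsulated: req-hdr=0, null-body=%d\r\nPreview: 0\r\nAllow: 204\r\n\r\n"
            % (ICAP_SERVICE, len(req_hdr)))
    return head.encode("ascii") + req_hdr

def parse_icap_message(raw):
    """Split an ICAP request or response into (start line, headers, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, encapsulated

def parse_encapsulated(value):
    """'req-hdr=0, null-body=84' -> [('req-hdr', 0), ('null-body', 84)]"""
    return [(n.strip(), int(off)) for n, _, off in
            (item.strip().partition("=") for item in value.split(","))]

def extract_request(encapsulated, entries):
    """Return (method, target, req_hdr_text); req-hdr ends where the next offset starts."""
    start = dict(entries)["req-hdr"]
    later = [off for _, off in entries if off > start]
    end = min(later) if later else len(encapsulated)
    req_hdr = encapsulated[start:end].decode("ascii")
    method, target, _version = req_hdr.split("\r\n", 1)[0].split(" ", 2)
    return method, target, req_hdr

def reqmod_response(raw):
    """Return (ICAP response bytes, new request header text or None)."""
    _, icap_headers, encapsulated = parse_icap_message(raw)
    entries = parse_encapsulated(icap_headers["encapsulated"])
    method, target, req_hdr = extract_request(encapsulated, entries)
    if "204" not in icap_headers.get("allow", ""):
        raise NotImplementedError("only the Allow: 204 path, which Squid uses, is shown")
    if method == "CONNECT":
        if not connect_target_ok(target):
            raise ValueError("CONNECT target is not authority-form: %r" % target)
        # Nothing to inspect in the tunnel request itself: leave it byte-for-byte alone.
        # Whether requests inside the tunnel reach ICAP depends on the port bumping them.
        return NO_MOD, None
    if "req-body" in dict(entries):
        return NO_MOD, None          # a 200 would also have to return the chunked body
    new_req_hdr = req_hdr[:-4] + "\r\nX-ICAP-Seen: example\r\n\r\n"  # hypothetical header
    new_bytes = new_req_hdr.encode("ascii")
    head = "ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(new_bytes)
    return head.encode("ascii") + new_bytes, new_req_hdr

def check_response(raw):
    """Audit a service's response: offsets consistent, CONNECT target untouched."""
    status, headers, encapsulated = parse_icap_message(raw)
    if status.startswith("ICAP/1.0 204"):
        return "ok"
    entries = parse_encapsulated(headers["encapsulated"])
    if dict(entries).get("null-body") != len(encapsulated):
        return "null-body offset does not match the header block length"
    method, target, _ = extract_request(encapsulated, entries)
    if method == "CONNECT" and not connect_target_ok(target):
        return "CONNECT target rewritten to %r" % target
    return "ok"

if __name__ == "__main__":
    for hdr in (CONNECT_REQ_HDR, GET_REQ_HDR):
        print(reqmod_response(build_reqmod(hdr))[0].decode("ascii"))
    print(check_response(BROKEN_RESPONSE))
```

Running it prints the 204 for the CONNECT, the 200 for the GET with a null-body that matches the rewritten block, and the verdict on the broken response. The second half of the question is not something the service can fix: once the listening port tunnels the CONNECT instead of bumping it, what follows is TLS ciphertext and Squid has no further requests to hand to ICAP.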

Re: squid ssl-bump with icap returns 503

Niels Hofmans
Hi,

Interestingly this seems to work on an http_proxy listener:

http_port 0.0.0.0:3129 ssl-bump \
generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key
#tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

always_direct allow all
ssl_bump bump all

But with https_port I require tproxy/intercept, which, if I configure it, returns:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump intercept \
generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
1614859887.972      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -


And:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump tproxy \
generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

FATAL: https_port: TPROXY support in the system does not work.


Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

Re: squid ssl-bump with icap returns 503

Amos Jeffries
Administrator
In reply to this post by Niels Hofmans
On 4/03/21 11:36 pm, Niels Hofmans wrote:

> Hi guys,
>
> I’m asking here but since I’m not too comfortable with a mailing list,
> it’s also on serverfault.com:
> https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately
>
> I have an odd issue that squid will return a HTTP 503 when I try to do
> ICAP for an ssl-bumped HTTPS website. HTTP website works fine.
> Any ideas?
>
> Config:
>
> visible_hostname proxy
> forwarded_for delete
> via off
> httpd_suppress_version_string on
> logfile_rotate 0
> cache_log stdio:/dev/stdout
> access_log stdio:/dev/stdout
> cache_store_log stdio:/dev/stdout
> dns_v4_first on
> cache_dir ufs /cache 100 16 256
> pid_filename /cache/squid.pid
> mime_table /usr/share/squid/mime.conf
> http_port 0.0.0.0:3128
> https_port 0.0.0.0:3129 \
>      generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
>      tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key


Neither of these Squid listening ports does SSL-Bump (aka interception of
TLS) in any way.

The first receives normal HTTP forward/explicit proxy traffic over TCP.

The second receives normal HTTP forward/explicit proxy traffic over TLS
(aka "TLS explicit proxy"). Not to be confused with HTTPS (https:// URLs).



> ssl_bump peek all
> ssl_bump bump all
> quick_abort_min 0
> quick_abort_max 0
> quick_abort_pct 95
> pinger_enable off
> icap_enable on
> icap_service_failure_limit -1
> icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
> icap_preview_enable on
> adaptation_access service_req allow all
> cache_mem 512 mb
> dns_nameservers 1.1.1.1 1.0.0.1
> cache_effective_user proxy
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> sslproxy_cert_error allow all
> http_access allow all
>
> Log line HTTPS when it doesn’t work:
> 1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

This is a https:// request which the client is tunneling (CONNECT)
through a forward/explicit proxy.


>
> < HTTP/1.1 503 Service Unavailable
> < Server: squid
> < Mime-Version: 1.0
> < Date: Thu, 04 Mar 2021 10:36:05 GMT
> < Content-Type: text/html;charset=utf-8
> < Content-Length: 1849
> < X-Squid-Error: ERR_DNS_FAIL 0
>
>
> Log line HTTP when it does work:
>    -1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/


As you can see this is *not* an HTTPS (https://) request. It is a normal
HTTP (http://) request sent to a proxy over TLS - which is what your
port 3129 is expecting.


Amos
Re: squid ssl-bump with icap returns 503

Niels Hofmans
Hi Amos,

Thank you for getting back to me.
So if ssl-bump is required on the http(s)_port directive, I end up at:

http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 ssl-bump intercept \
generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

always_direct allow all
ssl_bump bump all

This however ends up with following logs:

2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33
2021/03/04 12:37:43 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33
1614861463.880      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -

Command to reproduce:

 % ALL_PROXY="http://127.0.0.1:3129" curl -k -vvv --proxy-insecure -X POST --data 'foo' https://ironpeak.be/


Regards,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

Re: squid ssl-bump with icap returns 503

Amos Jeffries
Administrator
On 5/03/21 1:39 am, Niels Hofmans wrote:
> Hi Amos,
>
> Thank you for getting back to me.
> So if ssl-bump is required on the http(s)_port directive, I end up at:
>

https_port simply means TLS is the transport protocol. The transport is
terminated at the proxy. There are many permutations of what is being
done inside that TLS.

So no, http_port does not require "ssl-bump".

Squid does not support TLS-inside-TLS encryption layering. Which is why
"ssl-bump" only works for "intercept" or "tproxy" modes on that port
directive.




> http_port 0.0.0.0:3128
> https_port 0.0.0.0:3129 ssl-bump intercept \
>      generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
>      cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
>      tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
>
> always_direct allow all
> ssl_bump bump all
>
>
> This however ends up with following logs:
>
> 2021/03/04 12:37:43 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:55508 FD 13 flags=33: (2) No such file or directory

Which means your NAT systems have no records of port 443 being diverted
to port 3129.


> Command to reproduce:
>
>   % ALL_PROXY="http://127.0.0.1:3129" curl -k -vvv --proxy-insecure -X POST --data 'foo' https://ironpeak.be/
>

Correct test command for "https_port 3129 intercept ssl-bump" is:

   curl --cacert /etc/squid/ssl/squid.crt -vvv \
        -X POST --data 'foo' https://ironpeak.be/

This verifies that the system is diverting traffic to the proxy, the
proxy is the TLS agent for those connections, and that connectivity
through the proxy is working.
  A TLS failure to verify the cert(s) indicates the proxy is not being reached.

Amos
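The listener rules from Amos's two replies, as an added example in Python (not code from the thread or from the Squid project): a small audit of the http_port/https_port lines in a squid.conf. It flags ssl_bump rules with no port carrying the ssl-bump flag (the posted config, where the CONNECT is tunnelled opaque and only the CONNECT itself ever reaches ICAP), ssl-bump on an https_port without intercept or tproxy (TLS inside TLS, which Squid does not do), intercept or tproxy ports as a reminder that the kernel has to divert the original destination port to them (the NAT/TPROXY lookup failures above), a port given both cert= and its newer tls-cert= spelling, and one caveat the thread does not touch: sslproxy_cert_error allow all in the posted config makes a bumping Squid ignore origin certificate errors, so clients behind it lose upstream certificate validation altogether. The finding codes are hypothetical names; the sample configs are constructed from directives posted in the thread.

```python
"""Audit squid.conf listener directives for the SSL-Bump mode mistakes
discussed in the thread.
Added example; not code from the thread or from the Squid project. The
finding codes are hypothetical names chosen here; the sample configs are
constructed from directives posted in the thread.
"""

DIVERT_MODES = {"intercept", "tproxy"}

def logical_lines(text):
    """Yield tokenised directives; joins backslash-continued lines, skips comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line.split()

def port_flags(args):
    """Option names of a port line without values: 'tls-cert=/x' -> 'tls-cert'."""
    return {a.split("=", 1)[0] for a in args}

def audit(text):
    """Return [(code, message)] findings for a squid.conf text."""
    findings, ports, bump_rules = [], [], 0
    for parts in logical_lines(text):
        directive, args = parts[0], parts[1:]
        if directive in ("http_port", "https_port") and args:
            ports.append((directive, args[0], port_flags(args[1:])))
        elif directive == "ssl_bump":
            bump_rules += 1
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append(("CERT_ERROR_ALLOW_ALL", "sslproxy_cert_error allow all: "
                             "origin certificate errors are ignored on bumped connections, "
                             "so clients behind the proxy lose upstream certificate validation"))
    if bump_rules and not any("ssl-bump" in flags for _, _, flags in ports):
        findings.append(("NO_BUMP_PORT", "ssl_bump rules present but no port carries the "
                         "ssl-bump flag: CONNECT is tunnelled opaque, only the CONNECT "
                         "itself reaches ICAP"))
    for directive, listen, flags in ports:
        modes = flags & DIVERT_MODES
        if directive == "https_port" and "ssl-bump" in flags and not modes:
            findings.append(("HTTPS_BUMP_NEEDS_INTERCEPT", "https_port %s: ssl-bump on "
                             "https_port works only with intercept or tproxy (no TLS inside "
                             "TLS); explicit CONNECT clients need http_port ... ssl-bump" % listen))
        if modes:
            findings.append(("NEEDS_DIVERSION", "%s %s: %s mode needs the kernel to divert "
                             "the original destination port here, or Squid logs 'NAT/TPROXY "
                             "lookup failed'" % (directive, listen, ",".join(sorted(modes)))))
        if {"cert", "tls-cert"} <= flags:
            findings.append(("DUPLICATE_CERT_OPTION", "%s %s: both cert= and tls-cert= "
                             "given; cert= is the older spelling of tls-cert=, keep one"
                             % (directive, listen)))
    return findings

# As posted: ssl_bump rules, but neither port has the ssl-bump flag.
POSTED = """\
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \\
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
sslproxy_cert_error allow all
"""
# Explicit proxy: clients CONNECT to 3128 and Squid bumps inside the tunnel.
EXPLICIT_BUMP = """\
http_port 0.0.0.0:3128 ssl-bump \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \\
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
"""
# The later attempt: valid mode, but needs NAT diversion and repeats the cert options.
INTERCEPT = """\
https_port 0.0.0.0:3129 ssl-bump intercept \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \\
    cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \\
    tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump bump all
"""
# TLS inside TLS: https_port with ssl-bump but neither intercept nor tproxy.
TLS_IN_TLS = """\
https_port 0.0.0.0:3129 ssl-bump tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump bump all
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("explicit-bump", EXPLICIT_BUMP),
                      ("intercept", INTERCEPT), ("tls-in-tls", TLS_IN_TLS)):
        print(name, audit(cfg) or "clean")
```

A file-level audit cannot see whether the iptables/nftables diversion actually exists, which is why the runtime check is the one Amos gives: curl --cacert /etc/squid/ssl/squid.crt against an https:// URL with no proxy variable set, which fails certificate verification whenever the traffic is not reaching the proxy.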
Re: squid ssl-bump with icap returns 503

Niels Hofmans
Hi Amos,

Just to get back to this, the conclusion is that https_port does not support ssl-bump of requests passing through CONNECT.
I’ll terminate the TLS connection in front of squid through a load balancer and use http_port, which works fine.
Thank you!

Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795
